
PoC details: 02805c4a3432b5273577a61265dd15a504c6a32d

Source
Related vulnerability
Title: Linux kernel input validation error vulnerability (CVE-2017-5123)
Description: Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation in the United States. An input validation error vulnerability exists in the Linux kernel. A local attacker can exploit this vulnerability to obtain root privileges.
Introduction
# README

> **Note**: The code in this repo demonstrates the isolation of secure pod sandbox technologies such as [kata containers](https://kata-containers.io) and is not intended to attack any platform.

## How to reproduce
* Get Linux kernel 4.13.0
* Apply the patch 0001-CVE-2017-5123-help-to-make-attack-safely.patch
* Build the Linux kernel with the config Kconfig
* Boot the kernel and get the addresses of dac_mmap_min_addr, have_canfork_callback, prepare_kernel_cred, commit_creds, set_fs_root, copy_fs_struct and current_task with the following commands, then update the addresses in CVE-2017-5123.c:
```
echo 0 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms
```
* Run gdb vmlinux
* Get the value of TASK_FS_OFFSET (the offset of `fs` in `struct task_struct`) and update it in CVE-2017-5123.c:
```
(gdb) p &(((struct task_struct *)0)->fs)
```
* Get the value of TASK_PARENT_OFFSET (the offset of `parent` in `struct task_struct`) and update it in CVE-2017-5123.c:
```
(gdb) p &(((struct task_struct *)0)->parent)
```
* Get the value of FS_ROOT_OFFSET (the offset of `root` in `struct fs_struct`) and update it in CVE-2017-5123.c:
```
(gdb) p &(((struct fs_struct *)0)->root)
```
* Build CVE-2017-5123.c with --static and put the binary into a docker image.
* Boot the kernel with the kernel command line option "nosmep".
* Now run the docker image and rock and roll.

## About this CVE

The waitid implementation in upstream kernels did not restrict the destination to which it copied the result information. This allows local users to write to otherwise protected kernel memory, which can lead to privilege escalation.
The bug was introduced on 2017-05-21 and fixed on 2017-10-09.

This CVE has already been fixed in later releases of the 4.13 branch and in newer mainline kernels. However, similar CVEs that allow privilege escalation may exist. The CVE itself is actually quite similar to the famous [Dirty COW, CVE-2016-5195](https://dirtycow.ninja/).
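The missing check described above, modelled in user-space C as an added example (this is not code from this repository or from the kernel): a store that trusts a caller-supplied destination pointer beside one that validates the destination range first, which is the shape of the upstream fix ("waitid(): Add missing access_ok() checks"). The flat memory array, USER_LIMIT, the kernel-side address and all function names are constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the kernel's address split: everything below
 * USER_LIMIT is "user" memory, everything at or above it is "kernel"
 * memory. Both halves live in one flat array so the demo runs in user space. */
#define USER_LIMIT 0x1000u
#define MEM_SIZE   0x2000u
static uint8_t model_mem[MEM_SIZE];

/* Model of access_ok(): the whole [addr, addr+len) range must lie in
 * user space, and the end address must not wrap around. */
static bool access_ok_model(uintptr_t addr, size_t len) {
    uintptr_t end;
    if (__builtin_add_overflow(addr, len, &end))
        return false;
    return end <= USER_LIMIT;
}

/* Keeps the demo process itself from writing outside the model array.
 * This is NOT the kernel's check; it only exists so the model cannot crash. */
static void model_bounds(uintptr_t addr, size_t len) {
    if (addr > MEM_SIZE || len > MEM_SIZE - addr)
        abort();
}

/* Vulnerable pattern: the store trusts the caller-supplied destination.
 * A pointer handed in from user space reaches the write untested, so a
 * kernel-side address is written just like a user-side one. */
static int store_unchecked(uintptr_t dst, uint32_t value) {
    model_bounds(dst, sizeof value);
    memcpy(&model_mem[dst], &value, sizeof value);
    return 0;
}

/* Hardened pattern: validate the destination range first and fail with
 * -EFAULT (-14) if any byte of it would land outside user space. */
static int store_checked(uintptr_t dst, uint32_t value) {
    if (!access_ok_model(dst, sizeof value))
        return -14; /* -EFAULT */
    model_bounds(dst, sizeof value);
    memcpy(&model_mem[dst], &value, sizeof value);
    return 0;
}

/* Read back a 32-bit value from the model so results can be inspected. */
static uint32_t peek(uintptr_t addr) {
    uint32_t v;
    model_bounds(addr, sizeof v);
    memcpy(&v, &model_mem[addr], sizeof v);
    return v;
}

/* Run one store variant against a destination inside "kernel" memory and
 * report whether the kernel-side word changed: 1 = the write landed in
 * kernel memory, 0 = it was refused. */
static int kernel_word_modified(int (*store)(uintptr_t, uint32_t)) {
    const uintptr_t kernel_word = USER_LIMIT + 0x100; /* constructed kernel-side address */
    memset(model_mem, 0, sizeof model_mem);
    (void)store(kernel_word, 0x41414141u);
    return peek(kernel_word) != 0;
}

int main(void) {
    /* Exit status 0 when the model behaves as expected: the unchecked
     * store corrupts the kernel-side word, the checked store refuses it. */
    return (kernel_word_modified(store_unchecked) == 1 &&
            kernel_word_modified(store_checked) == 0) ? 0 : 1;
}
```

The boundary cases are the ones worth keeping in mind when reviewing such code: a range that starts in user space but ends past the limit, and an end address that wraps around, must both be rejected, which is why the check works on the full range rather than the start address alone.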

## More information

CVE-2017-5123.c uses this vulnerability to change the value of /proc/sys/vm/mmap_min_addr. It then makes the Linux kernel call shellcode to obtain the file access permissions of the host root.
File snapshot

```
[4.0K] /data/pocs/02805c4a3432b5273577a61265dd15a504c6a32d
├── [1.4K] 0001-CVE-2017-5123-help-to-make-attack-safely.patch
├── [4.9K] CVE-2017-5123.c
├── [393K] cve-2017-5123.key
├── [ 32K] hacked.png
├── [ 11M] initrd.img-4.13.0+
├── [ 85K] Kconfig
├── [1.9K] README.md
├── [ 60K] systemok.png
└── [4.5M] vmlinuz-4.13.0+

0 directories, 9 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source first.
    2. If the source has expired or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.