0x00 About
On July 20, 2019, the Linux kernel officially fixed a local privilege escalation vulnerability (CVE-2019-13272). Through this vulnerability, a local attacker can elevate an ordinary user account to root privileges.
0x01 Vulnerability Overview
When a process calls PTRACE_TRACEME, the ptrace_link function obtains an RCU reference to the credentials of the parent process and then passes that pointer to get_cred. However, the object lifetime rules for struct cred do not permit unconditionally turning an RCU reference into a stable reference.
PTRACE_TRACEME records the parent's credentials for the new ptrace relationship, so that the parent can later perform on the child whatever operations those credentials allow. If a malicious low-privileged process calls PTRACE_TRACEME while its parent holds high privileges, the relationship is recorded as a privileged one; the attacker can then abuse it, together with a call to execve, to obtain a new process that runs with the parent's high privileges.
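The mechanics behind the two paragraphs above, shown as an added user-space example that is not part of the original post and is not the exploit: the child calls PTRACE_TRACEME, and the parent, without ever calling PTRACE_ATTACH or giving any consent, becomes its tracer and can read its memory. The names demo_traceme and secret and the marker value 0x5EC0DE are invented for this illustration. The point it makes is that whoever the kernel records as the tracer of this relationship gets tracer-level access to the child, which is why the credentials ptrace_link() stores for it matter. The program also handles the case where the kernel refuses PTRACE_TRACEME (a seccomp filter or a restrictive Yama ptrace_scope), because on a hardened host that is the first thing you hit.

```c
/*
 * Added illustration (not code from the original post or from the kernel):
 * what PTRACE_TRACEME does from user space. The child asks the kernel to
 * make its real parent the tracer; the parent never calls PTRACE_ATTACH.
 *
 * Build: gcc -Wall -o traceme_demo traceme_demo.c   (file name is arbitrary)
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A value the tracer will read out of the tracee's memory. Both processes
 * share this address after fork(), so the parent can use &secret directly.
 * (The value is an arbitrary marker chosen for this example.) */
static volatile long secret = 0x5EC0DE;

/*
 * Returns the word the parent read from the stopped child (0x5EC0DE on
 * success), -2 if the kernel refused PTRACE_TRACEME (seccomp, Yama
 * ptrace_scope, ...), or -1 on any other failure.
 */
long demo_traceme(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: become a tracee of our real parent. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(99);              /* tell the parent ptrace was denied */
        /* Stop ourselves. Because we are now traced, the parent is told
         * about this stop through waitpid() instead of it being silent. */
        raise(SIGSTOP);
        _exit(0);
    }

    /* Parent == tracer from here on. */
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 99 ? -2 : -1;
    if (!WIFSTOPPED(status))
        return -1;

    /* Read the child's memory: something only a tracer (or a process that
     * passes ptrace_may_access()) is allowed to do. */
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, pid, (void *)&secret, NULL);
    if (word == -1 && errno != 0) {
        ptrace(PTRACE_KILL, pid, NULL, NULL);
        waitpid(pid, &status, 0);
        return -1;
    }

    /* Let the child run again and reap it. Passing signal 0 to
     * PTRACE_CONT suppresses the pending SIGSTOP. */
    if (ptrace(PTRACE_CONT, pid, NULL, (void *)0) == -1)
        return -1;
    waitpid(pid, &status, 0);
    return word;
}

int main(void)
{
    long r = demo_traceme();
    if (r == -2)
        puts("PTRACE_TRACEME was denied in this environment");
    else if (r < 0)
        puts("demo failed");
    else
        printf("tracer read 0x%lX from the stopped tracee\n", r);
    return r < 0;
}
```

On a default desktop kernel the parent prints the marker it read from the child. Nothing here crosses a privilege boundary: parent and child share the same credentials, so the kernel's ptrace_may_access check is trivially satisfied. The vulnerability is about what happens when the parent's credentials at the moment of PTRACE_TRACEME are higher than the attacker's.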
0x02 Affected Versions
Affected Linux kernel versions:
Linux Kernel < 5.1.17
0x03 Environment Setup
Create a low-privileged account:
useradd test # create the test user
passwd test # set a password for the test user
Switch to the test user:
su test
Check that the system kernel version is lower than 5.1.17:
uname -a
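The version check above is the first thing to automate, so here is an added helper, not from the original post, that parses the kernel release string that uname -r prints and compares it with 5.1.17, the first upstream release carrying the fix. The function names parse_release and release_is_older are made up for this example. One caveat a practitioner needs: distribution kernels backport security fixes without bumping the upstream version number, so "older than 5.1.17" only means "check the distribution's kernel changelog for the fix", not "definitely vulnerable".

```c
/*
 * Added helper, not from the original post: compare the running kernel's
 * release string with the first fixed upstream version, 5.1.17.
 *
 * Build: gcc -Wall -o kcheck kcheck.c   (file name is arbitrary)
 */
#include <stdio.h>
#include <sys/utsname.h>

/*
 * Parse "MAJOR.MINOR[.PATCH][-anything]" into v[0..2]. Missing fields are
 * treated as 0, so "5.2" and "5.2.0-rc1" both parse as 5.2.0. Returns 1 on
 * success, 0 if the string does not start with at least MAJOR.MINOR.
 */
int parse_release(const char *release, int v[3])
{
    v[0] = v[1] = v[2] = 0;
    int n = sscanf(release, "%d.%d.%d", &v[0], &v[1], &v[2]);
    return n >= 2;
}

/*
 * Returns 1 if `release` is strictly older than major.minor.patch,
 * 0 if it is equal or newer, and -1 if it cannot be parsed.
 */
int release_is_older(const char *release, int major, int minor, int patch)
{
    int v[3];
    if (!parse_release(release, v))
        return -1;
    int want[3] = { major, minor, patch };
    for (int i = 0; i < 3; i++) {
        if (v[i] < want[i])
            return 1;
        if (v[i] > want[i])
            return 0;
    }
    return 0;   /* identical version */
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 2;
    }
    printf("running kernel: %s\n", u.release);
    int r = release_is_older(u.release, 5, 1, 17);
    if (r == 1)
        puts("older than 5.1.17: check whether your distribution backported "
             "upstream commit 6994eefb0053 before assuming it is vulnerable");
    else if (r == 0)
        puts("5.1.17 or newer: the upstream fix for CVE-2019-13272 is included");
    else
        puts("could not parse the release string");
    return 0;
}
```

The comparison is numeric field by field, so 5.10.x correctly sorts after 5.1.17 (a plain string comparison would get that wrong). Release suffixes such as -generic or -rc1 are ignored, which is what you want for an upstream version comparison but is exactly why the distribution changelog remains the authoritative source.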
0x04 Exploitation
Check the current user and the current user's UID (for example with id).
Download the exploit and save it as poc.c:
https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
Compile the C file with gcc; the resulting binary is exp:
gcc poc.c -o exp
Run the generated exp:
./exp
The exploit succeeds: the ordinary user test has been escalated to root.
Check the current user again after successful exploitation.
0x05 Fix
Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6994eefb0053799d2e07cd140df6c2ea106c41ee