
CVE-2017-5123 PoC — Linux kernel input validation error vulnerability

Associated Vulnerability
Title: Linux kernel input validation error vulnerability (CVE-2017-5123)
Description: Insufficient data validation in waitid allowed a user to escape sandboxes on Linux.
# README

> **Note**: The code in this repo is to demo the isolation of secure pod sandbox technologies such as [kata containers](https://kata-containers.io) and does not intend to attack any platforms.

## How to reproduce
* Get Linux kernel 4.13.0
* Apply the patch 0001-CVE-2017-5123-help-to-make-attack-safely.patch
* Build the Linux kernel with the config file Kconfig
* Boot the kernel and get the addresses of dac_mmap_min_addr, have_canfork_callback, prepare_kernel_cred, commit_creds, set_fs_root, copy_fs_struct and current_task with the following commands.
  Update the addresses in CVE-2017-5123.c
```
echo 0 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms
```
* gdb vmlinux
* Get the TASK_FS_OFFSET value and update it in CVE-2017-5123.c
```
(gdb) p &(((struct task_struct *)0)->fs)
```
* Get the TASK_PARENT_OFFSET value and update it in CVE-2017-5123.c
```
(gdb) p &(((struct task_struct *)0)->parent)
```
* Get the FS_ROOT_OFFSET value and update it in CVE-2017-5123.c
```
(gdb) p &(((struct fs_struct *)0)->root)
```
* Build CVE-2017-5123.c with --static and put the binary into a Docker image.
* Boot the kernel with the kernel command line option "nosmep".
* Now run the Docker image and rock and roll.

## About this CVE

The waitid implementation in upstream kernels did not restrict the target destination when copying information results. This can allow local users to write to otherwise protected kernel memory, which can lead to privilege escalation.
The bug was introduced on 2017-05-21 and fixed on 2017-10-09.

This CVE has already been fixed in later releases of the 4.13 branch and in newer mainline kernels. However, similar CVEs allowing privilege escalation may exist. The CVE itself is actually quite similar to the famous [dirty cow, CVE-2016-5195](https://dirtycow.ninja/).

## More Information

CVE-2017-5123.c uses this vulnerability to change the value of /proc/sys/vm/mmap_min_addr. It then makes the Linux kernel call shellcode to obtain file access with host root permissions.
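As an added defender-side check (not part of this repository), the following POSIX shell script audits the three host settings that the reproduction steps and the note above depend on: kptr_restrict set to 0 so /proc/kallsyms exposes addresses, a low mmap_min_addr (the value CVE-2017-5123.c lowers), and SMEP disabled via the nosmep boot option. The function names and the 65536 threshold are assumptions of this example.

```shell
#!/bin/sh
# Audit the host conditions this PoC relies on. The core function takes its
# inputs as arguments so it can be exercised on constructed values; the
# wrapper at the bottom reads the live procfs values (Linux only).
#
# Usage: audit_waitid_prereqs KPTR_RESTRICT MMAP_MIN_ADDR CPUFLAGS CMDLINE
# Prints one finding per line; the return value is the number of findings
# (0 means none of the PoC's prerequisites are present).
audit_waitid_prereqs() {
    kptr="$1"; minaddr="$2"; flags="$3"; cmdline="$4"
    findings=0
    # Step 4 of the PoC needs kptr_restrict=0 to read symbol addresses.
    if [ "$kptr" -eq 0 ]; then
        echo "kptr_restrict=0: /proc/kallsyms exposes kernel symbol addresses"
        findings=$((findings + 1))
    fi
    # The PoC lowers mmap_min_addr; 65536 is the usual hardened minimum (assumed).
    if [ "$minaddr" -lt 65536 ]; then
        echo "mmap_min_addr=$minaddr: below 65536, low user-space mappings allowed"
        findings=$((findings + 1))
    fi
    # The PoC boots with "nosmep" so the kernel may execute user pages.
    case " $cmdline " in
        *" nosmep "*)
            echo "cmdline contains nosmep: SMEP disabled by boot option"
            findings=$((findings + 1)) ;;
    esac
    # Without the smep CPU flag the hardware mitigation is not available at all.
    case " $flags " in
        *" smep "*) ;;
        *)  echo "cpu flags lack smep: hardware SMEP unavailable"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Wrapper for a live Linux host; standard procfs paths.
audit_live_host() {
    kptr=$(cat /proc/sys/kernel/kptr_restrict)
    minaddr=$(cat /proc/sys/vm/mmap_min_addr)
    flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
    cmdline=$(cat /proc/cmdline)
    audit_waitid_prereqs "$kptr" "$minaddr" "$flags" "$cmdline"
}
```

Call `audit_live_host` on the guest or host under test; a non-zero exit count lists which of the PoC's prerequisites are still in place.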
File Snapshot

```
[4.0K] /data/pocs/02805c4a3432b5273577a61265dd15a504c6a32d
├── [1.4K] 0001-CVE-2017-5123-help-to-make-attack-safely.patch
├── [4.9K] CVE-2017-5123.c
├── [393K] cve-2017-5123.key
├── [ 32K] hacked.png
├── [ 11M] initrd.img-4.13.0+
├── [ 85K] Kconfig
├── [1.9K] README.md
├── [ 60K] systemok.png
└── [4.5M] vmlinuz-4.13.0+

0 directories, 9 files
```