teawater/CVE-2017-5123

README

Note: The code in this repo demonstrates the isolation provided by secure pod sandbox technologies such as Kata Containers and is not intended to attack any platform.

How to reproduce

  • Get Linux kernel 4.13.0.
  • Apply the patch 0001-CVE-2017-5123-help-to-make-attack-safely.patch.
  • Build the Linux kernel with the config file Kconfig.
  • Boot the kernel and get the addresses of dac_mmap_min_addr, have_canfork_callback, prepare_kernel_cred, commit_creds, set_fs_root, copy_fs_struct and current_task with the following commands. Update the addresses in CVE-2017-5123.c.
    echo 0 > /proc/sys/kernel/kptr_restrict
    cat /proc/kallsyms
  • Run gdb vmlinux.
  • Get the offset TASK_FS_OFFSET and update it in CVE-2017-5123.c.
    (gdb) p &(((struct task_struct *)0)->fs)
  • Get the offset TASK_PARENT_OFFSET and update it in CVE-2017-5123.c.
    (gdb) p &(((struct task_struct *)0)->parent)
  • Get the offset FS_ROOT_OFFSET and update it in CVE-2017-5123.c.
    (gdb) p &(((struct fs_struct *)0)->root)
  • Build CVE-2017-5123.c with --static and put the binary into a docker image.
  • Boot the kernel with the kernel command line option "nosmep".
  • Now use the docker image and rock and roll.

About this CVE

The waitid implementation in upstream kernels did not restrict the target destination when copying the result information, so a local user could make the kernel write to otherwise protected kernel memory, which can lead to privilege escalation.
The bug was introduced on 2017-05-21 and fixed on 2017-10-09.

This CVE has already been fixed in later releases of the 4.13 branch and in newer mainline kernels. However, similar CVEs that allow privilege escalation may exist. The CVE itself is actually quite similar to the famous Dirty COW, CVE-2016-5195.

More information

CVE-2017-5123.c uses this vulnerability to change the value of /proc/sys/vm/mmap_min_addr. It then makes the Linux kernel call shellcode to obtain the file access permissions of the host root.
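The reproduction steps above weaken the host (kptr_restrict=0, "nosmep") and the PoC leaves a lowered vm.mmap_min_addr behind. The following audit, added here and not part of the teawater/CVE-2017-5123 repository, flags each of those states on a host; the 65536 baseline for vm.mmap_min_addr and the 4.13.0 release match are assumptions taken from common defaults and from this README.

```python
"""Audit a host for the weakened settings the reproduction steps rely on.
Added example, not code from the teawater/CVE-2017-5123 repository."""
import os

# Assumption: 65536 is the usual x86-64 distribution default for
# vm.mmap_min_addr; adjust it to the value your own policy sets.
EXPECTED_MMAP_MIN_ADDR = 65536
POC_KERNEL_RELEASE = "4.13.0"  # release the README builds and targets


def audit(cmdline: str, kptr_restrict: str, mmap_min_addr: str,
          release: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    if "nosmep" in cmdline.split():
        findings.append("SMEP disabled with 'nosmep': the kernel may execute "
                        "user-space pages, which this PoC depends on")
    if kptr_restrict.strip() == "0":
        findings.append("kptr_restrict=0: /proc/kallsyms exposes symbol "
                        "addresses such as commit_creds and prepare_kernel_cred")
    try:
        value = int(mmap_min_addr.strip())
    except ValueError:
        findings.append("vm.mmap_min_addr unreadable or non-numeric")
    else:
        if value < EXPECTED_MMAP_MIN_ADDR:
            findings.append(f"vm.mmap_min_addr={value} is below "
                            f"{EXPECTED_MMAP_MIN_ADDR}: low user mappings are "
                            "allowed, the state the PoC produces")
    if release.startswith(POC_KERNEL_RELEASE):
        findings.append(f"kernel release {release} matches the version this "
                        "PoC targets; confirm the waitid fix is applied")
    return findings

def _read(path: str) -> str:
    """Read a /proc entry, returning '' when it is missing or unreadable."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""

def audit_live_system() -> list:
    """Run the audit against the current host (Linux only)."""
    return audit(_read("/proc/cmdline"),
                 _read("/proc/sys/kernel/kptr_restrict"),
                 _read("/proc/sys/vm/mmap_min_addr"),
                 os.uname().release)
```

Call audit_live_system() on the host under review; each returned string is one finding, and an empty list means none of the states this README relies on or produces was observed.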
