“Cascading White Privilege attacks against modern Linux systems, Bespoke CP attacks”

[crustsec ASCII-art logo]

First, let’s show off the trick, then get down to the details!

root@instance-1:/# id
uid=0(root) gid=0(root) groups=0(root)
root@instance-1:/# ./expl
nobody@instance-1:/$ id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
nobody@instance-1:/$ uname -a
Linux instance-1 3.19.0-51-generic #58~14.04.1-Ubuntu SMP Fri Feb 26 22:02:58 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Now that we’ve all seen it, what’s going on here? An escalation from uid 0 to uid 65534, a HUGE increase in UID. We’ve elevated privileges from the user “root” to the much more powerful “nobody” user. Nobody is more powerful than root. Additionally, such an increase in numbers could be applied to an “integer overflow” attack, if we make the numbers too big! Imagine code like this:

#include <sys/types.h>
#include <unistd.h>

int main(void) {
    uid_t myuid = getuid();      // the caller's real uid
    char x = (char)myuid;        // assuming that uid was 0.
    // BOOM we’ve overflowed x, and can do all sorts of nasty stuff.
    (void)x;
    return 0;
}
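To see what the cast in the snippet above actually does, here is an added example (not code from the original post) that reports the value a uid_t takes after narrowing to char and adds the range check that rejects uids which do not fit; the two sample uids are the ones from the transcript above.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Does uid fit in a plain char without truncation? (CHAR_MAX is 127 on
 * platforms where char is signed, 255 where it is unsigned.) */
bool uid_fits_in_char(uid_t uid)
{
    return uid <= (uid_t)CHAR_MAX;
}

/* The narrowing cast from the snippet above: only the low byte survives,
 * and its sign depends on whether char is signed on this platform. */
int narrowed_uid(uid_t uid)
{
    char x = (char)uid;
    return (int)x;
}

/* Store uid in *out only when it fits; otherwise report failure
 * instead of silently truncating. */
bool store_uid_as_char(uid_t uid, char *out)
{
    if (!uid_fits_in_char(uid))
        return false;
    *out = (char)uid;
    return true;
}

int main(void)
{
    /* Constructed sample: the two uids seen in the transcript. */
    uid_t samples[] = { 0, 65534 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char c;
        bool ok = store_uid_as_char(samples[i], &c);
        printf("uid %u -> (char) %d, fits: %s\n",
               (unsigned)samples[i], narrowed_uid(samples[i]),
               ok ? "yes" : "no");
    }
    return 0;
}
```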

On Linux systems, the user id is stored in the file “/etc/passwd”. Needless to say, you know what that means. Bingo, game over. We now have the highest uid number, and can read all other passwords on the system.

The attack is currently 0day, works against all known Ubuntu Linux versions, and the exploit has been sent to the kernel maintainers for patching, after which it will be released.

Team xXx.CrUsT.s3C.xXx
