CVE-2017-16995: Ubuntu local privilege escalation vulnerability reproduction

Environment setup

The test system is installed from the Ubuntu16.04-desktop-amd64.iso image; during installation, do not install the update packages.

Vulnerability analysis & exploitation

In this environment (kernel 4.4.0-21-generic), directly running the precompiled exploit program did not succeed; the error output is shown below:

I then tried on both Ubuntu 14.04 and 16.04.4, still without success. Both reported errors; the error output from the 14.04 environment is shown below:

A header file was missing. Next, the attempt under 16.04.4:

Here the kernel is version 4.13, which is higher than 4.4.0, so the vulnerability is no longer present; this is probably because the 16.04.4 image is relatively new.

I did not try 16.04.1 and 16.04.1. For that reason, I personally think the affected range given in articles on the Internet is somewhat too broad.

We continue testing on 16.04. Looking up the details of the vulnerability: its identifier is CVE-2017-16995.

Seebug has a detailed write-up: https://www.seebug.org/vuldb/ssvid-97183

Reading the vulnerability details there, you can see that the author analysed the specifics. The issue lies in the Linux kernel's eBPF bpf(2) system call: when a user supplies a malicious BPF program, the eBPF verifier module makes a calculation error, which results in arbitrary kernel memory read and write. An unprivileged user can use this vulnerability to escalate privileges. We will not analyse the code here. The author repeatedly adjusted several variables (R0/R1/R10) that change the memory address, debugging with gcc compilation, and the final correct code is crasher_badtrunc.c.

We compile and execute this crash code on Ubuntu, and run the exploit once the change has been triggered:

gcc -o crasher_badtrunc crasher_badtrunc.c -Wall && ./crasher_badtrunc

The privilege escalation succeeds and root privileges are obtained. Judging from the exploitation process, the preconditions for exploitation are few, so this should be classed as a high-risk vulnerability.

Bug fix

Currently there is no clear patch or upgrade plan. Users are advised, after assessing the risk, to restrict ordinary users from using the bpf(2) system call by setting a kernel parameter:

echo 1 >/proc/sys/kernel/unprivileged_bpf_disabled
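Writing to /proc/sys only lasts until the next reboot. The script below is an added example (not from the original post) that audits whether the unprivileged_bpf_disabled knob is set on a host and persists the setting through a sysctl.d drop-in; the file and directory arguments, and the file name 99-cve-2017-16995.conf, are this example's own choices so the checks can be run against a constructed file instead of the live /proc path.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits and persists the
# CVE-2017-16995 mitigation (kernel.unprivileged_bpf_disabled).
# Path arguments are optional so the functions can be exercised against a
# constructed file/directory instead of the real /proc and /etc paths.

# Returns 0 when unprivileged bpf(2) is disabled, 1 when it is still allowed,
# 2 when the knob cannot be read (kernel too old or value not understood).
bpf_unprivileged_disabled() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    [ -r "$f" ] || return 2
    v=$(cat "$f")
    case "$v" in
        0)   return 1 ;;   # unprivileged bpf(2) allowed: exposed if the kernel is unpatched
        1|2) return 0 ;;   # 1 = disabled and locked until reboot, 2 = disabled but changeable
        *)   return 2 ;;
    esac
}

# Prints "mitigated", "vulnerable" or "unknown" for the given sysctl value file.
# The "|| rc=$?" form keeps a non-zero return from aborting under "set -e".
bpf_mitigation_state() {
    rc=0
    bpf_unprivileged_disabled "$1" || rc=$?
    case "$rc" in
        0) echo mitigated ;;
        1) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Persist the setting across reboots via a sysctl.d drop-in (hypothetical
# file name chosen for this example). Defaults to /etc/sysctl.d.
persist_bpf_mitigation() {
    d="${1:-/etc/sysctl.d}"
    printf 'kernel.unprivileged_bpf_disabled = 1\n' > "$d/99-cve-2017-16995.conf"
}

echo "unprivileged bpf(2) on this host: $(bpf_mitigation_state)"
```

After writing the drop-in, `sysctl --system` (or a reboot) applies it; setting 1 cannot be reverted on a running kernel, so test on a non-production host first.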
