CVE-2016-2384 proof-of-concept exploit demo
[Youtube Data] Public Data - [Exploit]
2022년 NHN Cloud 무료 교육일정 : https://doc.skill.or.kr/2022-NHN-Cloud-Education
제목 : CVE-2016-2384 proof-of-concept exploit demo
주의 : 테스트 이외의 목적으로 발생 되는 문제점에 대해서는 프로그램을 사용하는 사용자가 책임을 지셔야 한다는 것을 알려 드립니다.
Disclaimer: I am not responsible for any damage done using this tool. This tool should only be used for educational purposes and for penetration testing.
내용 :
공격자가 시스템에 일반 사용자로 접근 하여 exploit 을 실행 하여 root 권한을 획득 하는 방법 입니다.
github 에 소스코드가 올라가 있으나 테스트 용으로 사용하시기 바랍니다.
해결방안으로는 최신버전의 보안 업데이트 수행 하시기 바랍니다.
Description
Overview
This post describes an exploitable vulnerability (CVE-2016-2384) in the usb-midi Linux kernel driver. The vulnerability is present only if the usb-midi module is enabled, but as far as I can see many modern distributions do this. The bug has been fixed upstream.
The vulnerability can be exploited in two ways:
Denial of service. Requires physical access (ability to plug in a malicious USB device). All the kernel versions seem to be vulnerable to this attack. I managed to cause a kernel panic on real machines with the following kernels: Ubuntu 14.04 (3.19.0-49-generic), Linux Mint 17.3 (3.19.0-32-generic), Fedora 22 (4.1.5-200.fe22.x86_64) and CentOS 6 (2.6.32-584.12.2.e16.x86_64).
Arbitrary code execution with ring 0 privileges (and therefore a privilege escalation). Requires both physical and local access (ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user). All the kernel versions starting from v3.0 seem to be vulnerable to this attack. I managed to gain root privileges on real machines with the following kernels: Ubuntu 14.04 (3.19.0-49-generic), Linux Mint 17.3 (3.19.0-32-generic) and Fedora 22 (4.1.5-200.fe22.x86_64). All machines had SMEP turned on, but didn't have SMAP.
A proof-of-concept exploit (poc.c, poc.py) is provided for both types of attacks. The provided exploit uses a Facedancer21 board to physically emulate the malicious USB device. The provided exploit bypasses SMEP, but doesn't bypass SMAP (though it might be possible to do). It has about 50% success rate (the kernel crashes on failure), but this can probably be improved. Check out the demo video.
Infomation :
CVE-2016-2384: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2384
Source Code : https://github.com/xairy/CVE-2016-2384
2022년 NHN Cloud 무료 교육일정 : https://doc.skill.or.kr/2022-NHN-Cloud-Education
Last updated