CVE-2016-2384 proof-of-concept exploit demo

[Youtube Data] Public Data - [Exploit]

2022 NHN Cloud free training schedule: https://doc.skill.or.kr/2022-NHN-Cloud-Education

Title: CVE-2016-2384 proof-of-concept exploit demo

Caution: Please note that the user running the program is responsible for any problems arising from use for purposes other than testing.

Disclaimer: I am not responsible for any damage done using this tool. This tool should only be used for educational purposes and for penetration testing.

Summary:

An attacker who has access to the system as an ordinary user runs the exploit and obtains root privileges.

The source code is available on GitHub, but it should be used for testing purposes only.

As a remedy, apply the latest security updates.

Description

Overview

This post describes an exploitable vulnerability (CVE-2016-2384) in the usb-midi Linux kernel driver. The vulnerability is present only if the usb-midi module is enabled, but as far as I can see many modern distributions do this. The bug has been fixed upstream.

The vulnerability can be exploited in two ways:

Denial of service. Requires physical access (ability to plug in a malicious USB device). All the kernel versions seem to be vulnerable to this attack. I managed to cause a kernel panic on real machines with the following kernels: Ubuntu 14.04 (3.19.0-49-generic), Linux Mint 17.3 (3.19.0-32-generic), Fedora 22 (4.1.5-200.fc22.x86_64) and CentOS 6 (2.6.32-584.12.2.el6.x86_64).

Arbitrary code execution with ring 0 privileges (and therefore a privilege escalation). Requires both physical and local access (ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user). All the kernel versions starting from v3.0 seem to be vulnerable to this attack. I managed to gain root privileges on real machines with the following kernels: Ubuntu 14.04 (3.19.0-49-generic), Linux Mint 17.3 (3.19.0-32-generic) and Fedora 22 (4.1.5-200.fc22.x86_64). All machines had SMEP turned on, but didn't have SMAP.

A proof-of-concept exploit (poc.c, poc.py) is provided for both types of attacks. The provided exploit uses a Facedancer21 board to physically emulate the malicious USB device. The provided exploit bypasses SMEP, but doesn't bypass SMAP (though it might be possible to do). It has about 50% success rate (the kernel crashes on failure), but this can probably be improved. Check out the demo video.
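The overview states that the bug only matters when the usb-midi driver is loaded and that the code-execution variant affects kernels from v3.0 onward, and the summary above names a security update as the remedy. The following triage script is an added example written for this page; it is not part of the xairy repository or the original post. It assumes the usb-midi driver is shipped as the module snd-usbmidi-lib (listed by lsmod as snd_usbmidi_lib); that module name is an assumption to verify against your own distribution. The sample lsmod output embedded in the script is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example for CVE-2016-2384 triage; not code from the original post.
# Assumption: the usb-midi driver is the module snd-usbmidi-lib, shown by
# lsmod as "snd_usbmidi_lib". Verify the name on the distribution you check.

# Return 0 if the kernel release string has major version >= 3, which is the
# range the post names for the code-execution variant; 1 otherwise.
kernel_at_least_3_0() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    case "$major" in
        ''|*[!0-9]*) return 2 ;;   # unparsable release string
    esac
    [ "$major" -ge 3 ]
}

# Return 0 if the given lsmod output lists the usb-midi module.
midi_module_loaded() {
    printf '%s\n' "$1" | grep -q '^snd_usbmidi_lib[[:space:]]'
}

# Combine module state and kernel range into a short verdict, e.g.
# "loaded:in-range" (module present on a >= 3.0 kernel, patch status unknown).
triage() {
    kver=$1
    lsmod_out=$2
    if midi_module_loaded "$lsmod_out"; then mod="loaded"; else mod="not-loaded"; fi
    if kernel_at_least_3_0 "$kver"; then rng="in-range"; else rng="pre-3.0"; fi
    printf '%s:%s\n' "$mod" "$rng"
}

# Constructed sample lsmod output (not from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
snd_usbmidi_lib        28672  1 snd_usb_audio
snd_rawmidi            36864  1 snd_usbmidi_lib'

# Run against the live host with "--live", otherwise against the sample.
if [ "${1:-}" = "--live" ]; then
    triage "$(uname -r)" "$(lsmod)"
else
    triage "3.19.0-49-generic" "$SAMPLE_LSMOD"
fi
```

A verdict of "loaded:in-range" only says the host is within the affected configuration the post describes; whether the distribution's kernel package already carries the upstream fix has to be confirmed from the vendor's update notes, and installing that update is the remedy the page gives. Until the update is in place, preventing the assumed module from loading via a modprobe.d blacklist entry removes the exposed code path, at the cost of USB MIDI support.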

Information:

CVE-2016-2384: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2384

Source Code : https://github.com/xairy/CVE-2016-2384

