# CVE-2016-2384 proof-of-concept exploit demo

{% hint style="info" %}
**2022 NHN Cloud** <mark style="color:red;">**free**</mark> **training schedule**: <https://doc.skill.or.kr/2022-NHN-Cloud-Education>
{% endhint %}

## Title: CVE-2016-2384 proof-of-concept exploit demo

{% hint style="danger" %}
**Warning: Users of this program are responsible for any problems that arise from using it for purposes other than testing.**

**Disclaimer: I am not responsible for any damage done using this tool. This tool should only be used for educational purposes and for penetration testing.**
{% endhint %}

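### Content

> This is a method in which an attacker accesses the system as a regular user, runs the exploit and obtains root privileges.
>
> The source code is published on GitHub, but please use it for testing purposes only.
>
> As a remediation, apply the latest security updates.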

### Description

> Overview
>
> This post describes an exploitable vulnerability (CVE-2016-2384) in the usb-midi Linux kernel driver. The vulnerability is present only if the usb-midi module is enabled, but as far as I can see many modern distributions do this. The bug has been fixed upstream.
>
> The vulnerability can be exploited in two ways:
>
> 1. Denial of service. Requires physical access (ability to plug in a malicious USB device). All the kernel versions seem to be vulnerable to this attack. I managed to cause a kernel panic on real machines with the following kernels: Ubuntu 14.04 (3.19.0-49-generic), Linux Mint 17.3 (3.19.0-32-generic), Fedora 22 (4.1.5-200.fe22.x86\_64) and CentOS 6 (2.6.32-584.12.2.e16.x86\_64).
> 2. Arbitrary code execution with ring 0 privileges (and therefore a privilege escalation). Requires both physical and local access (ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user). All the kernel versions starting from v3.0 seem to be vulnerable to this attack. I managed to gain root privileges on real machines with the following kernels: Ubuntu 14.04 (3.19.0-49-generic), Linux Mint 17.3 (3.19.0-32-generic) and Fedora 22 (4.1.5-200.fe22.x86\_64). All machines had SMEP turned on, but didn't have SMAP.
>
> A proof-of-concept exploit (poc.c, poc.py) is provided for both types of attacks. The provided exploit uses a Facedancer21 board to physically emulate the malicious USB device. The provided exploit bypasses SMEP, but doesn't bypass SMAP (though it might be possible to do). It has about 50% success rate (the kernel crashes on failure), but this can probably be improved. Check out the demo video.

### Information

> CVE-2016-2384: <https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2384>
>
> Source Code : [https://github.com/xairy/CVE-2016-2384](https://github.com/xairy/CVE-2016-2384)

{% embed url="<https://youtu.be/lfl1NJn1nvo>" %}
Demo video
{% endembed %}
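
The description above ties exploitability to host conditions: the USB MIDI driver being enabled, and SMEP present without SMAP. As an added example (not from the original page or the PoC repository), this shell script reports those conditions for a host. The module names `snd_usbmidi_lib` and `snd_usb_audio` are taken from the upstream kernel tree rather than from the page, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report the host conditions named in the description
# (USB MIDI driver loaded, SMEP and SMAP advertised by the CPU).

# has_cpu_flag FLAG [FILE]: succeed if FLAG is in the first "flags" line.
has_cpu_flag() {
    grep -m1 '^flags' "${2:-/proc/cpuinfo}" | tr ' \t' '\n\n' | grep -qx "$1"
}

# module_loaded NAME [FILE]: succeed if NAME is listed (/proc/modules format).
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}"
}

# usbmidi_exposure [MODULES_FILE] [CPUINFO_FILE]: print a one-line summary.
# Without arguments it reads the live /proc files.
usbmidi_exposure() {
    mods="${1:-/proc/modules}"; cpu="${2:-/proc/cpuinfo}"
    drv=no; smep=no; smap=no
    # Assumption: module names as built by the upstream kernel tree.
    for m in snd_usbmidi_lib snd_usb_audio; do
        if module_loaded "$m" "$mods"; then drv=yes; fi
    done
    if has_cpu_flag smep "$cpu"; then smep=yes; fi
    if has_cpu_flag smap "$cpu"; then smap=yes; fi
    echo "driver_loaded=$drv smep=$smep smap=$smap"
}

# Constructed sample input so the example runs offline.
tmp=$(mktemp -d)
printf 'snd_usbmidi_lib 36864 1 snd_usb_audio, Live 0x0\n' >  "$tmp/modules"
printf 'snd_usb_audio 180224 0 - Live 0x0\n'               >> "$tmp/modules"
printf 'flags\t\t: fpu vme smep erms\n'                    >  "$tmp/cpuinfo"
usbmidi_exposure "$tmp/modules" "$tmp/cpuinfo"
rm -rf "$tmp"
```

`driver_loaded=no` only describes the current state: the kernel can load the driver automatically when a matching USB device is attached, so the remediation remains the kernel security update.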

