PTRACE_TRACEME local root: CVE-2019-13272 is a Linux kernel local privilege escalation vulnerability originally discovered and exploited by Jann Horn in July 2019; his exploit is adapted for x64.
However, there are still many desktop systems running on arm64 chipsets, so I wrote this exploit, which exploits this vulnerability on aarch64 Linux.
Simple steps to prepare the environment and test this exploit:
- download the aarch64 Ubuntu ISO and the EFI firmware file
  - ubuntu-18.04.3-server-arm64.iso
  - QEMU_EFI.fd
- install the ISO to a QEMU disk image

```sh
qemu-img create ubuntu18.04-arm64.img 16G
# Note: the tap netdev "net1" below is not attached to any device and needs a
# host interface named tap1 to exist; drop that line if you do not have one.
# Only the user-mode netdev "net0" is attached to the virtio NIC.
qemu-system-aarch64 \
  -m 2048 \
  -cpu cortex-a57 \
  -smp 2 \
  -M virt \
  -bios QEMU_EFI.fd \
  -nographic \
  -drive if=none,file=ubuntu-18.04.3-server-arm64.iso,id=cdrom,media=cdrom \
  -device virtio-scsi-device -device scsi-cd,drive=cdrom \
  -drive if=none,file=ubuntu18.04-arm64.img,id=hd0 \
  -device virtio-blk-device,drive=hd0 \
  -netdev tap,id=net1,ifname=tap1,script=no,downscript=no \
  -device virtio-net-device,netdev=net0 \
  -netdev user,id=net0
```
- boot up the installed system (guest SSH is forwarded to 127.0.0.1:2222 on the host)

```sh
# Note: the disk image name here differs from the one created in the install
# step; point file= at the image you actually installed to.
qemu-system-aarch64 \
  -m 2048 \
  -cpu cortex-a57 \
  -smp 2 \
  -M virt \
  -bios QEMU_EFI.fd \
  -nographic \
  -drive if=none,file=ubuntu18.04-arm64-withnet.img,id=hd0 \
  -device virtio-blk-device,drive=hd0 \
  -device virtio-net-device,netdev=net0 \
  -netdev user,id=net0,hostfwd=tcp:127.0.0.1:2222-:22
```
- build and run the exploit

Log in to the system, install gcc, copy the exploit source to the system, then build and run it. The exploit source contains these hard-coded paths:

```c
char *pkexec_path = "/tmp/fakepkexec";
char *helper_path = "/tmp/fakehelper";
char *shell_path = "/bin/sh";
```

You need to modify the above paths to match the file paths on your system if you want to run the exploit on a desktop aarch64 system.