Notice removed Canonical answer required by CommunityBot
Bounty Ended with no winning answer by CommunityBot
added 309 characters in body

One way is to create a listening socket for some protocol, and the module for that protocol will be loaded. For example, DCCP and SCTP.

Are there other ways?

UPD: Use case: a virtual machine somewhere in AWS/Azure/... An attacker got a local unprivileged user shell. No hardware changes can be done by an unprivileged user. There is a local privilege escalation vulnerability in a kernel module that is not loaded now. How can he load this module to use it?

Question inspired by a recent vulnerability in the DCCP protocol kernel module.

UPD2: According to CVE-2017-2636, it's possible to load the n_hdlc kernel module just by "activating HDLC for tty device" (Russian article on CVE-2017-2636). So there are other ways, but nobody with this sacred knowledge was interested in the question :(
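
From the defender's side, whether the modules named in the question (dccp, sctp, n_hdlc) can still be autoloaded depends on the host's modprobe configuration. The following is an added example, not part of the original post; `module_policy`, `audit` and `SAMPLE_CONF` are hypothetical names and the sample configuration is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): report how a modprobe.d-style
# configuration treats the autoloadable modules named in the question.
# SAMPLE_CONF is constructed; on a real host the effective configuration
# can be dumped with `modprobe --showconfig` and piped in instead.

SAMPLE_CONF='# constructed sample configuration
install dccp /bin/false   # loading dccp always fails
blacklist sctp
'

# module_policy <module>: reads configuration on stdin and prints
#   blocked     an "install <module> /bin/false|/bin/true" rule replaces the load
#   alias-only  only "blacklist <module>": modprobe ignores the module's internal
#               aliases, but loading it by name still works
#   loadable    no rule mentions the module
module_policy() {
    awk -v m="$1" '
        BEGIN { gsub(/-/, "_", m) }              # modprobe treats - and _ alike
        { sub(/#.*/, ""); name = $2; gsub(/-/, "_", name) }
        $1 == "install" && name == m && ($3 == "/bin/false" || $3 == "/bin/true") { blocked = 1 }
        $1 == "blacklist" && name == m { listed = 1 }
        END { print (blocked ? "blocked" : (listed ? "alias-only" : "loadable")) }
    '
}

# audit: one line per module of interest.
audit() {
    for mod in dccp sctp n_hdlc; do
        printf '%s: %s\n' "$mod" "$(printf '%s\n' "$SAMPLE_CONF" | module_policy "$mod")"
    done
}

audit
```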

Notice added Canonical answer required by Selivanov Pavel
Bounty Started worth 50 reputation by Selivanov Pavel
added 366 characters in body
edited tags
Jeff Schaller