👉 Overview
👀 What ?
The Linux release_agent exploit (Relative Paths to PIDs) is a vulnerability that can be exploited to escalate privileges on a Linux machine. The release_agent is a kernel parameter that specifies a program to be executed when a cgroup (control group) becomes empty. The vulnerability lies in the fact that the path to that program is interpreted relative to the PID of the process that causes the cgroup to become empty, which allows an attacker to run arbitrary programs with elevated privileges.
🧐 Why ?
This vulnerability is significant because a local attacker can exploit it to gain root privileges on a Linux machine. Understanding it is crucial both for system administrators, who must secure their systems against it, and for penetration testers, who need to identify it as a potential attack vector.
⛏️ How ?
To exploit this vulnerability, an attacker needs to create a cgroup, move their process into it, set the release_agent to the path of the program they want executed with elevated privileges, and then cause the cgroup to become empty. The kernel then executes the program specified by the release_agent with root privileges.
⏳ When ?
Exploitation of this vulnerability started to become prevalent in 2016, when it was discovered that the release_agent kernel parameter could be misused in this way. Despite patches having been released to mitigate it, it remains a potent attack vector on unpatched systems.
⚙️ Technical Explanations
The key to understanding this exploit is understanding cgroups in Linux. Cgroups are a feature of the Linux kernel that allow the system to allocate resources, such as CPU time, system memory, network bandwidth, or combinations of these, among user-defined groups of processes. When a cgroup becomes empty (i.e., all processes in it have finished executing), the Linux kernel executes the program specified by the release_agent parameter with root privileges. The vulnerability arises from the fact that the path to this program is interpreted relative to the PID of the process that caused the cgroup to become empty, rather than as an absolute path. This lets an attacker arrange the filesystem so that an arbitrary program is executed with root privileges when a cgroup becomes empty.
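Because the release_agent program runs as root whenever a cgroup with release notification enabled empties, the defender's first question is whether any cgroup v1 hierarchy visible to a process is mounted read-write with its release_agent file reachable. The following audit script is an added example, not part of the original page: it parses /proc/self/mountinfo, lists cgroup v1 hierarchies (filesystem type cgroup; cgroup v2 has no release_agent file), flags those that are mounted read-write and expose the hierarchy root (where release_agent lives), and, when run live, reports whether release_agent is writable by the current user and what it currently points at. The mountinfo lines in SAMPLE_MOUNTINFO are constructed for the demonstration; the function names are this example's own.

```python
import os

# Constructed sample of /proc/self/mountinfo content (not captured from a real host).
# Field layout: id parent major:minor root mount_point mount_opts [optional...] - fstype source super_opts
SAMPLE_MOUNTINFO = """\
24 30 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
30 24 0:26 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755
31 30 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,memory
32 30 0:28 / /sys/fs/cgroup/cpu ro,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,cpu
33 30 0:29 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:12 - cgroup2 cgroup2 rw
"""


def parse_mountinfo(text):
    """Parse mountinfo text into dicts; optional fields before ' - ' are skipped."""
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.strip().partition(" - ")
        if not sep:
            continue
        pre_fields = pre.split()
        post_fields = post.split()
        if len(pre_fields) < 6 or len(post_fields) < 3:
            continue
        mounts.append({
            "root": pre_fields[3],                      # cgroup path this mount exposes as its root
            "mount_point": pre_fields[4],
            "mount_opts": pre_fields[5].split(","),     # per-mount flags, e.g. a read-only bind mount
            "fstype": post_fields[0],
            "super_opts": post_fields[2].split(","),    # superblock options, e.g. the controller name
        })
    return mounts


def cgroup_v1_hierarchies(text):
    """Only cgroup v1 (fstype 'cgroup') carries release_agent; cgroup2 does not."""
    return [m for m in parse_mountinfo(text) if m["fstype"] == "cgroup"]


def writable_hierarchies(text):
    """Mount points of v1 hierarchies that are read-write at both mount and superblock level
    and expose the hierarchy root, where the release_agent file lives."""
    return [
        m["mount_point"]
        for m in cgroup_v1_hierarchies(text)
        if "ro" not in m["mount_opts"]
        and "ro" not in m["super_opts"]
        and m["root"] == "/"
    ]


def audit_release_agent(mountinfo_path="/proc/self/mountinfo"):
    """Live check: for each writable hierarchy, report whether release_agent can be written
    by the current user and what it is currently set to (empty means no agent configured)."""
    with open(mountinfo_path) as f:
        text = f.read()
    findings = []
    for mp in writable_hierarchies(text):
        agent = os.path.join(mp, "release_agent")
        entry = {"hierarchy": mp, "release_agent_writable": os.access(agent, os.W_OK)}
        try:
            with open(agent) as f:
                entry["release_agent"] = f.read().strip()
        except OSError:
            entry["release_agent"] = None  # file not present or not readable from here
        findings.append(entry)
    return findings


if __name__ == "__main__":
    print("sample: writable v1 hierarchies ->", writable_hierarchies(SAMPLE_MOUNTINFO))
    for finding in audit_release_agent():
        print(finding)
```

In the constructed sample only the memory hierarchy is flagged: the cpu hierarchy is bind-mounted read-only and the unified mount is cgroup2. On a hardened host or container the expected live result is an empty list, or entries with release_agent_writable set to False; a True there, or an unexpected non-empty release_agent value, is what a hardening review or a periodic detection job should alert on.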