ksmbd - Exploiting CVE-2025-37947 (3/3)

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://blog.doyensec.com/2025/10/08/ksmbd-3.html
• Blog Title: ksmbd - Exploiting CVE-2025-37947 (3/3)
• Suggested Section: Linux -> Linux Kernel Exploitation / Linux Privilege Escalation: ksmbd streams_xattr OOB write (CVE-2025-37947) with msg_msg and pipe_buffer exploitation

🎯 Content Summary

Title: ksmbd - Exploiting CVE-2025-37947 (3/3) — Doyensec

Scope/goal: Show a reliable local Linux kernel privilege escalation (LPE) against ksmbd by abusing a deterministic out-of-bounds (OOB) write in the streams_xattr path. Exploit demonstrated on Ubuntu 22.04.5 LTS with kernel 5.15.0-153-generic, bypassing KASLR, SMEP, SMAP, and hardened usercopy.

Preconditions to reach the bug:
- ksmbd service enabled and a writable SMB share exposed.
- Samba VF...

🔧 Technical Details

Deterministic OOB via streams_xattr position truncation: In ksmbd, if *pos + count > XATTR_SIZE_MAX (0x10000), the allocation is clamped to 0x10000 but count is recomputed as (*pos + count) - 0x10000 and memcpy(&stream_buf[*pos], buf, count) proceeds. Set *pos ≥ 0x10000 (e.g., 0x10018) to write beyond the 16‑page buffer; shifting *pos steers offset, with count growing accordingly.

Buddy-allocator page shaping for page-overflow targets: Pre-exhaust order‑3/4 freelists (zone Normal, migrate type Unmovable) to force order‑5 splits, then place an order‑3 slab (e.g., kmalloc‑cg‑4k) immediately after the order‑4 stream buffer. Spray 4096‑byte msg_msg objects, create holes by receiving some messages, and iterate until adjacency is achieved.

Generic msg_msg exploitation chain: Overflow a primary msg_msg n...

🤖 Agent Actions

I analyzed the Doyensec blog post and updated HackTricks with a new Linux kernel exploitation technique based on ksmbd streams_xattr OOB write (CVE-2025-37947), including the exploitation chain with msg_msg and pipe_buffer primitives.

What I added/changed:

• Created two new technical pages (to keep parity with existing structure that mirrors kernel exploitation in both sections):

  • src/binary-exploitation/linux-kernel-exploitation/ksmbd-streams_xattr-oob-write-cve-2025-37947.md
  • src/linux-hardening/privilege-escalation/linux-kernel-exploitation/ksmbd-streams_xattr-oob-write-cve-2025-37947.md

  These pages include:

  • Preconditions and smb.conf configuration to reach the bug.
  • Root cause analysis with a properly wrapped expandable code snippet showing the vulnerable function (kvmalloc allocation clamping + memcpy at unclamped offset).
  • Deterministic OOB steering via file offset arithmetic (pos ≥ 0x10000) and example pos/count leading to a 32-byte OOB write.
  • Buddy allocator page-shaping strategy to place an order-3 slab (kmalloc-cg-4k) adjacent to the order-4 stream buffer (pre-exhaust order-3/4 freelists, force order-5 split).
  • Full exploitation plan adapted from CVE-2021-22555:
    • msg_msg overlap to share a secondary and detect with MSG_COPY
    • UAF + UNIX socket spray to craft fake msg_msg, heap pointer leak via m_ts over-read
    • Rebuild consistent links with sk_buff
    • Reclaim with pipe_buffer, leak anon_pipe_buf_ops for KASLR
    • Fake pipe_buf_operations->release to pivot into ROP and escalate to root
  • Tuning parameters, reliability notes, and mitigations.
  • References to the Doyensec blog, libsmb2, PoCs, and eBPF tracer.
  • All code blocks longer than 15 lines wrapped in an expandable details block.
  • Proper HackTricks banners and a single References section at the end (before the final banner include).

• Added “See also” cross-links in the existing POSIX CPU timers kernel exploitation pages to help discoverability:

  • src/binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md
  • src/linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md

  Inserted a “See also” section above the References that links to the new ksmbd page in the same folder via:
  {{#ref}}
  ksmbd-streams_xattr-oob-write-cve-2025-37947.md
  {{#endref}}

Why this is the right place:

• Per repository structure and prior precedent (posix-cpu-timers page exists in both binary-exploitation and linux-hardening/linux-kernel-exploitation), kernel exploitation content belongs under both sections, with primary focus on binary-exploitation.
• The new pages focus on the exploitation techniques (page-overflow OOB write, buddy allocator shaping, msg_msg UAF/overlap exploitation, pipe_buffer KASLR bypass and ROP pivot), not on the CVE label itself.

References added:

• Doyensec blog: https://blog.doyensec.com/2025/10/08/ksmbd-3.html
• libsmb2: https://github.com/sahlberg/libsmb2
• PoC and full exploit: https://github.com/doyensec/KSMBD-CVE-2025-37947/blob/main/proof-of-concept.c and https://github.com/doyensec/KSMBD-CVE-2025-37947/blob/main/CVE-2025-37947.c
• eBPF tracer: https://github.com/doyensec/KSMBD-CVE-2025-37947/blob/main/bpf-tracer.sh

No redundant content was found in existing pages; this technique was not present yet, so new pages were warranted.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://blog.doyensec.com/2025/10/08/ksmbd-3.html

Content Categories: Based on the analysis, this content was categorized under "Linux -> Linux Kernel Exploitation / Linux Privilege Escalation: ksmbd streams_xattr OOB write (CVE-2025-37947) with msg_msg and pipe_buffer exploitation".

Repository Maintenance:

• MD Files Formatting: 903 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge