Add exploit for CVE-2022-34918 #16794
9c6e85d to 3b64a40
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Use Edit: A quick read through the source shows that at minimum the target kernel must be Ubuntu and unprivileged user namespaces are required. Refer to the following modules which check for these requirements, in addition to checking the kernel version.
You can write the upload and compile code manually. Before this method existed, the same code was copied between a bunch of modules. This method grew natively out of the copypasta. It isn't a rule. Personally I usually prefer re-writing the exploit to be an all-in-one self-contained C file. This is more convenient and also means that the target host requires only
modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb
This should keep you entertained for a while. Looks like 20.04.4 LTS
Ubuntu 21.10
3b64a40 to d9c1219
d9c1219 to 73db035
I added 14 more kernel offsets, and tested a few of these versions, thanks @bcoles . Could you provide a similar list for The symbol that isn't present on older kernel versions is used in the KASLR bypass process, I am not sure if a different pointer could end up in the leaked memory, I might investigate it this weekend. Should still work with the Added a check method also. I will add the module docs tomorrow.
Ubuntu 22.04 LTS
I added some docs, updated the check method, and added offsets for Ubuntu 22.04 kernels, thanks to @bcoles . I also tested a few kernel versions, seems to work fine, but more testing is necessary.
modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb
Co-authored-by: bcoles <bcoles@gmail.com>
ee9bc48 to 88d069a
…cleanup in upload_source
@bwatters-r7 Any updates on this? (Should be ready for landing, please let me know if you need help at testing, or if you have more feedback)
### Included Binaries | ||
The binary used by this exploit `data/exploits/CVE-2022-34918/ubuntu.elf` can be used separately from | ||
Metasploit. The binary takes a single argument which is the payload or executable you wish to launch as `root`. |
I love that this has started to be a thing again!
modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb
def run_payload | ||
info = cmd_exec(@executable_path, @payload_path) | ||
info.each_line do |line| | ||
print_status(line.chomp) |
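Review bot: `run_payload` uses the result of `cmd_exec(@executable_path, @payload_path)` only to print it line by line, so nothing in this method tells the caller whether the binary ran to completion or failed; consider returning the captured output (or a success flag derived from it) so the exploit method can act when no session appears, and route the line-by-line printing through vprint_status since the C source is verbose.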
minor, but this might be better as vprint_status because there's a lot of output in the c source. Another option might be to only print the output if the exploit fails. For an example, see
`unless session_created?`
Sometimes, the session is created, but a kernel panic follows shortly after. I've opted for vprint_status.
modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb
@red0xff some minor stuff, but yup, this is on my radar again.
Hey there @red0xff; thanks for addressing the changes! I'm in the middle of something else right now, but I'm hoping to take a look at this again next week.
Also, I'm assuming this is based in large part on https://github.com/randorisec/CVE-2022-34918-LPE-PoC, which is owned by @randorisec. I don't see a license file or license information in any of the files; do we have permission to use the code? Could we work with @randorisec to add a license file that would allow us to use it?
You're right.
Hi there,
@randorisec the updates look good, we can move this PR forward based on that update. I would recommend extracting and creating a
Done, I've added
modules/exploits/linux/local/netfilter_nft_set_elem_init_privesc.rb
I was unable to get this to work on
* }; | ||
* The last three fields are the offsets of the corresponding symbols | ||
*/ | ||
// 22.04 LTS |
I'm not passionate about changing it now that it is here and I recognize this is an artifact of the original tool, but normally I'm a fan of placing the offsets in the ruby code and passing them in as arguments. It makes expanding the target sets easier, and allows a forced exploit to run. Again, I'm not super passionate about changing it, but in the future I think that's the better paradigm.
After about 10 attempts and 5 reboots, I got a session:
Co-authored-by: Brendan <bwatters@rapid7.com>
Hi, is there something else missing? We would love to see this module landed 🤗
I need to get it to work again....
15th time is a charm!
Release Notes
This is a local-privilege escalation exploit targeting CVE-2022-34918, a vulnerability in the Netfilter component of the Linux kernel.

CVE-2022-34918
This is a local-privilege escalation exploit targeting the Netfilter component of the Linux kernel.
CVE details
RandoriSec blog post

The vulnerability was discovered, and the initial exploit code was written, by Arthur Mongodin (@Aleknight) during his internship at RandoriSec. I made a few modifications to the PoC code, and made a Metasploit module out of it.

The exploit targets Ubuntu. It aims to overwrite the `modprobe_path` variable with a string in /tmp/, to create a corresponding temporary file that gives the setuid bit to our payload.

From my testing, it has a pretty good success rate, but the system is not always in a stable state after successful exploitation (kernel panics can occur randomly at any time).

Credits
Thanks to @randorisec for supporting this research, and the publication of this exploit code.

Verification
List the steps needed to make sure this thing works:
msfconsole
`external/source/exploits/CVE-2022-34918/src/util.c`, `5.15.0-25-generic #25-Ubuntu` for example.
use exploit/linux/local/netfilter_nft_set_elem_init_privesc

Possible improvements
This exploit leaves a file in `/tmp`, having a non-printable name. The file is created by the exploit binary; not sure if it's a good idea to use `register_file_for_cleanup` for it.
Compiling on the target would be a good idea, but as I see, the `Msf::Post::Linux::Compile` mixin is mainly a wrapper over gcc. I think it would be a great idea to have a wrapper around `make`, support `clang` perhaps if there is no gcc on the target, and so on. I don't think wrapping the exploit in a single file would be a good idea.
The exploit writes a file to `/tmp` anyway. `WritableDir` is used for uploading the payload and the exploit, but the exploitation strategy used overwrites bytes from modprobe_path with a valid pointer that is also a filename in `/tmp`.
A check method? Not sure if check should return whether the vulnerability is present, or whether the target is supported (the vulnerability is not specific to Ubuntu, but the exploitation strategy might differ, and the exploit doesn't even have all the offsets for Ubuntu kernel versions).
More offsets for more Ubuntu kernel versions would be nice (update `external/source/exploits/CVE-2022-34918/src/util.c`). The needed offsets are those of:
`io_ring_ctx_ref_free`
`io_rsrc_node_ref_zero`
`modprobe_path`

Testing tips
`-static` flag in the Makefile (this will reduce the file size drastically).
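Added example, not code from this PR or from Metasploit: a defender-side triage helper for the post-exploitation state the description above reports (modprobe_path overwritten with a pointer into /tmp, and a file with a non-printable name left in /tmp) together with the prerequisite noted earlier in the review (unprivileged user namespaces). It assumes modprobe_path is readable from user space as /proc/sys/kernel/modprobe and that Ubuntu exposes the user-namespace toggle as kernel.unprivileged_userns_clone; the function names and all sample inputs are constructed here.

```ruby
# Assumption: on an unmodified system the kernel's modprobe_path, exposed as
# /proc/sys/kernel/modprobe, is /sbin/modprobe. The exploit in this PR
# overwrites it with a pointer into /tmp, which is visible from user space.
EXPECTED_MODPROBE = '/sbin/modprobe'.freeze

# Returns a list of finding strings; an empty list means nothing suspicious.
#   modprobe:  contents of /proc/sys/kernel/modprobe (trailing newline allowed)
#   tmp_names: basenames found in /tmp
#   userns:    value of kernel.unprivileged_userns_clone ("0"/"1"), or nil
def triage_cve_2022_34918(modprobe:, tmp_names:, userns: nil)
  findings = []
  path = modprobe.strip

  if path != EXPECTED_MODPROBE
    findings << "modprobe_path is #{path.inspect}, expected #{EXPECTED_MODPROBE}"
  end
  # A modprobe_path under /tmp is the exact artifact of this exploit strategy.
  findings << 'modprobe_path points into /tmp' if path.start_with?('/tmp/')

  tmp_names.each do |name|
    # The PR description says the binary leaves a file with a non-printable
    # name in /tmp; flag any name with bytes outside printable ASCII.
    # `.b` gives a binary copy so invalid UTF-8 bytes cannot raise in match?.
    next if name.b.match?(/\A[\x20-\x7e]+\z/)
    findings << "non-printable filename in /tmp: #{name.inspect}"
  end

  if userns == '1'
    findings << 'unprivileged user namespaces enabled (exploit prerequisite)'
  end
  findings
end

# Collects live values from the current host (hypothetical helper; the test
# below exercises only the pure function above with constructed inputs).
def triage_live_host
  modprobe = File.exist?('/proc/sys/kernel/modprobe') ? File.read('/proc/sys/kernel/modprobe') : ''
  toggle = '/proc/sys/kernel/unprivileged_userns_clone'
  userns = File.exist?(toggle) ? File.read(toggle).strip : nil
  tmp = Dir.exist?('/tmp') ? Dir.children('/tmp') : []
  triage_cve_2022_34918(modprobe: modprobe, tmp_names: tmp, userns: userns)
end
```

A non-empty result for the first two findings is worth treating as a compromise indicator rather than a misconfiguration, since modprobe_path is never legitimately pointed into /tmp.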