Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/H4K6/CVE-2023-0179-PoC
Exploit for CVE-2023-0179. The vulnerability was assigned CVE-2023-0179 and affects all Linux versions from 5.5 to 6.2-rc3; the exploit was tested on 6.1.6. Vulnerability details and the writeup can be found on oss-security.
Last synced: 21 days ago
- Host: GitHub
- URL: https://github.com/H4K6/CVE-2023-0179-PoC
- Owner: H4K6
- Created: 2023-03-16T02:20:52.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-03-16T02:22:28.000Z (over 1 year ago)
- Last Synced: 2024-08-05T17:24:39.789Z (4 months ago)
- Language: C
- Homepage:
- Size: 86.9 KB
- Stars: 205
- Watchers: 5
- Forks: 27
- Open Issues: 1
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - H4K6/CVE-2023-0179-PoC - Exploit for CVE-2023-0179. The vulnerability was assigned CVE-2023-0179 and affects all Linux versions from 5.5 to 6.2-rc3; the exploit was tested on 6.1.6. Vulnerability details and the writeup can be found on oss-security. (C)
README
# Needle (CVE-2023-0179) exploit
This repository contains the exploit for my recently discovered vulnerability in the nftables subsystem that was assigned CVE-2023-0179, affecting all Linux versions from 5.5 to 6.2-rc3, although the exploit was tested on 6.1.6.
The vulnerability details and writeup can be found on [oss-security](https://www.openwall.com/lists/oss-security/2023/01/13/2)
## Building instructions
Just invoke the `make needle` command to generate the corresponding executable. `libmnl` and `libnftnl` are required for the build to succeed:
```bash
sudo apt-get install libmnl-dev libnftnl-dev
```
## Infoleak
The exploit will enter an unprivileged user and network namespace and add an `nft_payload` expression via the `rule_add_payload` function which, when evaluated, will trigger the stack buffer overflow and overwrite the registers.
The content is then retrieved with the following nft command:
`nft list map netdev mytable myset12`
The output will leak several shuffled addresses relative to kernel data structures, among which we find a kernel instruction address and the regs pointer.
## LPE
The exploit creates a new user account `needle:needle` with UID 0 by abusing the `modprobe_path` variable.
Enjoy root privileges.
## Demo
[![asciicast](https://asciinema.org/a/mVTu420tWy8ocdFY70sWD9VLO.svg)](https://asciinema.org/a/mVTu420tWy8ocdFY70sWD9VLO)
## Credits
- David Bouman's `libnftnl` [implementation](https://github.com/pqlx/CVE-2022-1015) and detailed [blog post](https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/)