Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bcoles/kernel-exploits
Various kernel exploits
https://github.com/bcoles/kernel-exploits
exploit kernel kernel-exploits linux linux-kernel local-root
Last synced: 14 days ago
JSON representation
Various kernel exploits
- Host: GitHub
- URL: https://github.com/bcoles/kernel-exploits
- Owner: bcoles
- Created: 2018-05-05T07:25:57.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2024-03-14T13:37:20.000Z (8 months ago)
- Last Synced: 2024-10-13T07:41:46.328Z (about 1 month ago)
- Topics: exploit, kernel, kernel-exploits, linux, linux-kernel, local-root
- Language: C
- Homepage:
- Size: 166 KB
- Stars: 738
- Watchers: 29
- Forks: 238
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Kernel Exploits
Various kernel exploits
## CVE-2021-22555
Linux local root exploit.
Updated version of theflow's [exploit](https://github.com/google/security-research/blob/master/pocs/linux/cve-2021-22555/exploit.c) for [CVE-2021-22555](https://nvd.nist.gov/vuln/detail/CVE-2021-22555).
> A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.
## CVE-2019-13272
Linux local root exploit.
Updated version of Jann Horn's [exploit](https://bugs.chromium.org/p/project-zero/issues/detail?id=1903) for [CVE-2019-13272](https://nvd.nist.gov/vuln/detail/CVE-2019-13272).
> In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
## CVE-2018-18955
Linux local root exploit.
Wrapper for Jann Horn's [exploit](https://bugs.chromium.org/p/project-zero/issues/detail?id=1712) for [CVE-2018-18955](https://nvd.nist.gov/vuln/detail/CVE-2018-18955).
> In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
## CVE-2018-5333
Linux local root exploit.
Updated version of wbowling's [exploit](https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4) for [CVE-2018-5333](https://nvd.nist.gov/vuln/detail/CVE-2018-5333).
> In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.
## CVE-2017-1000112
Linux local root exploit.
Updated version of xairy's [exploit](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112) for [CVE-2017-1000112](https://nvd.nist.gov/vuln/detail/CVE-2017-1000112).
> Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
## CVE-2017-7308
Linux local root exploit.
Updated version of xairy's [exploit](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308) for [CVE-2017-7308](https://nvd.nist.gov/vuln/detail/CVE-2017-7308).
> The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.
## CVE-2016-9793
Linux local root exploit.
Updated version of xairy's [exploit](https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793) for [CVE-2016-9793](https://nvd.nist.gov/vuln/detail/CVE-2016-9793).
> The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.
## CVE-2016-8655
Linux local root exploit.
Updated version of rebel's [exploit](https://packetstormsecurity.com/files/140063/Linux-Kernel-4.4.0-AF_PACKET-Race-Condition-Privilege-Escalation.html) for [CVE-2016-8655](https://nvd.nist.gov/vuln/detail/CVE-2016-8655).
> Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.