The proof of concept (PoC) itself relies on /tmp/ having mount 'exec' permissions. On systems with a separate /tmp/ mounted with 'noexec' this would fail. The latter is one of a series of hardening steps that are useful in making executing untrusted code more difficult (but not impossible).<p>The fix is introduced in commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6. On the wider point of kernel corruption it isn't absolutely clear if the PoC relies on specific attributes of the target kernel builds or a suitable .config, and if so which, or on very specific kernel versions between v4.1-rc1 and v5.19-rc7.<p>The article talks specifically about "Ubuntu 22.04" and shows kernel 5.15.0-27-generic in the poc.gif, but the GitHub README.md says 5.15.0-39-generic. No mention of whether this affects the -lowlatency kernels.<p>Recent Linux stable tree kernels carry the patch (e.g. v5.18.12 commit 6b7488071ea8ed6265a39afebd5a5920f6975d02).<p>The exploit fails (here) on stable tree v5.18.9 in an interesting way!<p>
<pre><code> $ ./poc
[+] Second process currently waiting
[+] Get CAP_NET_ADMIN capability
[+] Netlink socket created
[+] Netlink socket bound
[+] Table table created
[+] Set for the leak created
[+] Set for write primitive created
[*] Leak in process[-] add_key: Disk quota exceeded
</code></pre>
This on an ext4 file-system with no quotas enabled and 9GiB free space.<p>The message via perror() is of course wrong; in fact during the call via SYSCALL_DEFINES(add_key, ...) in security/keys/keyctl.c a return value of 122 (EDQUOT) is returned. There are 3 call sites in that function that call PTR_ERR() - a function that determines if a pointer value is a valid 'errno' value - so one of strndup_user(), lookup_user_key(), or key_create_or_update() failed.
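As an added example (not part of the comment above or the PoC repository), a small POSIX shell check for the hardening step mentioned above: it resolves which mount backs a path by longest-prefix match over a mounts table in /proc/self/mounts format and reports whether that mount carries 'noexec'. The sample mounts table is constructed so the script runs anywhere; the final line queries the real /proc/self/mounts when it is readable.

```shell
#!/bin/sh
# mount_opts_for PATH MOUNTS_FILE -> prints the mount options of the deepest
# (longest-prefix) mount point that contains PATH. Later table entries win
# on equal length, matching how a later mount shadows an earlier one.
mount_opts_for() {
    target=$1
    mounts=$2
    best_mp=''
    best_opts=''
    while read -r _dev mp _fstype opts _freq _pass; do
        case "$mp" in
            /) match=1 ;;                       # root matches every path
            *) case "$target" in
                   "$mp"|"$mp"/*) match=1 ;;     # exact or sub-path match
                   *) match=0 ;;
               esac ;;
        esac
        if [ "$match" -eq 1 ] && [ ${#mp} -ge ${#best_mp} ]; then
            best_mp=$mp
            best_opts=$opts
        fi
    done < "$mounts"
    printf '%s\n' "$best_opts"
}

# has_opt OPTS NAME -> success if the comma-separated OPTS contains NAME exactly
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# noexec_status PATH MOUNTS_FILE -> prints "noexec" or "exec"
noexec_status() {
    opts=$(mount_opts_for "$1" "$2")
    if has_opt "$opts" noexec; then echo noexec; else echo exec; fi
}

# Constructed sample mounts table (not captured from a real host).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0
EOF

echo "sample: /tmp/poc is on a $(noexec_status /tmp/poc "$SAMPLE_MOUNTS") mount"
if [ -r /proc/self/mounts ]; then
    echo "this host: /tmp is on a $(noexec_status /tmp /proc/self/mounts) mount"
fi
```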
To my very humble reading you need local system (non-root) access first. So no exploitation over the networking interfaces themselves.<p>Disclaimer: Not a hacker, not a Linux pro.
Wow! If I understand correctly this is a local privilege escalation (the blog post doesn't mention "local" or "remote"). But it seems it could also be used to get remote code execution?<p>I wish there was a list of distribution kernels that are vulnerable and which have already patched this. Would be valuable to add to the blog post and the GitHub repo. <a href="https://github.com/randorisec/CVE-2022-34918-LPE-PoC" rel="nofollow">https://github.com/randorisec/CVE-2022-34918-LPE-PoC</a>
My understanding is you need CAP_NET_ADMIN first, right? Which is enabled by default for an interactive user on Ubuntu. But is it enabled for, say, www-data? If I pop a shell on WordPress for example, I would need to compromise another account with that capability, right? Or is CAP_NET_ADMIN enabled for non-interactive system users, or not required for this LPE?
TL;DR: Local privilege escalation in iptables on Ubuntu 22.04 and RHEL 9.<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918" rel="nofollow">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3491...</a><p><a href="https://access.redhat.com/security/cve/cve-2022-34918" rel="nofollow">https://access.redhat.com/security/cve/cve-2022-34918</a>
Speaking about iptables - is there anything in the wild that allows users to make a request to a web port so I can approve/deny particular requests?<p>For example, 443/TCP is blocked from the world. However, if someone opens the web page, it returns <html><body>Access request from IP xxx.xxx.xxx.xxx has been submitted</body></html> (or maybe a form where you put in the port number you'd like to access), and from the server side I can somehow see those requests and user agents, accept/deny them, and just ignore bots.<p>Use case: Some photo album is locked down, accessed by particular IPs/countries/VPN (to reduce or prevent brute-forcing, automated hacking and such) - however I'd like to give access to someone (who doesn't know his IP) by just giving him a domain name. <a href="https://photos.example.com" rel="nofollow">https://photos.example.com</a> - yeah, he sees that unfriendly page. After a while I call him and say - try again, and poof, next time he opens the page, he penetrates the firewall and gets the pictures.<p>The thing is:<p>- VPN is too much of an ask for a person I want to send a link to some data<p>- Country block is a very rough filter, it just helps to reduce some log traffic from uninteresting countries with loads of bots.<p>- Asking a person for his IP is very manual: "please open/google up such a phrase, send me that address and I'll look up my notes to copy/paste that iptables command and I'll modify it slightly (or add some config entry to .htaccess) to put your IP in, and then you'll have access until you reconnect to your mobile network or your ISP gives you a new DHCP address, and then we'll repeat"<p>"Knockwall" doesn't return many results, eh.