Linux BPF doubleput UAF Privilege Escalation
Disclosed | Created |
---|---|
2016-05-04 | 2018-05-30 |
Description
Linux kernel 4.4 does not properly reference count file descriptors, resulting
in a use-after-free, which can be abused to escalate privileges.
The target kernel must be compiled with `CONFIG_BPF_SYSCALL` enabled,
and `kernel.unprivileged_bpf_disabled` must not be set to 1.
Note, this module will overwrite the first few lines
of `/etc/crontab` with a new cron job. The job will
need to be manually removed.
This module has been tested successfully on Ubuntu 16.04 (x64)
kernel 4.4.0-21-generic (default kernel).
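A defender-side check for the two preconditions named above, as an added example that is not part of the module or of the original page. The function name `bpf_preconditions`, its output strings and the sample files are constructed for illustration, and a missing sysctl file is assumed to mean the restriction is not set.

```shell
#!/bin/sh
# Added example: report whether a host meets the two preconditions in the
# description. Paths are arguments so the logic can be exercised offline.
# Usage: bpf_preconditions KERNEL_CONFIG SYSCTL_FILE
# Prints: unknown-config | no-bpf-syscall | unprivileged-bpf-disabled | preconditions-met
bpf_preconditions() {
    config=$1
    sysctl_file=$2
    if [ ! -r "$config" ]; then
        echo "unknown-config"; return 0
    fi
    # A kernel built without bpf() has "# CONFIG_BPF_SYSCALL is not set"
    # or no CONFIG_BPF_SYSCALL line at all.
    if ! grep -q '^CONFIG_BPF_SYSCALL=y$' "$config"; then
        echo "no-bpf-syscall"; return 0
    fi
    # Assumption: an unreadable sysctl file means the restriction is not set.
    value=0
    if [ -r "$sysctl_file" ]; then
        value=$(tr -d '[:space:]' < "$sysctl_file")
    fi
    # Any non-zero value blocks unprivileged bpf(); the description names 1.
    if [ "${value:-0}" != "0" ]; then
        echo "unprivileged-bpf-disabled"
    else
        echo "preconditions-met"
    fi
}

# Constructed sample inputs (not taken from a real host).
demo=$(mktemp -d)
printf 'CONFIG_BPF=y\nCONFIG_BPF_SYSCALL=y\n' > "$demo/config-bpf"
printf '# CONFIG_BPF_SYSCALL is not set\n' > "$demo/config-nobpf"
printf '0\n' > "$demo/sysctl-0"
printf '1\n' > "$demo/sysctl-1"
echo "bpf on,  sysctl 0: $(bpf_preconditions "$demo/config-bpf" "$demo/sysctl-0")"
echo "bpf on,  sysctl 1: $(bpf_preconditions "$demo/config-bpf" "$demo/sysctl-1")"
echo "bpf off, sysctl 0: $(bpf_preconditions "$demo/config-nobpf" "$demo/sysctl-0")"
rm -rf "$demo"
# On a live host (the /boot/config-* location is a distribution convention):
#   bpf_preconditions "/boot/config-$(uname -r)" /proc/sys/kernel/unprivileged_bpf_disabled
```

`preconditions-met` only means the two settings permit unprivileged `bpf()`; whether the kernel is affected still depends on its version and patch level.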
Authors
jannh jannh@google.com
h00die mike@shorebreaksecurity.com
Platform
Linux
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
