Add kernelCTF CVE-2023-4622_lts (#74)
* Prepare CVE-2023-4622

* Start writing exploit.md

* Exploit arch template

* Add more words on exploit doc

* comment corrupt_msg

* more comment

* Update exploit.md

* Modify exploit to fit reproduce system

* Update exploit.md

* Add Achieve container escape section in exploit doc

* Add more comment in exploit code

* Add EntryBleed section and fix Makefile

* Update exploit.md

* Update exploit.md

* Add self timeout

* Update exploit.md

* Update metadata.json

* Update metadata.json

* Update metadata.json

* Add more comments on poc.c for reading

* Update poc.c

---------

Co-authored-by: Bing-Jhong Billy Jheng <[email protected]>
Co-authored-by: M Ramdhan <[email protected]>
3 people authored Feb 7, 2024
1 parent 58262d4 commit 1deeb22
Showing 12 changed files with 1,334 additions and 0 deletions.
465 changes: 465 additions & 0 deletions pocs/linux/kernelctf/CVE-2023-4622_lts/docs/exploit.md
14 changes: 14 additions & 0 deletions pocs/linux/kernelctf/CVE-2023-4622_lts/docs/vulnerability.md
@@ -0,0 +1,14 @@
- Requirements:
- Capabilites: NA
- Kernel configuration: CONFIG_UNIX=y
- User namespaces required: No
- Introduced by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=869e7c62486e
- Fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.1.y&id=790c2f9d15b594350ae9bca7b236f2b1859de02c
- Affected Version: v4.2 - v6.4
- Affected Component: af_unix
- Syscall to disable: splice
- URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4622
- Cause: Use-After-Free
- Description: A use-after-free vulnerability in the Linux kernel's af_unix. unix_stream_sendpage() tries to add data to the last skb in the peer's
recv queue without locking the queue. So, there is a race where unix_stream_sendpage() could access an skb locklessly that is being
released by garbage collection, resulting in use-after-free. We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
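Review bot: "Capabilites" in the Requirements list is misspelled ("Capabilities"), and the "Fixed by" link points at the linux-6.1.y stable branch while "Introduced by" points at the mainline tree; since "Affected Version: v4.2 - v6.4" is a mainline range, cite the mainline fix commit here as well (or state which 6.1.y release carries the backport) so the version range and the fix reference describe the same tree. The Description also leaves the reader to connect "Syscall to disable: splice" with the race it describes; one sentence noting that unix_stream_sendpage() is the path reached through splice() on a unix stream socket would make clear why blocking that syscall is the listed mitigation.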
12 changes: 12 additions & 0 deletions pocs/linux/kernelctf/CVE-2023-4622_lts/exploit/lts-6.1.36/Makefile
@@ -0,0 +1,12 @@
exploit: poc root run.sh
tar czf ./poc.tar.gz poc root
cp run.sh exploit
fallocate -l 512 exploit
dd if=poc.tar.gz of=exploit conv=notrunc oflag=append

poc: poc.c
gcc -o poc poc.c -static -pthread
root: root.c
gcc -o root root.c -static
clean:
rm -rf poc root exploit poc.tar.gz
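Review bot: the `exploit` rule silently assumes run.sh fits in 512 bytes. `cp run.sh exploit` followed by `fallocate -l 512 exploit` pads a shorter script out to 512 bytes but does not shrink a longer one, so if run.sh ever grows past that size the appended poc.tar.gz lands at a different offset than the script expects and the packaged exploit breaks without any build error. Add a guard before the padding, e.g. `test "$$(stat -c %s run.sh)" -le 512`, and a comment recording the 512-byte offset convention shared with run.sh. Also declare `.PHONY: clean` so a stray file named `clean` cannot mask that rule.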