Immunity, Inc.
Name linux_esp6_output_head
CVE CVE-2022-27666
Exploit Pack CANVAS
Description linux_pipe_buffer
Notes CVE Name: CVE-2022-27666
VENDOR: Linux
NOTES: 'A heap buffer overflow flaw was found in IPsec ESP transformation
code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local
attacker with a normal user privilege to overwrite kernel heap objects
and may cause a local privilege escalation threat.' - Mitre desc.

This primitive allows an unprivileged user to trigger an out-of-bounds write
in an 8-page (0x8000 byte) buffer allocated in esp6_output_head.

With some heap feng shui, an unprivileged local user can use this flaw to gain
an arbitrary write primitive.

Using a common technique, overwriting `modprobe_path`, an attacker is able to
gain local privilege escalation by having arbitrary files run as root.

The vulnerable path was introduced in 2017 by commits cac2661c53f3 and 03e2a30f6a27,
and is now patched in stable branches.

NOTE: As this is a heap out-of-bounds write, there is a risk of corrupting the
wrong kernel structures, which can result in undefined behavior and/or kernel panics.

I've focused on reliability, to reduce the chances of a crash. The exploit may take
multiple attempts to succeed due to the non-deterministic nature of the heap.

The exploit was tested on:
- Ubuntu 21.10 x86_64 (5.13.0-25)

Currently supports:
Linux kernel 4.11+, 5.X-5.16 on x86_64

Versions Affected: Introduced in 4.11, 5.X and patched in early 2022.
Repeatability: Infinite
References: https://etenal.me/archives/1825

CVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27666
Date public: 23/03/2022
CVSS: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H