the-z-labs / linux-exploit-suggester
Linux privilege escalation auditing tool
License: GNU General Public License v3.0
I have come across a similar shell script that's also designed to find exploits, although it uses an online database to find exploits.
It may be worth copying some of the code from it so linux-exploit-suggester can also use the online database.
The OS check fails on Fedora systems causing potential exploit candidates to be skipped.
[user@localhost linux-exploit-suggester]$ ./linux-exploit-suggester.sh --userspace-only
Available information:
Kernel version: 3.19.8
Architecture: x86_64
Distribution: fedora
Distribution version: 20
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: N/A
Searching among:
0 kernel space exploits
0 user space exploits
Possible Exploits:
Can you please list all the currently supported CVEs in the README or wiki so it is easier to submit or request missing exploits.
Because at the moment it's hard to know what's missing and what should be added.
Thanks
system info:
www-data@openadmin:/tmp$ uname -a
Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
www-data@openadmin:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic
les version: today
les output:
www-data@openadmin:/tmp$ bash les.sh
bash les.sh
Available information:
Kernel version: 4.15.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 18.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
73 kernel space exploits
43 user space exploits
Possible Exploits:
cat: write error: Broken pipe
[+] [CVE-2018-18955] subuid_shell
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
Exposure: probable
Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
Comments: CONFIG_USER_NS needs to be enabled
[+] [CVE-2017-0358] ntfs-3g-modprobe
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
Exposure: less probable
Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
Problem:
Please note the line after: "Possible Exploits:"
cat: write error: Broken pipe
There seem to be more exploits, but something goes wrong
For example, CVE-2019-13272 PTRACE_TRACEME should be appropriate but is not displayed
On running in a certain case, CVE-2021-3156 is recommended.
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
GLIBC version
ldd --version | grep GLIBC
ldd (Ubuntu GLIBC 2.23-0ubuntu3) 2.23
CVE-2021-3156 requires libc 2.26+ as shown over at https://github.com/worawit/CVE-2021-3156/blob/main/exploit_nss.py#L112
As such, this should never have been recommended.
Can you please add the option to log all potential exploits to a log file in the same directory.
Thanks
I just cloned the git repository (as of HEAD at commit 65589f8) and the script seems to abort in the midst of execution as follows on an up-to-date RHEL7, rebooted into the most recent kernel:
$ ./linux-exploit-suggester.sh
Available information:
Kernel version: 3.10.0
Architecture: x86_64
Distribution: RHEL
Distribution version: 7.8
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
74 kernel space exploits
45 user space exploits
Possible Exploits:
[…]
[+] [CVE-2019-18634] sudo pwfeedback
Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
Exposure: less probable
Tags: mint=19
Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
Comments: sudo configuration requires pwfeedback to be enabled.
Both 'src-url' and 'exploit-db' entries are empty for '\e[1;32m[CVE-2019-15666]\e[0m XFRM_UAF' exploit - fix that. Aborting.
So it seems as if the software expects some constraints which the internal database entry for CVE-2019-15666 can't fulfill.
(The unparsed ANSI sequences show up on the terminal as above — uninterpreted. Not sure if this is on purpose.)
The script does not detect this vulnerability:
https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability
Several exploits are missing the green text color.
$ grep "Name:" linux-exploit-suggester.sh | fgrep -v grn
Name: [CVE-2015-9322] BadIRET (DoS)
Name: [CVE-2011-1485] pkexec
Name: [CVE-2014-0476] chkrootkit
Not sure if this is intentional - if there's perhaps some undocumented unspoken color coding convention.
First of all, thank you for this amazing tool. I want a small correction to the exploit download page suggested by linux-exploit-suggester for Dirty Cow 2, https://www.exploit-db.com/exploits/40847.cpp: the page returns status 404. I want the tool to suggest the new download page, i.e. https://www.exploit-db.com/exploits/40847, as it has moved permanently.
You may refer to the attachments.
When /tmp is not writable but /www/tmp is: I downloaded linux-exploit-suggester to /www/tmp and ran it:
bash-4.2$ bash les.sh
les.sh: line 81: cannot create temp file for here-document: No such file or directory
les.sh: line 92: cannot create temp file for here-document: No such file or directory
les.sh: line 101: cannot create temp file for here-document: No such file or directory
les.sh: line 110: cannot create temp file for here-document: No such file or directory
les.sh: line 119: cannot create temp file for here-document: No such file or directory
les.sh: line 128: cannot create temp file for here-document: No such file or directory
les.sh: line 137: cannot create temp file for here-document: No such file or directory
les.sh: line 146: cannot create temp file for here-document: No such file or directory
les.sh: line 155: cannot create temp file for here-document: No such file or directory
les.sh: line 165: cannot create temp file for here-document: No such file or directory
les.sh: line 174: cannot create temp file for here-document: No such file or directory
les.sh: line 183: cannot create temp file for here-document: No such file or directory
les.sh: line 193: cannot create temp file for here-document: No such file or directory
les.sh: line 202: cannot create temp file for here-document: No such file or directory
les.sh: line 212: cannot create temp file for here-document: No such file or directory
les.sh: line 224: cannot create temp file for here-document: No such file or directory
les.sh: line 235: cannot create temp file for here-document: No such file or directory
les.sh: line 246: cannot create temp file for here-document: No such file or directory
les.sh: line 256: cannot create temp file for here-document: No such file or directory
les.sh: line 266: cannot create temp file for here-document: No such file or directory
les.sh: line 275: cannot create temp file for here-document: No such file or directory
les.sh: line 284: cannot create temp file for here-document: No such file or directory
les.sh: line 293: cannot create temp file for here-document: No such file or directory
...
[CONTINUE]
...
Available information:
Kernel version: [REDACTED]
Architecture: x86_64
Distribution: RHEL
Distribution version:
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
71 kernel space exploits
39 user space exploits
Possible Exploits:
les.sh: line 2224: cannot create temp file for here-document: No such file or directory
les.sh: line 2241: cannot create temp file for here-document: No such file or directory
les.sh: line 2224: cannot create temp file for here-document: No such file or directory
les.sh: line 2241: cannot create temp file for here-document: No such file or directory
les.sh: line 2224: cannot create temp file for here-document: No such file or directory
les.sh: line 2241: cannot create temp file for here-document: No such file or directory
les.sh: line 2224: cannot create temp file for here-document: No such file or directory
les.sh: line 2241: cannot create temp file for here-document: No such file or directory
les.sh: line 2224: cannot create temp file for here-document: No such file or directory
...
[CONTINUE]
...
However I ran https://github.com/jondonas/linux-exploit-suggester-2 and https://github.com/rebootuser/LinEnum without problem.
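The "cannot create temp file for here-document" errors above come from the shell itself: bash (before 5.1, which switched to pipes for small here-documents) writes each here-document to a temporary file under $TMPDIR, defaulting to /tmp, so a non-writable /tmp breaks every `cat <<EOF` block in the script. The helper below is an added example, not code from linux-exploit-suggester or from the issue author; it picks a writable directory and confirms a file can really be created there, so the script can be run with TMPDIR pointing at it (the /www/tmp path is the one from the issue, the rest are generic candidates).

```bash
#!/usr/bin/env bash
# Added example (not part of linux-exploit-suggester): choose a temporary
# directory that bash can use for here-documents when /tmp is not writable.

# Prints the first existing, writable directory among $TMPDIR, /tmp,
# /var/tmp, /dev/shm and any extra directories passed as arguments.
pick_tmpdir() {
    local d
    for d in "${TMPDIR:-}" /tmp /var/tmp /dev/shm "$@"; do
        [ -n "$d" ] || continue
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Confirms that a file can actually be created in the directory: "-w" can
# pass on a read-only mount, so create a probe file and remove it again.
tmpdir_usable() {
    local probe="$1/.les-probe.$$"
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# Usage (hypothetical path from the issue):
#   TMPDIR=$(pick_tmpdir /www/tmp) bash les.sh
```

`pick_tmpdir` honours an already exported TMPDIR first, so an operator who knows the right location can simply set it; the probe in `tmpdir_usable` is what distinguishes a directory that merely looks writable from one the shell can really use.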
Don't have time to debug, but this occurs on Kernel 2.6.18-53 with CentOS 5
sh-3.1$ bash ./linux-exploit-suggester.sh
Kernel version: 2.6.18
Architecture: i386
Distribution: redhat
Package list: from current OS
Possible Exploits:
./linux-exploit-suggester.sh: line 1379: syntax error in conditional expression: unexpected token `|'
./linux-exploit-suggester.sh: line 1379: syntax error near `|t'
./linux-exploit-suggester.sh: line 1379: ` elif [[ "$src_url" =~ ^.*tgz|tar.gz|zip$ && -n "$EXPLOIT_DB" ]]; then'
sh-3.1$
Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.
https://inventory.rawsec.ml/tools.html#linux-exploit-suggester.sh
An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.
More details about features here.
Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.
Mainly because this is giving visibility to your tool, more and more people are using Rawsec's CyberSecurity Inventory, which helps them find what they need.
The badge shows your community that you are inventoried. This also shows you care about your project and want it to grow, and that your tool is not abandonware.
Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges. It looks like that, but there are several styles available.
If you want to thank us, you can help make the project better known by tweeting about it! For example:
That's all, this message is just to notify you if you care.
Hi there.
First of all, I would like to thank you for this awesome tool.
May I check if you encounter any issue running this script?
I got this error when I tried running it on some PWK machines.
./linux-exploit-suggester.sh: line 988: mapfile: command not found
I have attached screenshot below for your reference.
Thank you!
$ ./les.sh
Script needs Bash in version 4.0 or newer. Aborting.
It says LES supports only bash 4.0+ and I was running it on bash 3.1 so I understand.
But on #3 you said
To avoid these kind of errors I've added bash version checking on script's startup. 4.0 is needed for associative arrays, =~ operator was added in 3.* so we should be good now.
So finally 3.* is not supported?
Idk, I'm sure how I'm supposed to write any of this or what way I'm supposed to write it 😩
It appears the kernel version check for CVE-2017-16995 is incorrect.
As an example, on a vulnerable Linux Mint 18 kernel 4.4.0-116-generic system:
user@mint-18 ~/Desktop/linux-exploit-suggester $ uname -r
4.4.0-116-generic
user@mint-18 ~/Desktop/linux-exploit-suggester $ git diff linux-exploit-suggester.sh
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./linux-exploit-suggester.sh | grep 2017-16995
user@mint-18 ~/Desktop/linux-exploit-suggester $ fg
vi linux-exploit-suggester.sh
[1]+ Stopped vi linux-exploit-suggester.sh
user@mint-18 ~/Desktop/linux-exploit-suggester $ git diff linux-exploit-suggester.sh
diff --git a/linux-exploit-suggester.sh b/linux-exploit-suggester.sh
index e9c88d4..cad912c 100755
--- a/linux-exploit-suggester.sh
+++ b/linux-exploit-suggester.sh
@@ -688,7 +688,7 @@ EOF
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-16995]${txtrst} eBPF_verifier
-Reqs: pkg=linux-kernel,ver>=4.9,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
+Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
Tags: ubuntu=16.04.4(kernel:4.4.0-116)
analysis-url: https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
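Review bot: the lower bound change from ver>=4.9 to ver>=4.4 in the Reqs line makes it consistent with the Tags line, which already lists ubuntu=16.04.4(kernel:4.4.0-116) and therefore contradicted the old bound, but the hunk cites no source for the wider range; add the reference for the 4.4 lower bound next to analysis-url or in Comments. Note also that the base-version check alone will now flag every 4.4 through 4.8 kernel, including distribution kernels that have backported the fix, so the distribution-specific Tags entry should remain the primary signal and the Comments line could state that 4.4.0-116 is the tested ABI and later ABIs need manual verification.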
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./linux-exploit-suggester.sh | grep 2017-16995
[+] [CVE-2017-16995] eBPF_verifier
Details: https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor
The 4.4.0-116-generic kernel on Ubuntu and Linux Mint is confirmed vulnerable to the exploit:
user@mint-18 ~/Desktop/linux-exploit-suggester $ wget 'https://www.exploit-db.com/download/44298'
--2018-03-25 15:32:03-- https://www.exploit-db.com/download/44298
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6021 (5.9K) [application/txt]
Saving to: '44298'
44298 100%[=====================================================>] 5.88K --.-KB/s in 0s
2018-03-25 15:32:04 (1.06 GB/s) - '44298' saved [6021/6021]
user@mint-18 ~/Desktop/linux-exploit-suggester $ mv 44298 44298.c
user@mint-18 ~/Desktop/linux-exploit-suggester $ gcc 44298.c
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./a.out
task_struct = ffff880036c23800
uidptr = ffff880038381c04
spawning root shell
mint-18 linux-exploit-suggester # id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),130(sambashare),1000(user)
It seems there is some confusion over the CVEs. For example, the following sources provide conflicting information on the affected kernels:
Regardless, the specified exploit works on the 4.4 kernel.
https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c
I'm maintaining an updated exploit in the cve-2017-7308 branch of my fork of xairy's exploit.
I've added new offsets, new KASLR bypasses, additional pre-exploitation checks, and networking support for post-exploitation.
I'm not sure if you want to trust my code; and Xairy should get the credit. Perhaps the alternate link could be added to the comments, rather than replacing the existing src-url?
I suppose that the line 1790 should look like this:
pkgVersion=$(echo "$pkg" | grep -E -i -o -e '-[\.0-9\+:p]+[-\+]*' | cut -d':' -f2 | sed 's/[\+-]//g' | sed 's/p[0-9]//g')
or
pkgVersion=$(echo "$pkg" | grep -E -i -o -e '-[\.0-9\+:p]+' | cut -d':' -f2 | sed 's/[\+-]//g' | sed 's/p[0-9]//g')
Since the "ntfs-3g-1:2016.2.22AR.1-3" package is not detected otherwise.
However, the package “mysql-server-5.6.30-1” is still not detected. But if we replace "Reqs: pkg=mysql-server|mariadb-server,ver<5.5.52" with "Reqs: pkg=mysql-server|mariadb-server"
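The two package strings in this issue, "ntfs-3g-1:2016.2.22AR.1-3" and "mysql-server-5.6.30-1", show why scanning for the first "-digit" is fragile: the name ntfs-3g itself contains one. The following is an added example, not code from linux-exploit-suggester or the proposed grep pipeline; it assumes rpm-style "name-[epoch:]version-release" strings (as both examples are) and splits them from the right, then compares dotted versions field by field. The same version comparison covers the point made in the CVE-2021-3156 report above, where a glibc 2.23 system was flagged although the exploit needs 2.26 or newer. The check_req helper is hypothetical and handles only the "ver<" operator.

```bash
#!/usr/bin/env bash
# Added example (not part of linux-exploit-suggester): parse rpm-style
# "name-[epoch:]version-release" strings from the right, so hyphens inside
# the package name (ntfs-3g) are never mistaken for the version separator.

# Prints the package name: everything before "-[epoch:]version-release".
pkg_name() {
    local without_release="${1%-*}"        # drop the trailing "-release"
    printf '%s\n' "${without_release%-*}"  # drop "-[epoch:]version"
}

# Prints the upstream version with any "epoch:" prefix removed.
pkg_version() {
    local without_release version
    case $1 in
        *-*-*) ;;                          # need at least name-version-release
        *) return 1 ;;
    esac
    without_release="${1%-*}"              # "ntfs-3g-1:2016.2.22AR.1"
    version="${without_release##*-}"       # "1:2016.2.22AR.1"
    printf '%s\n' "${version#*:}"          # "2016.2.22AR.1"
}

# Returns 0 when dotted version $1 is numerically lower than $2.
# Each field is compared as an integer after its first non-digit and
# everything following it are dropped ("22AR" counts as 22, "21p2" as 21);
# a missing field counts as 0.
version_lt() {
    local i=1 fa fb
    while :; do
        fa=$(printf '%s.\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        fb=$(printf '%s.\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        if [ -z "$fa" ] && [ -z "$fb" ]; then
            return 1                       # ran out of fields: equal, not lower
        fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
}

# Hypothetical requirement check: does installed package string $3 satisfy
# "pkg=$1,ver<$2"? Prints "match" or "no match".
check_req() {
    local want_name=$1 max_version=$2 installed=$3 name version
    name=$(pkg_name "$installed")
    version=$(pkg_version "$installed") || { printf 'no match\n'; return 0; }
    if [ "$name" = "$want_name" ] && version_lt "$version" "$max_version"; then
        printf 'match\n'
    else
        printf 'no match\n'
    fi
}
```

With this split, mysql-server-5.6.30-1 yields version 5.6.30, which is not below 5.5.52, so a "ver<5.5.52" requirement correctly excludes it rather than failing to parse it; and version_lt 2.23 2.26 returns true, which is the test that would have kept the CVE-2021-3156 entry out of the report above.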
The exploit has a typo in its name.
It should be mempodipper instead of memodipper:
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0056]${txtrst} **memodipper**
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=3.1.0
Tags: ubuntu=(10.04|11.10){kernel:3.0.0-12-(generic|server)}
Rank: 1
analysis-url: https://git.zx2c4.com/CVE-2012-0056/about/
src-url: https://git.zx2c4.com/CVE-2012-0056/plain/**mempodipper**.c
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper64
exploit-db: 18411
EOF
)
I was hoping to add the somewhat recent OverlayFS bug, but am having trouble getting this working as I would expect. I think the root of the problem could just be that this script doesn't do a great job with Ubuntu's crazy kernel scheme of putting the minor version after a dash.
I added the following:
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2023-0386]${txtrst} OverlayFS FuseFS SetUID Copy
Reqs: pkg=linux-kernel,ver<5.15.70
Tags: ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*}
Rank: 1
analysis-url: https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/#check-if-your-system-is-vulnerable
src-url: https://github.com/xkaneiki/CVE-2023-0386
Comments:
author: vulnerability discovery: Red Hat
EOF
)
But when I run it on my updated VM, it still says highly probable. That being said, a lot of other kernel checks say it's vulnerable.
uname output:
Linux ubuntu 5.15.0-73-generic #80~20.04.1-Ubuntu SMP Wed May 17 14:58:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
LES Output:
Available information:
Kernel version: 5.15.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 20.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
82 kernel space exploits
49 user space exploits
Possible Exploits:
[+] [CVE-2023-0386] OverlayFS FuseFS SetUID Copy
Details: https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/#check-if-your-system-is-vulnerable
Exposure: highly probable
Tags: [ ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*} ]
Download URL: https://github.com/xkaneiki/CVE-2023-0386
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: probable
Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: probable
Tags: [ ubuntu=(20.04|21.04) ],debian=11
Download URL: https://haxx.in/files/dirtypipez.c
...
If I change the tag so it is not Ubuntu 20.04, the exploit moves from highly probable to less probable. Am I doing it correctly? I figured ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*} would not match my uname of 5.15.0-73-generic.
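Two things in the output above explain the result. The script reports the kernel as 5.15.0, which is below the ver<5.15.70 bound in the Reqs line, so that bound cannot distinguish a patched Ubuntu 5.15.0-NN kernel from an unpatched one; and the kernel part of the tag ends in "*", which makes the whole ABI group optional, so "5.15.0-" alone satisfies it. The block below is an added example, not code from linux-exploit-suggester or from the issue author. It assumes the tag is applied as an unanchored extended regular expression (the script's matching code is not shown on this page), checks the pattern from the issue and a tightened hypothetical variant with grep -E, and extracts the Ubuntu ABI number after the dash so it can be compared numerically.

```bash
#!/usr/bin/env bash
# Added example (not part of linux-exploit-suggester): why the issue's tag
# pattern matches 5.15.0-73-generic, and how to test the Ubuntu ABI number
# (the part after the first dash) as an integer instead.

# Pattern copied from the issue. The trailing '*' makes the whole group
# optional, so the prefix "5.15.0-" alone is enough for a match.
ISSUE_PATTERN='5.15.0-([0-9]-|[0-6][0-9]-|70-)*'

# Hypothetical tightened pattern: anchored, dots escaped, exactly one ABI
# group, followed by the "-" that precedes the flavour (generic, aws, ...).
FIXED_PATTERN='^5\.15\.0-([0-9]|[0-6][0-9]|70)-'

# Returns 0 when the kernel release string $1 matches the ERE $2.
kernel_matches() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# Prints the Ubuntu ABI number of a release such as 5.15.0-73-generic (73).
# Fails for a bare upstream version with no dash.
kernel_abi() {
    local rest
    case $1 in
        *-*) ;;
        *) return 1 ;;
    esac
    rest="${1#*-}"                 # "73-generic"
    printf '%s\n' "${rest%%-*}"    # "73"
}

# Returns 0 when the ABI number of $1 is below the threshold $2. The
# issue's pattern treats ABIs up to 70 as affected; the real fix point has
# to come from the distribution's advisory, not from this example.
abi_below() {
    local abi
    abi=$(kernel_abi "$1") || return 1
    [ "$abi" -lt "$2" ]
}
```

Running kernel_matches with ISSUE_PATTERN against 5.15.0-73-generic succeeds, which is the "highly probable" result seen above; FIXED_PATTERN rejects it and accepts 5.15.0-69-generic. For tools that only see the 5.15.0 base version, abi_below is the check that actually carries the information Ubuntu puts after the dash.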
The ExploitDB binsploits repo appears to have been migrated to https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/9436.tgz, so currently the binsploits download links in linux-exploit-suggester are broken.
Hi, I think CONFIG_CC_STACKPROTECTOR has been superseded by CONFIG_CC_STACKPROTECTOR_AUTO
https://outflux.net/blog/archives/2018/04/12/security-things-in-linux-v4-16/
https://patchwork.kernel.org/patch/9981173/
This is what I get in 4.16.6-1 (ARCH):
zgrep STACKPROTECTOR /proc/config.gz
CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_AUTO=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
# CONFIG_CC_STACKPROTECTOR_STRONG is not set
And this in Ubuntu 16.04:
grep STACKPROTECTOR /boot/config-4.13.0-39-generic
CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
grep STACKPROTECTOR /boot/config-4.4.0-121-generic
CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
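The two config listings above show the practical problem: a check that greps only for CONFIG_CC_STACKPROTECTOR=y reports the 4.16 Arch kernel as unprotected although CONFIG_CC_STACKPROTECTOR_AUTO=y is set, while CONFIG_HAVE_CC_STACKPROTECTOR=y appears in both and only says the compiler supports the feature. The following is an added example, not code from linux-exploit-suggester or from the issue author. It accepts the option names shown in the issue plus the CONFIG_STACKPROTECTOR and CONFIG_STACKPROTECTOR_STRONG names that kernels from 4.18 onward use, and it ignores the HAVE_ capability line. The embedded config fragments are constructed from the outputs in the issue; the third one, with the protector disabled, is made up for contrast.

```bash
#!/usr/bin/env bash
# Added example (not part of linux-exploit-suggester): report whether a
# kernel config enables the stack protector under any of the option names
# used across kernel versions.

# Constructed from the 4.16.6-1 Arch output in the issue.
ARCH_4_16_CONFIG='CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_AUTO=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
# CONFIG_CC_STACKPROTECTOR_STRONG is not set'

# Constructed from the Ubuntu 16.04 4.4.0-121-generic output in the issue.
UBUNTU_4_4_CONFIG='CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y'

# Constructed example of a kernel built with the protector turned off.
NONE_CONFIG='CONFIG_HAVE_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR is not set
CONFIG_CC_STACKPROTECTOR_NONE=y'

# Reads a kernel config on stdin and prints "enabled" or "disabled".
# Matches CONFIG_CC_STACKPROTECTOR, CONFIG_CC_STACKPROTECTOR_STRONG,
# CONFIG_CC_STACKPROTECTOR_REGULAR, CONFIG_CC_STACKPROTECTOR_AUTO,
# CONFIG_STACKPROTECTOR and CONFIG_STACKPROTECTOR_STRONG when set to y.
# CONFIG_HAVE_CC_STACKPROTECTOR is deliberately not counted, and a
# "_NONE=y" line does not match because of the "=y$" anchor.
stackprotector_status() {
    if grep -Eq '^CONFIG_(CC_)?STACKPROTECTOR(_STRONG|_REGULAR|_AUTO)?=y$'; then
        printf 'enabled\n'
    else
        printf 'disabled\n'
    fi
}

# Checks the running kernel: /proc/config.gz first, then the /boot file
# for the running release, as in the commands quoted in the issue.
running_kernel_stackprotector() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | stackprotector_status
    elif [ -r "/boot/config-$(uname -r)" ]; then
        stackprotector_status < "/boot/config-$(uname -r)"
    else
        printf 'unknown\n'
    fi
}
```

The single regular expression is the whole fix: the optional CC_ prefix and the optional suffix group cover the renames, and anchoring on "=y$" keeps commented-out and "_NONE=y" lines from counting as enabled.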
linux-exploit-suggester contains the following for double-fdput (CVE-2016-4557):
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-4557]${txtrst} double-fdput()
Reqs: pkg=linux-kernel,ver>=4.4,ver<4.5.5,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
Tags: ubuntu=16.04(kernel:4.4.0-62)
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
src-url: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
exploit-db: 40759
author: Jann Horn
EOF
)
Tags: ubuntu=16.04(kernel:4.4.0-62) is inaccurate, as Ubuntu claims the issue was resolved in 4.4.0-22 and exploit-db shows the exploit was tested on Ubuntu kernel 4.4.0-21.
Additionally, src-url: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552 is invalid, as direct URLs for attachments on the Chromium bug tracker return an HTTP 400 error unless a signed_aid parameter is provided.
https://github.com/bcoles/kernel-exploits/blob/cve-2017-1000112/CVE-2017-1000112/poc.c
I'm maintaining an updated exploit in the cve-2017-1000112 branch of my fork of xairy's exploit.
I've added new offsets, new KASLR bypasses, support for Linux Mint distros (17 and 18), and networking support for post-exploitation.
I'm not sure if you want to trust my code; and Xairy should get the credit. Perhaps the alternate link could be added to the comments, rather than replacing the existing src-url?
After updating my OS I run the script again and it shows me some CVEs. Does this mean my OS is still vulnerable?