modules/exploits/linux/local/netfilter_xtables_heap_oob_write_priv_esc.rb Check Issues #19830

Open
h00die opened this issue Jan 23, 2025 · 3 comments

h00die commented Jan 23, 2025

modules/exploits/linux/local/netfilter_xtables_heap_oob_write_priv_esc.rb has a few issues.

  1. grsec, being handled in [guard Rex::Version.new against crashes on local modules #19813](https://github.com/rapid7/metasploit-framework/pull/19813)
  2. It seems to only run on Ubuntu, but it doesn't do an OS check. `get_sysinfo` could be used with the `:distro` key. On my Fedora 31 test box I'm seeing:

```
[msf](Jobs:2 Agents:1) exploit(linux/local/netfilter_xtables_heap_oob_write_priv_esc) > check
[*] The target is not exploitable. Ubuntu kernel 5.3.7-301.fc31.x86_64 #1 is not vulnerable.
```

@bcoles


bcoles commented Jan 23, 2025

> 1. grsec, being handled in [guard Rex::Version.new against crashes on local modules #19813](https://github.com/rapid7/metasploit-framework/pull/19813)

This part of the module worked fine when it was merged - someone has since broken the library, affecting many modules, not just this one.

This bug is in the library not the module. The bug should be fixed in the library.

> 2. It seems to only run on Ubuntu, but it doesn't do an OS check. `get_sysinfo` could be used with the `:distro` key.

The module does an OS check via the kernel version.

The issue is with the hard coded error string that presumes the system is Ubuntu.

"Ubuntu" should be removed from this message:

```ruby
return CheckCode::Safe("Ubuntu kernel #{version} is not vulnerable.") if !ubuntu_kernels.include? version
```

> @bcoles

Why am I tagged? I didn't write this module.


h00die commented Jan 23, 2025

Oops, read from the bottom up and just saw your name!


h00die commented Jan 23, 2025

@sjanusz-r7 wrote the module
