Add cls_route4 CVE-2022-2588 module (detect-only)
11th module. net/sched cls_route4 handle-zero dead UAF — discovered
by kylebot Aug 2022, fixed mainline 5.20 (commit 9efd23297cca).
Bug existed since 2.6.39 → very wide attack surface.
- modules/cls_route4_cve_2022_2588/iamroot_modules.{c,h}:
- kernel_range thresholds: 5.4.213 / 5.10.143 / 5.15.69 / 5.18.18 /
5.19.7 / mainline 5.20+
- can_unshare_userns() probes user_ns+net_ns clone availability
(the exploit's CAP_NET_ADMIN-in-userns gate)
- cls_route4_module_available() checks /proc/modules
- Reports VULNERABLE if kernel in range AND user_ns allowed;
PRECOND_FAIL if user_ns denied; OK if patched.
- Exploit stub returns IAMROOT_PRECOND_FAIL with reference to
kylebot's public PoC.
- Auditd rule: tc-style sendto syscalls (rough; legit traffic
shaping will trip — tune by user).
iamroot.c + Makefile + core/registry.h wired. CVES.md row added.
Verified on kctf-mgr (6.12.86): module reports OK, total module
count = 11.
This commit is contained in:
@@ -56,10 +56,15 @@ OVL_DIR := modules/overlayfs_cve_2021_3493
|
||||
OVL_SRCS := $(OVL_DIR)/iamroot_modules.c
|
||||
OVL_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(OVL_SRCS))
|
||||
|
||||
# Family: cls_route4 (CVE-2022-2588)
|
||||
CR4_DIR := modules/cls_route4_cve_2022_2588
|
||||
CR4_SRCS := $(CR4_DIR)/iamroot_modules.c
|
||||
CR4_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(CR4_SRCS))
|
||||
|
||||
# Top-level dispatcher
|
||||
TOP_OBJ := $(BUILD)/iamroot.o
|
||||
|
||||
ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) $(OVL_OBJS)
|
||||
ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) $(OVL_OBJS) $(CR4_OBJS)
|
||||
|
||||
.PHONY: all clean debug static help
|
||||
|
||||
|
||||
Reference in New Issue
Block a user