leviathan
3ad1446489
11th module. net/sched cls_route4 handle-zero dead UAF — discovered
by kylebot Aug 2022, fixed mainline 5.20 (commit 9efd23297cca).
Bug existed since 2.6.39 → very wide attack surface.
- modules/cls_route4_cve_2022_2588/iamroot_modules.{c,h}:
- kernel_range thresholds: 5.4.213 / 5.10.143 / 5.15.69 / 5.18.18 /
5.19.7 / mainline 5.20+
- can_unshare_userns() probes user_ns+net_ns clone availability
(the exploit's CAP_NET_ADMIN-in-userns gate)
- cls_route4_module_available() checks /proc/modules
- Reports VULNERABLE if kernel in range AND user_ns allowed;
PRECOND_FAIL if user_ns denied; OK if patched.
- Exploit stub returns IAMROOT_PRECOND_FAIL with reference to
kylebot's public PoC.
- Auditd rule: tc-style sendto syscalls (rough; legit traffic
shaping will trip — tune by user).
iamroot.c + Makefile + core/registry.h wired. CVES.md row added.
Verified on kctf-mgr (6.12.86): module reports OK, total module
count = 11.
13 lines
238 B
C
13 lines
238 B
C
/*
|
|
* cls_route4_cve_2022_2588 — IAMROOT module registry hook
|
|
*/
|
|
|
|
#ifndef CLS_ROUTE4_IAMROOT_MODULES_H
|
|
#define CLS_ROUTE4_IAMROOT_MODULES_H
|
|
|
|
#include "../../core/module.h"
|
|
|
|
extern const struct iamroot_module cls_route4_module;
|
|
|
|
#endif
|