Linux version 4.19.91-20211117175159.ff8219c.al7.x86_64 (root@fbba8dd77f8f) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)) #1 SMP Wed Nov 17 09:57:56 UTC 2021
./exploit
fuse: device not found, try 'modprobe fuse' first
[*] Opening ext4 filesystem
fsopen: Remember to unshare
The exploit uses the fuse technique and requires user namespaces (kernel.unprivileged_userns_clone = 1) as per the writeup.
Also, the exploit_fuse.c exploit only targets Ubuntu 5.x kernels based on mainline kernel versions 5.7 and higher.
This bug has been present since 5.1-rc1. It's important to note that you need the CAP_SYS_ADMIN capability to trigger it, but the permission only needs to be granted in the CURRENT NAMESPACE.
The non-kctf version (fuse version) specifically targets Ubuntu with kernel version 5.11.0-44. It does not directly return a root shell, but makes /bin/bash suid, which will lead to trivial privilege escalation. Adjusting the `single_start` and `modprobe_path` offsets should allow it to work on most other Ubuntu versions that have kernel version 5.7 or higher; for versions between 5.1 and 5.7, the spray will need to be improved as in the kctf version. The exploitation strategy relies on FUSE and SYSVIPC elastic objects to achieve arbitrary write.
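The replies above boil the preconditions down to three things: a kernel at or above 5.1-rc1, user namespaces reachable by an unprivileged user, and CAP_SYS_ADMIN inside that namespace. The script below is an added triage check, not part of this repository, that turns those two host-visible conditions into a yes/no for an administrator deciding whether a machine needs patching. It assumes the Debian/Ubuntu sysctl path /proc/sys/kernel/unprivileged_userns_clone named in the replies and, as a labelled heuristic on kernels without that patch, falls back to user.max_user_namespaces; the 5.11.0-44 release string is constructed in Ubuntu style, and the 5.1 lower bound is taken from the reply above. Run against the 4.19 kernel in this thread it reports the kernel outside the affected range, which matches why the exploit stops at fsopen.

```python
import os
import re
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample inputs: the release string the reporter posted, plus an
# Ubuntu-style release name (assumption) for the 5.11.0-44 kernel the replies target.
SAMPLE_RELEASES = {
    "reporter": "4.19.91-20211117175159.ff8219c.al7.x86_64",
    "target": "5.11.0-44-generic",
}

# Lower bound per the reply above: the bug was introduced in 5.1-rc1.
AFFECTED_SINCE = (5, 1)
# Kernels the unmodified fuse variant claims to handle (offsets still need adjusting).
FUSE_VARIANT_SINCE = (5, 7)

# Sysctl knobs consulted; the first is the Debian/Ubuntu patch named in the replies.
CLONE_KNOB = Path("/proc/sys/kernel/unprivileged_userns_clone")
MAX_NS_KNOB = Path("/proc/sys/user/max_user_namespaces")


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` string such as
    '4.19.91-20211117175159.ff8219c.al7.x86_64' or '5.1.0-rc1'.
    Build ids, distro suffixes and the arch after the numeric triple are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def in_affected_range(release: str) -> bool:
    """True when major.minor is at or above the 5.1 introduction point.
    No upper bound is applied: whether a given 5.x build is patched must be
    checked against the distro's own security advisories."""
    return parse_kernel_release(release)[:2] >= AFFECTED_SINCE


def userns_state_from_values(clone: Optional[str], max_ns: Optional[str]) -> Optional[bool]:
    """Decide whether unprivileged user namespaces are allowed from the raw
    sysctl contents. `clone` is kernel.unprivileged_userns_clone (authoritative
    where present); `max_ns` is user.max_user_namespaces, used only as a
    heuristic fallback (0 disables namespace creation entirely). None means
    neither knob was readable, so the check is inconclusive."""
    if clone is not None:
        return clone.strip() == "1"
    if max_ns is not None:
        return int(max_ns.strip()) > 0
    return None


def read_sysctl(path: Path) -> Optional[str]:
    """Return the file's text, or None when the knob does not exist on this kernel."""
    try:
        return path.read_text()
    except OSError:
        return None


def assess(release: str, clone: Optional[str], max_ns: Optional[str]) -> dict:
    """Combine kernel version and namespace policy into one triage verdict."""
    version = parse_kernel_release(release)
    userns = userns_state_from_values(clone, max_ns)
    affected = version[:2] >= AFFECTED_SINCE
    return {
        "release": release,
        "version": version,
        "kernel_in_affected_range": affected,
        "fuse_variant_applies": version[:2] >= FUSE_VARIANT_SINCE,
        "unprivileged_userns": userns,
        # Exposed only when both preconditions the replies describe hold;
        # an inconclusive userns check (None) is reported, not treated as safe.
        "exposed": affected and userns is True,
    }


def assess_host() -> dict:
    """Run the check against the live machine (Linux only)."""
    return assess(os.uname().release, read_sysctl(CLONE_KNOB), read_sysctl(MAX_NS_KNOB))


if __name__ == "__main__":
    # Constructed sysctl values: the reporter's box with userns enabled, as in the thread.
    for name, rel in SAMPLE_RELEASES.items():
        print(name, assess(rel, clone="1", max_ns=None))
    if os.name == "posix" and hasattr(os, "uname"):
        print("host", assess_host())
```

On the reporter's 4.19.91 kernel the verdict is `kernel_in_affected_range: False`, so `exposed` is False regardless of the namespace setting; on the 5.11.0-44 target with `unprivileged_userns_clone = 1` both flags are True. Treat a True verdict as "check the vendor patch state", not as proof of exploitability, since the script does not know which distro builds carry the fix.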
Linux version 4.19.91-20211117175159.ff8219c.al7.x86_64 (root@fbba8dd77f8f) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)) #1 SMP Wed Nov 17 09:57:56 UTC 2021
[*] Spraying kmalloc-32
[*] Opening ext4 filesystem
fsopen: Remember to unshare