diff --git a/documentation/modules/exploit/linux/local/cve_2022_0995_watch_queue.md b/documentation/modules/exploit/linux/local/cve_2022_0995_watch_queue.md
index 4c08b89a08..9478296bc6 100644
--- a/documentation/modules/exploit/linux/local/cve_2022_0995_watch_queue.md
+++ b/documentation/modules/exploit/linux/local/cve_2022_0995_watch_queue.md
@@ -1,8 +1,10 @@
 ## Vulnerable Application
 
-This module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap
-out-of-bounds write in kernel memory. The exploit fails occasionally, but it does not crash the target and can be run
-multiple times until privilege escalation is achieved.
+This module exploits a vulnerability in the Linux Kernel's watch_queue event
+notification system. It relies on a heap out-of-bounds write in kernel memory.
+The exploit may fail on the first attempt so multiple attempts may be needed.
+Note that the exploit can potentially cause a denial of service if multiple
+failed attemps occur, however this is unlikely.
 
 ### Install
 
diff --git a/modules/exploits/linux/local/cve_2022_0995_watch_queue.rb b/modules/exploits/linux/local/cve_2022_0995_watch_queue.rb
index fa99ee2c0a..a705b94de9 100644
--- a/modules/exploits/linux/local/cve_2022_0995_watch_queue.rb
+++ b/modules/exploits/linux/local/cve_2022_0995_watch_queue.rb
@@ -21,12 +21,15 @@ class MetasploitModule < Msf::Exploit::Local
 info,
 'Name' => 'Watch Queue Out of Bounds Write',
 'Description' => %q{
- This module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap
- out-of-bounds write in kernel memory. The exploit fails occasionally, but it does not crash the target and can be run
- multiple times until privilege escalation is achieved.
+ This module exploits a vulnerability in the Linux Kernel's watch_queue event
+ notification system. It relies on a heap out-of-bounds write in kernel memory.
+ The exploit may fail on the first attempt so multiple attempts may be needed.
+ Note that the exploit can potentially cause a denial of service if multiple
+ failed attemps occur, however this is unlikely.
 },
 'License' => MSF_LICENSE,
 'Author' => [
+ 'Jann Horn', # discovery and poc
 'bonfee', # PoC
 'bwatters-r7' # Aka @tychos_moose, Metasploit Module
 ],
@@ -39,6 +42,7 @@ class MetasploitModule < Msf::Exploit::Local
 [ 'CVE', '2022-0995' ],
 [ 'URL', 'https://github.com/Bonfee/CVE-2022-0995' ],
 [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb' ],
+ [ 'URL', 'https://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html'],
 [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-0995' ]
 ],
 'Targets' => [
@@ -46,7 +50,7 @@ class MetasploitModule < Msf::Exploit::Local
 ],
 'DefaultTarget' => 0,
 'Notes' => {
- 'Reliability' => [ REPEATABLE_SESSION ],
+ 'Reliability' => [ UNRELIABLE_SESSION ], # Not expected to get a shell every time due to heap spray sometimes not working.
 'Stability' => [ CRASH_OS_DOWN ],
 'SideEffects' => [ ARTIFACTS_ON_DISK ]
 }
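Review bot: The new 'Description' text in the first hunk carries a typo, "attemps", in its last added line; this string is shown to users in `info` output, so it should read `failed attempts occur, however this is unlikely.`. The same sentence was added to the documentation file in this commit and has the same typo. As a style point, the new author comment `# discovery and poc` sits next to `# PoC` on the following entry; `# Discovery and PoC` would match the existing casing.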
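Review bot: The new packetstormsecurity reference in the second hunk is missing the space before the closing bracket, unlike every sibling entry in the 'References' array, which RuboCop's bracket-spacing check and a reader both notice; write it as `[ 'URL', 'https://packetstormsecurity.com/files/166770/Linux-watch_queue-Filter-Out-Of-Bounds-Write.html' ],`.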
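Review bot: The trailing comment appended to the new 'Reliability' line in the third hunk pushes that line well past the usual width once the module's indentation is counted, and it is the only 'Notes' entry with an end-of-line comment. Putting the explanation on its own line above the entry keeps the block aligned and still records why the reliability rating was lowered: `# Not expected to get a shell every time due to heap spray sometimes not working.` followed by `'Reliability' => [ UNRELIABLE_SESSION ],`. The 'Notes' hash itself closes at the end of this hunk, so nothing else needs to move.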
@@ -98,7 +102,7 @@ class MetasploitModule < Msf::Exploit::Local
 def check
 # Vulnerable versions are under 5.17:rc8
- # This module only has offsets for 5.17.0-37
+ # This module only has offsets for 5.13.0-37
 vulnerable_version = Rex::Version.new('5.17.0')
 major_version = pull_version[0]
 if major_version <= vulnerable_version