CVSSv2: 4.4

CVE-2018-18955

Published: 16/11/2018 Updated: 24/08/2020
CVSS v2 Base Score: 4.4 | Impact Score: 6.4 | Exploitability Score: 3.4
CVSS v3 Base Score: 7 | Impact Score: 5.9 | Exploitability Score: 1
VMScore: 506
Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

In the Linux kernel 4.15.x up to and including 4.19.x prior to 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

Vulnerable Products

linux linux kernel

canonical ubuntu linux 16.04

canonical ubuntu linux 18.10

canonical ubuntu linux 18.04

Vendor Advisories

Several security issues were fixed in the Linux kernel ...
A flaw was found in the Linux kernel where map_write() in kernel/user_namespace.c allows privilege escalation as it mishandles nested user namespaces with more than 5 UID or GID ranges. An unprivileged user with CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace. This is possible because a user ...

Exploits

#!/bin/sh # # EDB Note: Download ~ github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47167.zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses polkit technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.polkit.sh # [*] Compiling # [*] Creating /usr/share/polkit-1/action ...
#!/bin/sh # # EDB Note: Download ~ github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47166.zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses ld.so.preload technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.ldpreload.sh # [*] Compiling # [*] Adding libsubuid.so to /e ...
#!/bin/sh # # EDB Note: Download ~ github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47164.zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses crontab technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.cron.sh # [*] Compiling # [*] Writing payload to /tmp/payload # ...
#!/bin/sh # # EDB Note: Download ~ github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47165.zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses dbus service technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ ./exploit.dbus.sh # [*] Compiling # [*] Creating /usr/share/dbus-1/syst ...
commit 6397fac4915a ("userns: bump idmap limits to 340") increases the number of possible uid/gid mappings that a namespace can have from 5 to 340. This is implemented by switching to a different data structure if the number of mappings exceeds 5: instead of linear search over an unsorted array of struct uid_gid_extent, binary search over a sorted ...

Mailing Lists

This Metasploit module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installe ...

Metasploit Modules

Linux Nested User Namespace idmap Limit Local Privilege Escalation

This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).

msf > use exploit/linux/local/nested_namespace_idmap_limit_priv_esc
msf exploit(nested_namespace_idmap_limit_priv_esc) > show targets
    ...targets...
msf exploit(nested_namespace_idmap_limit_priv_esc) > set TARGET <target-id>
msf exploit(nested_namespace_idmap_limit_priv_esc) > show options
    ...show and set options...
msf exploit(nested_namespace_idmap_limit_priv_esc) > exploit

Github Repositories

Linux-Kernal-Exploits

Linux-Kernal-Exploits CVE-2018-18955 Detail: In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demons

Linux-Kernel-Exploits CVE-2018-18955 Detail: In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demons

yotjf TryHackMe - Year of the Jelly Fish. Adding IP to /etc/hosts: 34.248.251.102 robyns-petshop.thm, 34.248.251.102 monitorr.robyns-petshop.thm; export IP=34.248.251.102. Recon nmap scan: 21/tcp open ftp vsftpd 3.0.3; 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0); 80/tcp open http Apache httpd 2.4.29; 443/tcp open ssl/http Apache htt

1 Introduction: Metarget = meta- + target, a framework providing automatic construction of vulnerable infrastructures, used to deploy simple or complicated vulnerable cloud-native targets swiftly and automatically. 1.1 Why Metarget? During security research, we often find that deploying a vulnerable environment takes a lot of time, while the time spen

Localroot Compile

Localroot Exploit: This repository is a place where Localroot has been compiled and tested. Linux Kernel Exploit with Compile #CVE #Description #Kernels: Linux kernel XFRM Subsystem UAF [3.x - 5.x kernels] (Ubuntu 14.04 / 16.04 Server 4.4 LTS kernels, CentOS 8 4.18 kernels, Red Hat Enterprise Linux 4 4.18 kernels, Ubuntu 18.04 Server LTS 4.15 kernels) CVE-2020-72

Linux kernel EoP exp

linux-kernel-exploits Introduction: Building on the GitHub project github.com/SecWiki/linux-kernel-exploits, this adds privilege-escalation exploits from the last few years; information about each vulnerability is collected in the Readme.md of the corresponding vulnerability folder. During red-team engagements, the script github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh can be used to assess which privilege

linux-kernel-exploits Introduction: linux-kernel-exploits vulnerability list #CVE #Description #Kernels: CVE-2018-18955 [map_write() in kernel/user_namespace.c allows privilege escalation] (Linux kernel 4.15.x through 4.19.x before 4.19.2); CVE-2018-1000001 [glibc] (glibc <= 2.26); CVE-2017-1000367 [Sudo] (Sudo 1.8.6p7 - 1.8.20)

What's this: This project is mainly used to collect exploits for privilege escalation on the Linux platform, only to help penetration testers quickly achieve privilege escalation in real engagements. Information: CVE ID, Description, Kernels. CVE-2004-0077 Linux Kernel 2.4.20, 2.2.24, 2.4.25, 2.4.26, 2.4.27; CVE-2004-1235 Linux Kernel 2.4.29; CVE-2005-0736 Linux Kernel 2.6.5, 2.6.7,

Linux Elevation (continuously updated)

Linux Elevation: This project is for Linux Elevation. Vulnerable list #CVE #Description #Kernels: CVE-2020-9470 [Wing FTP Server 6.2.5 - Privilege Escalation]; CVE-2020-8635 [Wing FTP Server 6.2.3 - Privilege Escalation]; CVE-2020-8835 [Linux Kernel 5.4 or Linux Kernel 5.4]; CVE-2019-7304 [2.34.2ubuntu0.1 or 2.35.5+18.10.1]; CVE-2019-13272 [Linux kernel before 5.1.17]

linux-kernel-exploits: a collection of Linux platform privilege-escalation vulnerabilities

linux-kernel-exploits Introduction: linux-kernel-exploits vulnerability list #CVE #Description #Kernels: CVE-2018-18955 [map_write() in kernel/user_namespace.c allows privilege escalation] (Linux kernel 4.15.x through 4.19.x before 4.19.2); CVE-2018-1000001 [glibc] (glibc <= 2.26); CVE-2017-1000367 [Sudo] (Sudo 1.8.6p7 - 1.8.20)

Linux Elevation (continuously updated)

Linux Elevation: This project is for Linux Elevation. Vulnerable list #CVE #Description #Kernels: CVE-2021-3156 [Sudo 1.8.2 - 1.8.31p2, Sudo 1.9.0 - 1.9.5p1]; CVE-2020-9470 [Wing FTP Server 6.2.5 - Privilege Escalation]; CVE-2020-8635 [Wing FTP Server 6.2.3 - Privilege Escalation]; CVE-2020-8835 [Linux Kernel 5.4 or Linux Kernel 5.4]; CVE-2019-7304 [2.34.2ubuntu0.1 or 23