4.4
CVSSv2

CVE-2018-18955

Published: 16/11/2018 Updated: 24/08/2020
CVSS v2 Base Score: 4.4 | Impact Score: 6.4 | Exploitability Score: 3.4
CVSS v3 Base Score: 7 | Impact Score: 5.9 | Exploitability Score: 1
VMScore: 467
Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

In the Linux kernel 4.15.x up to and including 4.19.x prior to 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

linux linux kernel

canonical ubuntu linux 16.04

canonical ubuntu linux 18.04

canonical ubuntu linux 18.10

Vendor Advisories

Several security issues were fixed in the Linux kernel ...
Several security issues were fixed in the Linux kernel ...
Several security issues were fixed in the Linux kernel ...
Several security issues were fixed in the Linux kernel ...
Several security issues were fixed in the Linux kernel ...
A flaw was found in the Linux kernel where map_write() in kernel/user_namespacec allows privilege escalation as it mishandles nested user namespaces with more than 5 UID or GID ranges An unprivileged user with CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace This is possible because a user ...

Exploits

This Metasploit module exploits a vulnerability in Linux kernels 4150 to 41818, and 4190 to 4191, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955) The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installe ...
#!/bin/sh # # EDB Note: Download ~ githubcom/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47164zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses crontab technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ /exploitcronsh # [*] Compiling # [*] Writing payload to /tmp/payload # ...
commit 6397fac4915a ("userns: bump idmap limits to 340") increases the number of possible uid/gid mappings that a namespace can have from 5 to 340 This is implemented by switching to a different data structure if the number of mappings exceeds 5: Instead of linear search over an unsorted array of struct uid_gid_extent, binary search over a sorted ...
#!/bin/sh # # EDB Note: Download ~ githubcom/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47166zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses ldsopreload technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ /exploitldpreloadsh # [*] Compiling # [*] Adding libsubuidso to /e ...
#!/bin/sh # # EDB Note: Download ~ githubcom/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47167zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses polkit technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ /exploitpolkitsh # [*] Compiling # [*] Creating /usr/share/polkit-1/action ...
#!/bin/sh # # EDB Note: Download ~ githubcom/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47165zip # # wrapper for Jann Horn's exploit for CVE-2018-18955 # uses dbus service technique # --- # test@linux-mint-19-2:~/kernel-exploits/CVE-2018-18955$ /exploitdbussh # [*] Compiling # [*] Creating /usr/share/dbus-1/syst ...

Github Repositories

Linux-Kernel-Exploits

Linux-Kernel-Exploits CVE-2018-18955 Detail In the Linux kernel 415x through 419x before 4192, map_write() in kernel/user_namespacec allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demons

Linux-Kernel-Exploits

Linux-Kernel-Exploits CVE-2018-18955 Detail In the Linux kernel 415x through 419x before 4192, map_write() in kernel/user_namespacec allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demons

POCs can run in some Linux kernel versions

POC-available POCs can run in some Linux kernel versions CVE-2019-11599 POC运行内核版本:462 运行方式: gcc -o coredump_helper coredump_helperc sudo /set_helpersh gcc -o dumpme dumpmec /dumpme 运行结果: 运行poc 通过dmesg查看日志 CVE-2019-9213 POC运行内核版本:462 运行方式: gcc -o nullmap nullmapc /nullmap 运行结果: CVE-

💀 Linux local root exploit for CVE-2018-18955

CVE-2018-18955 Linux local root exploit Wrapper for Jann Horn's exploit for CVE-2018-18955, forked from kernel-exploits In the Linux kernel 415x through 419x before 4192, map_write() in kernel/user_namespacec allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges A user who has CAP_SYS_ADMIN in an aff

Tryhackme box

thelondonbridge THM TheLondonBridge Walkthrough Hello guys this is my very first box in THM hope you guys will enjoy it, There are mainly 4 stages in this box: *) Scanning *) Enumeration *) Gaining access *) Privilege escalation **) Scan the ip using rustscan: rustscan We found 3 open ports SSH HTTP 44567(further version scan gave us a tcpwrapped service) **) Enumeration We enu

Compte rendu ctf mordor fait dans le cadre de INF805

By VINAI Florent & BELKACEMI Billal COMPTE RENDU CTF MORDOR UDES MAITRISE CYBER 2023 **Introduction ** Défi #1 : Trouver la porte d’entrée de Mordor 5** **Défi #2 : Intrusion dans Mordor 6** **Défi #3 : Accès à DVWA de Samwise 12** **Défi #4 : Accès au fichier “telnetinfotxt” 14** **Défi