CVE-2021-3492

HIGH

Ubuntu Linux < 18.04 and < 20.10 - Use-After-Free in Shiftfs

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-3492. PoCs published by synacktiv.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-3492, a double-free vulnerability in the Linux kernel's shiftfs module. The exploit leverages BTRFS ioctl operations and userfaultfd for synchronization to achieve arbitrary read/write in kernel memory, ultimately leading to privilege escalation.

Description

Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.

Exploits (1)

nomisec WORKING POC 42 stars

by synacktiv · poc

https://github.com/synacktiv/CVE-2021-3492

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-3492, a double-free vulnerability in the Linux kernel's shiftfs module. The exploit leverages BTRFS ioctl operations and userfaultfd for synchronization to achieve arbitrary read/write in kernel memory, ultimately leading to privilege escalation.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Linux kernel (Ubuntu 20.10, 5.8.0-xx-generic)

No auth needed

Prerequisites: Linux kernel with shiftfs module loaded · BTRFS filesystem support · User namespace and mount namespace access

MITRE ATT&CK