[+] Identify and analyze kernel version

This module tries to identify the version of the Linux kernel in use. The following sources are checked:
    - Results of module s24
    - Identified kernel modules in .ko format
    - Identified kernel modules in .o format
    - Filesystem path of kernel modules, e.g. /lib/modules/1.2.3/bla

Additionally, it checks the identified kernel version against linux-exploit-suggester (https://github.com/mzet-/linux-exploit-suggester) for known exploits.
Finally, it checks the kernel modules for interesting combinations of closed-source modules and debugging information, e.g. non-open-source modules that include debugging information.

Kernel version:
    3.10.14

Kernel details:
    
    A_Simple_driver_for_get_sensors_info_
    A_low_level_driver_for_OmniVision_jxf22_sensors
    A_low_level_driver_for_OmniVision_jxf23_sensors
    JZ_PWM_Driver
    Realtek_Wireless_Lan_Driver
    TXX_codec_driver
    Webcam_Video_Gadget
    exFAT_Filesystem_Driver
    tx_isp_driver
    vmalloc_memory_handling_routines_for_videobuf2

==> Kernel vulnerabilities

[+] Found linux kernel version/s:
    3.10.14


==> Possible exploits via linux-exploit-suggester.sh for kernel version 3.10.14

[*] Search possible exploits via linux-exploit-suggester.sh for kernel version 3.10.14
    https://github.com/mzet-/linux-exploit-suggester

Available information:

Kernel version: 3.10.14
Architecture: N/A
Distribution: N/A
Distribution version: N/A
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): N/A
Package listing: N/A

Searching among:

81 kernel space exploits
0 user space exploits

Possible Exploits:

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
   Requirements: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3
   exploit-db: 40611
   author: Phil Oester

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
   Requirements: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3
   exploit-db: 40839
   author: FireFart (author of exploit at EDB 40839); Gabriele Bonacini (author of exploit at 'ext-url')

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
   Requirements: pkg=linux-kernel,ver<5.18.1,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
   author: vulnerability discovery: EDG Team from NCC Group; Author of this exploit: theori.io

[+] [CVE-2021-27365] linux-iscsi

   Details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
   Exposure: less probable
   Tags: RHEL=8
   Download URL: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
   Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled
   Requirements: pkg=linux-kernel,ver<=5.11.3,CONFIG_SLAB_FREELIST_HARDENED!=y
   author: GRIMM

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
   Requirements: pkg=linux-kernel,ver>=2.6.19,ver<=5.12-rc6
   exploit-db: 50135
   author: theflow (original exploit author); bcoles (author of exploit update at 'ext-url')

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
   Requirements: pkg=linux-kernel,ver>=3,ver<5.0.19,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,CONFIG_XFRM=y
   author: Vitaly 'vnik' Nikolenko

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
   Requirements: pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
   exploit-db: 41994
   author: Andrey 'xairy' Konovalov (original exploit author); Brendan Coles (author of exploit update at 'ext-url')

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
   Requirements: pkg=linux-kernel,ver>=2.6.18,ver<=4.9.11,CONFIG_IP_DCCP=[my]
   exploit-db: 41458
   author: Andrey 'xairy' Konovalov

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: less probable
   Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
   Requirements: pkg=linux-kernel,ver>=3.2,ver<=4.13,x86_64
   exploit-db: 42887
   author: Qualys

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
   Requirements: pkg=linux-kernel,ver>=3.0.0,ver<=4.4.8
   exploit-db: 41999
   author: Andrey 'xairy' Konovalov

[+] [CVE-2015-9322] BadIRET

   Details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
   Exposure: less probable
   Tags: RHEL<=7,fedora=20
   Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
   Requirements: pkg=linux-kernel,ver>=3.0.1,ver<3.17.5,x86_64
   author: Rafal 'n3rgal' Wojtczuk & Adam 'pi3' Zabrocki

[+] [CVE-2015-8660] overlayfs (ovl_setattr)

   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
   Download URL: https://www.exploit-db.com/download/39166
   Requirements: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3
   exploit-db: 39166

[+] [CVE-2015-8660] overlayfs (ovl_setattr)

   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/39230
   Requirements: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3
   exploit-db: 39230

[+] [CVE-2014-5207] fuse_suid

   Details: https://www.exploit-db.com/exploits/34923/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/34923
   Requirements: pkg=linux-kernel,ver>=3.0.1,ver<=3.16.1
   exploit-db: 34923

[+] [CVE-2014-4943] PPPoL2TP (DoS)

   Details: https://cyseclabs.com/page?n=01102015
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/36267
   Requirements: pkg=linux-kernel,ver>=3.2,ver<=3.15.6
   exploit-db: 36267

[+] [CVE-2014-4014] inode_capable

   Details: http://www.openwall.com/lists/oss-security/2014/06/10/4
   Exposure: less probable
   Tags: ubuntu=12.04
   Download URL: https://www.exploit-db.com/download/33824
   Requirements: pkg=linux-kernel,ver>=3.0.1,ver<=3.13
   exploit-db: 33824

[+] [CVE-2014-0196] rawmodePTY

   Details: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/33516
   Requirements: pkg=linux-kernel,ver>=2.6.31,ver<=3.14.3
   exploit-db: 33516

[+] [CVE-2014-0038] timeoutpwn

   Details: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
   Exposure: less probable
   Tags: ubuntu=13.10
   Download URL: https://www.exploit-db.com/download/31346
   Comments: CONFIG_X86_X32 needs to be enabled
   Requirements: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y
   exploit-db: 31346

[+] [CVE-2014-0038] timeoutpwn 2

   Details: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
   Exposure: less probable
   Tags: ubuntu=(13.04|13.10){kernel:3.(8|11).0-(12|15|19)-generic}
   Download URL: https://www.exploit-db.com/download/31347
   Comments: CONFIG_X86_X32 needs to be enabled
   Requirements: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y
   exploit-db: 31347

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
   Requirements: pkg=linux-kernel,ver>=3.10,ver<4.4.1
   exploit-db: 40003

[+] [CVE-2014-2851] use-after-free in ping_init_sock() (DoS)

   Details: https://cyseclabs.com/page?n=02012016
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/32926
   Requirements: pkg=linux-kernel,ver>=3.0.1,ver<=3.14
   exploit-db: 32926

[+] WARNING: Vulnerability CVE-2016-5195 is a known exploited vulnerability.
[+] WARNING: Vulnerability CVE-2014-0196 is a known exploited vulnerability.

==> Check modprobe.d directory and content

[-] No modprobe.d directory found
[-] No check for kernel configuration

==> Analyze kernel modules

[*] Found 16 kernel modules.
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/exfat.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/6225984-11075644.jffs2_new_extract/usbcamera.ko (-rw-r--r-- root root)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/tx-isp.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/6225984-11075644.jffs2_new_extract/audio.ko (-rw-r--r-- root root)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/6225984-11075644.jffs2_new_extract/videobuf2-vmalloc.ko (-rw-r--r-- root root)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/sensor_jxf22.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/sensor_jxf23.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/sample_speakerctl.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/6225984-11075644.jffs2_new_extract/libcomposite.ko (-rw-r--r-- root root)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/sample_pwm_hal.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/sample_motor.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/usb-akubelli.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/rtl8189ftv.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/audio.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/sinfo.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED
[-] Found kernel module ./logs/firmware/unblob_extracted/firmware_extract/5570624-6156352.squashfs_v4_le_extract/sample_pwm_core.ko (-rw-r--r-- 501 dialout)  License: GPL - NOT STRIPPED