CVE-2022-41974 refers to a severe vulnerability in the multipath-tools package, versions 0.7.7 through 0.9.x before 0.9.2. The vulnerability allows local users to gain root access on the affected system, leading to a complete compromise. It can be exploited alone or in conjunction with CVE-2022-41973.

In this post, we will describe the technical details of how the vulnerability works and share code snippets to help understand the exploit mechanism. We will also provide links to the original references and resources.

The Vulnerability

The multipath-tools vulnerability allows local users who can write to the package's UNIX domain socket to bypass its access controls and manipulate the multipath setup, leading to local privilege escalation to root. The root cause is the handling of a repeated keyword: keyword codes are combined with an arithmetic ADD operation instead of the correct bitwise OR, so repeating a keyword changes the resulting value instead of leaving it unchanged.

Here's a code snippet illustrating the improper handling of repeated keywords:

// Incorrect code: arithmetic ADD, so a repeated keyword is counted twice
int flags = 0;

if (strcmp(keyword1, "foo") == 0) {
    flags += FLAG_A;
}

if (strcmp(keyword2, "foo") == 0) {
    flags += FLAG_A;   /* flags is now 2 * FLAG_A, not FLAG_A */
}

// Correct code: bitwise OR, so a repeated keyword has no further effect
int flags = 0;

if (strcmp(keyword1, "foo") == 0) {
    flags |= FLAG_A;
}

if (strcmp(keyword2, "foo") == 0) {
    flags |= FLAG_A;   /* flags is still FLAG_A */
}

As shown in the code snippet above, the arithmetic ADD in the incorrect code lets a repeated keyword drive the flag value to a sum (two FLAG_A additions yield 2 * FLAG_A) that can coincide with the value of a different flag, so the parsed command no longer matches the keywords actually supplied. The correct code uses bitwise OR, which is idempotent: adding the same flag twice leaves the value unchanged, and the vulnerability is mitigated.
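To make the collision concrete, the following added example (not code from multipath-tools or from this post) folds the keyword codes of a space-separated command line with both operations. FLAG_A, FLAG_B and the keyword names are constructed values for illustration, not the project's real codes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed keyword codes for illustration only; not multipath-tools' real values. */
#define FLAG_A 0x1
#define FLAG_B 0x2

struct keyword { const char *name; int code; };
static const struct keyword keywords[] = { { "foo", FLAG_A }, { "bar", FLAG_B } };

/* Return the code for one keyword token, or 0 if the token is unknown. */
static int keyword_code(const char *tok, size_t len)
{
    for (size_t i = 0; i < sizeof keywords / sizeof keywords[0]; i++)
        if (strlen(keywords[i].name) == len && strncmp(keywords[i].name, tok, len) == 0)
            return keywords[i].code;
    return 0;
}

/* Walk a space-separated command line and fold the keyword codes with ADD or OR. */
static int fold_keywords(const char *cmd, int use_or)
{
    int flags = 0;
    const char *p = cmd;
    while (*p) {
        while (*p == ' ') p++;          /* skip separators */
        if (!*p) break;
        const char *end = p;
        while (*end && *end != ' ') end++;
        int code = keyword_code(p, (size_t)(end - p));
        if (use_or)
            flags |= code;              /* fixed: "foo foo" stays FLAG_A */
        else
            flags += code;              /* vulnerable: "foo foo" becomes 2 == FLAG_B */
        p = end;
    }
    return flags;
}

int fingerprint_add(const char *cmd) { return fold_keywords(cmd, 0); }
int fingerprint_or(const char *cmd)  { return fold_keywords(cmd, 1); }

int main(void)
{
    printf("ADD: \"foo foo\" -> %d, \"bar\" -> %d (%s)\n", fingerprint_add("foo foo"),
           fingerprint_add("bar"), fingerprint_add("foo foo") == fingerprint_add("bar") ? "collision" : "distinct");
    printf("OR : \"foo foo\" -> %d, \"bar\" -> %d (%s)\n", fingerprint_or("foo foo"),
           fingerprint_or("bar"), fingerprint_or("foo foo") == fingerprint_or("bar") ? "collision" : "distinct");
    return 0;
}
```

Under ADD the repeated keyword "foo foo" produces the same value as the unrelated keyword "bar"; under OR the two remain distinct, which is exactly why the fix swaps the operator.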

Exploitation Details

An attacker with local access who can write to the multipath-tools UNIX domain socket can use this flaw to bypass the access controls and escalate privileges. Combining it with CVE-2022-41973 makes the attack more potent still, which further emphasizes the need to patch vulnerable systems.

Mitigation

The best way to mitigate this vulnerability is to update multipath-tools to version 0.9.2 or later. Organizations and users should apply the update as soon as possible to avoid potential exploitation.

Original References

For more information on this vulnerability and its exploitation, please refer to the following resources:

1. CVE-2022-41974 official record
2. multipath-tools 0.9.2 official release notes
3. CVE-2022-41973 official record

Conclusion

CVE-2022-41974 is a critical vulnerability in multipath-tools that can lead to local privilege escalation, potentially giving attackers full control of vulnerable systems. It is essential to understand this vulnerability and apply the necessary updates to protect from potential attacks. Please make sure to follow the mitigation steps outlined above and stay informed about the latest security updates and best practices.

Timeline

Published on: 10/29/2022 19:15:00 UTC
Last modified on: 11/22/2022 14:15:00 UTC