
Conversation

@carlospolop
Collaborator

🔧 Automated Privilege Escalation Check Addition

🤔 Privilege Escalation Reasoning

The post documents a local Linux kernel LPE (CVE-2025-37947) in ksmbd's streams_xattr write path that enables an authenticated local user to escalate to root on affected kernels (e.g., Ubuntu 22.04, 5.15.0-153-generic). Preconditions are realistic in production: ksmbd enabled, a writable SMB share, and streams_xattr support. This is not a contrived CTF setup nor a niche third‑party product; ksmbd is in mainline kernels and widely shipped in LTS distributions. While the post provides a full exploitation chain, linpeas does not need to exploit it—only detect likely exposure based on kernel version, ksmbd presence, and share configuration—making it a good candidate for integration as a vulnerability check.

🤖 Implementation Details

PEASS linpeas agent completed successfully with 81 items. Agent Comment: Work completed in repo: /tmp/hacktricks_update_6lfoy_bk/repo
Date: 2025-10-16

  1. Analysis and relevance
  • Technique: Local Linux kernel LPE due to an OOB write in ksmbd’s streams_xattr path (CVE-2025-37947). Preconditions: ksmbd enabled and a writable SMB share with streams_xattr enabled.
  • Why it belongs in linPEAS: ksmbd is mainline, present on common LTS kernels; the detection is configuration- and service-based (fast, low-noise). We only detect exposure, not exploit.
  • Not already covered: repo had no ksmbd- or streams_xattr-specific checks.
  2. Where I added the check
  • New module created:
    • linPEAS/builder/linpeas_parts/7_software_information/Ksmbd_CVE_2025_37947.sh
  3. What the new module does (detection logic)
  • Only runs if ksmbd appears active/present:
    • Detects ksmbd via one of:
      • /sys/module/ksmbd, /proc/fs/ksmbd
      • lsmod | grep -w ksmbd
      • systemctl is-active ksmbd
      • ss -ltpn shows port 445 listening and smbd is not present (best-effort kernel listener hint)
  • Parses common Samba/ksmbd configuration files to find writable shares that enable streams_xattr:
    • Files searched: /etc/ksmbd/ksmbd.conf, /etc/ksmbd/smb.conf, /etc/samba/smb.conf, /usr/local/etc/smb.conf
    • Section-aware parsing with awk looks for, within the same share:
      • streams_xattr enabled via vfs objects = ... streams_xattr or streams_xattr = yes/true/on (case-insensitive; covers “streams xattr” and “streams_xattr”)
      • Writability via writable=yes|writeable=yes or read only=no
  • Output:
    • If matches found: marks “Potentially vulnerable share: [share] in ” and a red-highlighted note that host is likely exploitable for local LPE (CVE-2025-37947). Also prints uname -r for operator context.
    • If no writable share but streams_xattr shows up anywhere, prints a yellow, softer note with paths for manual triage.
    • If ksmbd is present but no streams_xattr writable share detected, prints a green reassurance line.
  4. Implementation details
  • File: linPEAS/builder/linpeas_parts/7_software_information/Ksmbd_CVE_2025_37947.sh
  • Module metadata (as per linPEAS builder requirements):
    • Title: Software Information - KSMBD streams_xattr exposure (CVE-2025-37947)
    • ID: SI_KSMBD_CVE_2025_37947
    • Author: HT Bot
    • Last Update: 16-10-2025
    • Description: Detect ksmbd exposure when writable share enables streams_xattr
    • License: GNU GPL
    • Version: 1.0
    • Functions Used: print_2title, print_info
    • Global Variables: $DEBUG
    • Fat linpeas: 0
    • Small linpeas: 1
  • Performance: Single-pass awk over small config files; minimal process checks (lsmod/systemctl/ss/pgrep); optional grep limited to config dirs if needed. No recursive filesystem scans outside conf dirs; no heavy operations.
  • Compatibility: POSIX sh-compliant calling; relies on standard tools (awk, grep, ss/pgrep if present; gracefully degrades).
  5. Documentation
  • In-module print_info explains purpose and references the CVE. No changes needed in sensitive_files.yaml (this is not a generic file-content search pattern) or broader docs.
  6. Validation (syntax/quality)
  • Bash syntax check: OK
    • bash -n linPEAS/builder/linpeas_parts/7_software_information/Ksmbd_CVE_2025_37947.sh => SyntaxOK
  • Follows existing module patterns (metadata header, print_2title, print_info, small and fast).

Summary of technique covered

  • Title: KSMBD streams_xattr exposure (CVE-2025-37947)
  • Detection:
    • Confirm ksmbd presence/active.
    • Parse share definitions to find sections enabling streams_xattr and writable access.
  • Output: Flags potentially vulnerable shares and shows kernel version to aid patch verification.
  • Location added: linPEAS/builder/linpeas_parts/7_software_information/Ksmbd_CVE_2025_37947.sh

Rationale for scope

  • The check matches realistic configurations (ksmbd + streams_xattr + writable share) and is efficient, non-invasive, and cross-distro. It avoids version-guessing and only signals “likely exploitable” when all preconditions are met, reducing false positives.

🏗️ Builder Agent Response

LinPEAS build agent completed successfully with 33 items. Agent Comment: I’m on it. Here’s what I did and the result.

Actions taken

  1. Navigated to the builder directory
  • Path: /tmp/hacktricks_update_6lfoy_bk/repo/linPEAS
  2. Attempted the build
  • Command run: python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh
  • Initial result: Build failed while checking module syntax.
  3. Diagnosed the error
  • Error: Wrong ID in module Ksmbd_CVE_2025_37947.sh; the ID must match the filename with the section prefix.
  • After fixing ID, a second error occurred:
    • Global Variables '$kernel_rel, $conf, $any_streams, $soft_hits, $section, $findings, $confs' were not listed under “Generated Global Variables.”
  4. Fixes applied
  • Updated the module header in:
    • linPEAS/builder/linpeas_parts/7_software_information/Ksmbd_CVE_2025_37947.sh
  • Changes:
    • Set ID to match filename with section prefix:
      • From: SI_KSMBD_CVE_2025_37947
      • To: SI_Ksmbd_CVE_2025_37947
    • Declared generated variables to satisfy the builder’s metadata requirements:
      • Generated Global Variables: $kernel_rel, $findings, $soft_hits, $any_streams, $confs, $section, $conf
    • Left “Global Variables” as $DEBUG (the only external global referenced).
  5. Re-ran the build
  • Command: python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh
  • Result: Build completed successfully.
  6. Verification
  • Output file created: /tmp/linpeas_fat.sh
  • Size: ~16 MB
  • Top lines confirm a valid linpeas script with expected header.

Status

  • LinPEAS builds successfully with the provided command.
  • No remaining build errors.

If you need me to also test the small/no-fat variants or add/remove modules, I can run those too.


This PR was automatically created by the HackTricks Feed Bot. Please review the implementation carefully and test thoroughly before merging.
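The section-aware share parsing the PR describes, written out as an added stand-alone example (not the module's own code, nor linPEAS code): `ksmbd_exposed_shares` is a hypothetical function name, and the smb.conf content is constructed for the demonstration. It reports shares that both enable streams_xattr and are writable, and only reads configuration.

```shell
#!/bin/sh
# Added example (not linPEAS code): section-aware parse of an smb.conf-style file,
# printing each share that both enables streams_xattr and is writable. This is
# the exposure check the PR describes; it reads configuration only.

# Constructed sample config for demonstration (not taken from a real host).
SAMPLE_CONF="${TMPDIR:-/tmp}/ksmbd_demo_smb.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    vfs objects = streams_xattr
[public]
    read only = yes
    vfs objects = acl_xattr streams_xattr
[upload]
    writeable = yes
    vfs objects = Streams_Xattr
[data]
    read only = no
    streams xattr = yes
[docs]
    writable = yes
EOF

# Usage: ksmbd_exposed_shares /path/to/smb.conf
# Prints one share name per line; [global] is skipped because it is not a share.
ksmbd_exposed_shares() {
    awk '
    function flush() {
        if (section != "" && tolower(section) != "global" && streams && writable)
            print section
    }
    /^[ \t]*\[/ {                      # new section header: report the previous one
        flush()
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
        streams = 0; writable = 0
        next
    }
    {
        line = tolower($0)
        gsub(/[ \t]/, "", line)        # "read only = no" -> "readonly=no"
        if (line ~ /^vfsobjects=.*streams_xattr/) streams = 1
        if (line ~ /^streams_?xattr=(yes|true|on|1)$/) streams = 1
        if (line ~ /^(writable|writeable)=(yes|true|on|1)$/) writable = 1
        if (line ~ /^readonly=(no|false|off|0)$/) writable = 1
    }
    END { flush() }
    ' "$1"
}
```

On the sample above only `upload` and `data` are reported: `public` is read-only and `docs` never enables streams_xattr. Like the PR's parser, this looks only within each share section, so a `vfs objects` line inherited from `[global]` is not attributed to the shares and would fall under the manual-triage path.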
