A hidden backdoor was detected in a proof-of-concept exploit for a vulnerability that affects Linux


If exploited, such flaws can allow attackers to gain unauthorized access to sensitive information or otherwise disrupt the system.

Here on the blog I like to share a lot of news about bugs and vulnerabilities discovered in Linux, within its different subsystems, as well as in some popular applications.

As many of you will know, the process of disclosing a vulnerability usually includes a grace period so that the developers have time to fix the bug and release corrected versions or patches. In most cases the bug is fixed before the vulnerability is disclosed, but this is not always the case, and the information, together with any prepared exploits, is released to the public.

The point of raising this is that it is not the first time an "exploit" for a vulnerability has turned out to carry a "hidden prize": in mid-June, a vulnerability (tracked as CVE-2023-35829) was reported in the Linux kernel module rkvdec.

In this case, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool. Its hidden backdoor presents a stealthy and persistent threat. Operating as a downloader, it silently fetches and executes a Linux bash script while disguising itself as a kernel-level process.

Its persistence method is quite astute: it takes advantage of the make command, normally used to build executables from source files, to create a kworker file and add that file's path to the .bashrc file, allowing the malware to keep running on the victim's system.

The vulnerability itself allows access to a memory area after it has been freed, due to a race condition when the driver is unloaded. It was assumed that the problem was limited to a denial of service, but recently information appeared in some Telegram and Twitter communities claiming that the vulnerability can be used by an unprivileged user to gain root rights.

To demonstrate this, two working exploit prototypes were released as evidence and posted on GitHub, but were later removed because backdoors were found in them.

Analysis of the published exploits showed that they contain malicious code that installs malware on Linux: they set up a backdoor for remote login and send some files to the attackers.

The malicious exploit only pretended to obtain root access: it displayed diagnostic messages about the progress of the attack, created a separate user namespace with its own root user, and ran a /bin/bash shell in an environment isolated from the main one, which gave the impression of having root when running utilities such as whoami.

The malicious code was activated by calling the executable file aclocal.m4 from the Makefile build script (the researchers who discovered the malicious code were alarmed by the fact that, when compiling the exploit, an ELF executable was invoked as an autoconf script). After starting, the executable creates a file on the system and adds it to "~/.bashrc" for automatic startup.

The process is then renamed, so that the user is unlikely to notice it in the process list among the many kworker processes of the Linux kernel.

The kworker process then downloads a bash script from an external server and runs it on the system. The downloaded script in turn adds a key that lets the intruders connect via SSH, and also uploads a file with the contents of the user's home directory and some system files, such as /etc/passwd, to the storage service transfer.sh, after which a link to the uploaded file is sent to the attackers' server.
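The two tricks described above, a `.bashrc` line that launches a file named like a kernel worker thread and a user-space process posing as a kworker, are easy to triage on a host. The following checks are an added example written for this post, not code from the original article or from the analysed exploit; the sample `.bashrc` text and process list are constructed, and the genuine-kworker rule relies on the fact that real kworker threads are children of kthreadd (PID 2) and have an empty `/proc/<pid>/cmdline`.

```python
"""Triage helpers for the kworker-themed persistence described in the post.
Genuine kworker threads have PPid 2 and an empty cmdline; anything named
kworker that breaks either rule is a user-space impostor worth inspecting."""
import re

# A shell word "kworker..." (optionally path-prefixed) that is being run, e.g.
# "~/kworker &" or "nohup /tmp/kworker >/dev/null 2>&1 &".
KWORKER_LAUNCH = re.compile(r"(?:^|[\s;&(])(?:\S*/)?kworker\S*(?:[\s;&)]|$)")


def suspicious_bashrc_lines(text: str) -> list:
    """Return (line_number, line) for non-comment rc lines launching 'kworker'."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines never execute
        if KWORKER_LAUNCH.search(line):
            hits.append((n, line.strip()))
    return hits


def fake_kworkers(procs: list) -> list:
    """procs: dicts with pid, ppid, comm, cmdline (as read from /proc/<pid>/status
    Name/PPid and /proc/<pid>/cmdline). Returns PIDs of kworker look-alikes."""
    return [p["pid"] for p in procs
            if p["comm"].startswith("kworker")
            and (p["ppid"] != 2 or p["cmdline"] != "")]


# Constructed sample data (hypothetical, not taken from the real exploit).
SAMPLE_BASHRC = """# ~/.bashrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
/home/user/.local/kworker >/dev/null 2>&1 &
"""
SAMPLE_PROCS = [
    {"pid": 12, "ppid": 2, "comm": "kworker/0:1", "cmdline": ""},  # genuine thread
    {"pid": 4242, "ppid": 1337, "comm": "kworker/0:1", "cmdline": "kworker/0:1"},
    {"pid": 2001, "ppid": 1, "comm": "bash", "cmdline": "bash"},
]

if __name__ == "__main__":
    print(suspicious_bashrc_lines(SAMPLE_BASHRC))  # flags line 4
    print(fake_kworkers(SAMPLE_PROCS))             # [4242]
```

On a live host, build the process dicts from `/proc/<pid>/status` (the `Name:` and `PPid:` fields) and `/proc/<pid>/cmdline`, and feed the user's real `~/.bashrc` to the first check.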

Finally, it is worth mentioning that if you are an enthusiast who likes to test exploits for disclosed vulnerabilities, take precautions: it never hurts to run these tests in an isolated environment (a VM) or on a separate secondary system dedicated to this purpose.

If you are interested in knowing more about it, you can check the details in the following link.

