Add linpeas privilege escalation checks from: ksmbd - Exploiting CVE-2025-37947 (3/3)

2025-12-12 07:40:39 -08:00 · 2025-10-16 13:04:42 +00:00
parent be3fe91da4
commit 1bc5a4d11b
2 changed files with 114 additions and 0 deletions
--- a/linPEAS/builder/linpeas_parts/7_software_information/Ksmbd_CVE_2025_37947.sh
+++ b/linPEAS/builder/linpeas_parts/7_software_information/Ksmbd_CVE_2025_37947.sh
@@ -0,0 +1,113 @@
 # Title: Software Information - KSMBD streams_xattr exposure (CVE-2025-37947)
 # ID: SI_Ksmbd_CVE_2025_37947
 # Author: HT Bot
 # Last Update: 16-10-2025
 # Description: Detect ksmbd kernel server exposure to CVE-2025-37947 when a writable share enables streams_xattr.
 # License: GNU GPL
 # Version: 1.0
 # Functions Used: print_2title, print_info
 # Global Variables: $DEBUG
 # Initial Functions:
 # Generated Global Variables: $kernel_rel, $findings, $soft_hits, $any_streams, $confs, $section, $conf
 # Fat linpeas: 0
 # Small linpeas: 1
 # This check aims to be lightweight and avoid false positives:
 #  - It requires ksmbd to be present/active (kernel module or service)
 #  - It parses common Samba/ksmbd config files and flags shares that both enable
 #    streams_xattr and are writable (writeable=yes|writable=yes|read only=no)
 ksmbd_is_active() {
  # ksmbd can be detected as a kernel module or via its userspace helper
  if [ -d /sys/module/ksmbd ] || [ -e /proc/fs/ksmbd ]; then
    return 0
  fi
  if command -v lsmod >/dev/null 2>&1 && lsmod 2>/dev/null | grep -qw "^ksmbd"; then
    return 0
  fi
  if command -v systemctl >/dev/null 2>&1 && systemctl is-active ksmbd >/dev/null 2>&1; then
    return 0
  fi
  # As a best-effort fallback, check if something is listening on 445 without smbd
  if command -v ss >/dev/null 2>&1; then
    if ss -H -ltpn 2>/dev/null | grep -qE "\bLISTEN\b.*:445\b"; then
      # If smbd is not the listener PID (ksmbd is in-kernel, no PID shown)
      if ! pgrep -x smbd >/dev/null 2>&1; then
        return 0
      fi
    fi
  fi
  return 1
 }
 find_streams_writable_shares() {
  # Parse typical config locations for Samba/ksmbd
  # Note: ksmbd-tools often uses /etc/ksmbd/ksmbd.conf with Samba-like syntax
  local confs
  confs="/etc/ksmbd/ksmbd.conf /etc/ksmbd/smb.conf /etc/samba/smb.conf /usr/local/etc/smb.conf"
  for f in $confs; do
    [ -r "$f" ] || continue
    # Use awk to find sections that enable streams_xattr and are writable
    awk -v IGNORECASE=1 -v file="$f" '
      function flush(){
        if (section!="" && has_streams && writable) {
          printf("%s|%s\n", file, section);
        }
      }
      BEGIN{ section=""; has_streams=0; writable=0; }
      {
        line=$0;
        # strip trailing comments
        sub(/[;#].*$/, "", line);
        if ($0 ~ /^\s*\[/) {
          flush();
          section=$0; gsub(/^\s*\[/, "", section); gsub(/\]\s*$/, "", section);
          has_streams=0; writable=0;
        }
        if (line ~ /vfs[[:space:]]+objects[[:space:]]*=.*streams_xattr/)
          has_streams=1;
        if (line ~ /streams[ _]?xattr[[:space:]]*=[[:space:]]*(yes|true|on)/)
          has_streams=1;
        if (line ~ /writ(e)?able[[:space:]]*=[[:space:]]*(yes|true|on)/)
          writable=1;
        if (line ~ /read[[:space:]]*only[[:space:]]*=[[:space:]]*(no|false|off)/)
          writable=1;
      }
      END{ flush(); }
    ' "$f"
  done
 }
 print_ksmbd_header() {
  print_2title "KSMBD streams_xattr exposure (CVE-2025-37947)"
  print_info "Checks if ksmbd is active and a writable share enables streams_xattr (precondition for CVE-2025-37947)."
  print_info "Reference: CVE-2025-37947 - ksmbd_vfs_stream_write out-of-bounds write in streams_xattr path"
 }
 if ksmbd_is_active || [ "$DEBUG" ]; then
  print_ksmbd_header
  kernel_rel=$(uname -r 2>/dev/null)
  echo "Kernel: $kernel_rel" 2>/dev/null
  findings=$(find_streams_writable_shares)
  if [ -n "$findings" ]; then
    echo "$findings" | while IFS='|' read -r conf section; do
      printf "Potentially vulnerable share: [%s] in %s\n" "$section" "$conf" | sed -${E} "s,.*,${SED_RED_YELLOW},"
    done
    echo "  └─ ksmbd detected and streams_xattr enabled on writable share(s). Host likely exploitable for local LPE (CVE-2025-37947)." | sed -${E} "s,.*,${SED_RED},"
  else
    # If streams_xattr is enabled but not writable, provide a softer note
    soft_hits=$(find_streams_writable_shares | wc -l 2>/dev/null)
    if [ "$soft_hits" -eq 0 ]; then
      # Search for any streams_xattr mention to help manual triage
      any_streams=$(grep -Rils --include='*.conf' 'streams_xattr' /etc/ksmbd /etc/samba /usr/local/etc 2>/dev/null | head -n 3)
      if [ -n "$any_streams" ]; then
        echo "streams_xattr referenced in configuration but no writable share detected:" | sed -${E} "s,.*,${SED_YELLOW},"
        printf "%s\n" "$any_streams" | sed -${E} "s,.*,${SED_YELLOW},"
      else
        echo "ksmbd detected, but no writable share with streams_xattr found." | sed -${E} "s,.*,${SED_GREEN},"
      fi
    fi
  fi
  echo ""
 fi
--- a/testfile.txt
+++ b/testfile.txt
@@ -0,0 +1 @@
 hello