io_uring UAF → modprobe_path overwrite → root
Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
§ Context
Assumed environment: foothold as a regular user on Linux. Kernel unpatched for an io_uring SQE UAF (multiple 2022-2024 CVEs). modprobe lookup not statically restricted.
§ Steps
- 01Attacker binary runs as rootInitial AccessT1078— Valid Accounts
- 02User shellInitial AccessT1078— Valid Accounts
- 03Run any binary type → kernel auto-loadsExecutionT1059— Command and Scripting Interpreter
- 04Trigger io_uring UAFPrivilege EscalationLK-IO-URING-UAF— io_uring UAF / Privesc
- 05Kernel write primitivePrivilege EscalationLK-DIRTY-PAGETABLE— Dirty Pagetable
- 06Overwrite modprobe_pathPrivilege EscalationLK-MODPROBE-PATH— modprobe_path Overwrite
§ References
§ Frequently asked
- What is the "io_uring UAF → modprobe_path overwrite → root" attack path?
- Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Attacker binary runs as root (T1078) — a initial access primitive. Assumed environment: foothold as a regular user on Linux.
- What is the final impact of this kill-chain?
- The final step lands on Overwrite modprobe_path (LK-MODPROBE-PATH), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques3
nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
- Shared techniques2
Process doppelgänging → spawn signed image with attacker bytes
Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.
- Shared techniques2
BYOVD → kernel-level disable of EDR callbacks
From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
- Shared techniques2
certutil + bitsadmin → AV-friendly stager chain
Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft.
- Shared techniques2
F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB
Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- Shared techniques2
Exposed UART → root shell → firmware extraction
Open the IoT device, locate TX/RX/GND pads, attach a USB-UART, get an unauthenticated root prompt, dump firmware for offline analysis + 0-day hunting.