@carlospolop

🔧 Automated Privilege Escalation Check Addition

🤔 Privilege Escalation Reasoning

The blog describes CVE-2025-38352, a local Linux kernel vulnerability in the POSIX CPU timers implementation that enables kernel memory corruption and local privilege escalation to root on affected kernels. This is not a CTF-only misconfiguration or a custom script; it is a real kernel bug already reported as exploited in the wild (Android bulletin) and affects Linux LTS 6.12.33 kernels configured with CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n. That fits linpeas’ scope of detecting kernel-level privilege escalation primitives and risky kernel configurations. The technique is generic for Linux/Android and conceptually applicable to other POSIX-like kernels, but the CVE and PoC are Linux-specific. linpeas can benefit from: (1) detecting vulnerable kernel versions/configurations (presence of the specific LTS 6.12.33 or nearby versions and CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled), and (2) flagging the host as potentially vulnerable to a known local privesc. It does not require any highly custom userland binaries or odd CTF-like setups; only the kernel build options matter, which is typical for production Android and embedded systems.

🤖 Implementation Details

PEASS linpeas agent completed successfully with 71 items. Agent Comment: Summary:

  • Added a new LinPEAS module linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38352.sh that detects the newly disclosed Linux kernel POSIX CPU timers race (CVE-2025-38352). The check inspects the running kernel release (with special emphasis on Linux 6.12.x where the public PoC targets 6.12.33) and walks common kernel-config locations (/proc/config.gz, /boot/config-$(uname -r), module build trees, etc.) to determine whether CONFIG_POSIX_CPU_TIMERS_TASK_WORK is disabled, which is the prerequisite for the vulnerability.
  • When the option is disabled, the module highlights the risk, annotates the config source path, differentiates high-risk 6.12.x kernels with red/yellow emphasis, and adds contextual guidance (Android exploitation note, recommendation to patch or re-enable task_work handling).

Testing:

  • bash -n linPEAS/builder/linpeas_parts/1_system_information/18_CVE_2025_38352.sh

🏗️ Builder Agent Response

LinPEAS build agent completed successfully with 50 items. Agent Comment: Build fixed ✅

  1. Navigated to /tmp/hacktricks_update_3hhop4sz/repo/linPEAS and ran python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh. The first attempt failed because the new module builder/linpeas_parts/1_system_information/18_CVE_2025_38352.sh declared several undeclared global variables.

  2. Updated that module by:

    • Adding the full list of module-specific variables to the # Generated Global Variables metadata.
    • Renaming every working variable with the unique cve38352_ prefix (e.g., $kernel_release → $cve38352_kernel_release) to avoid namespace collisions and satisfy the builder’s metadata checks.
    • Rewriting the script with the new variable names to keep behavior unchanged.
  3. Re-ran the build command (timeout 600s). This time it completed successfully, downloading the auxiliary tooling and writing the fat build to /tmp/linpeas_fat.sh.

LinPEAS now builds cleanly with no outstanding errors.


This PR was automatically created by the HackTricks Feed Bot. Please review the implementation carefully and test thoroughly before merging.
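The check the PR description outlines (read the running kernel release, locate the kernel config, and decide whether CONFIG_POSIX_CPU_TIMERS_TASK_WORK is disabled) can be reproduced in a few shell functions. The block below is an added example written for this page; it is not the contents of the PR's 18_CVE_2025_38352.sh module and does not use linpeas' variables or output helpers. The function names, the HIGH/MEDIUM/LOW/UNKNOWN labels and the two sample config snippets are assumptions constructed here; the config search order (/proc/config.gz, then /boot/config-$(uname -r)) follows the PR text.

```shell
#!/usr/bin/env sh
# Added example, not the PR's module: detect the CVE-2025-38352 precondition
# (CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled) in a kernel config and flag
# 6.12.x kernels, which the public PoC targets according to the PR description.

# Read a plain-text kernel config on stdin and print one of:
# "disabled", "enabled" or "unknown" for CONFIG_POSIX_CPU_TIMERS_TASK_WORK.
# Kconfig writes "# CONFIG_X is not set" for a disabled bool and "CONFIG_X=y"
# for an enabled one; if neither line is present we cannot tell.
cpu_timers_task_work_state() {
  state="unknown"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y")
        state="enabled" ;;
      "# CONFIG_POSIX_CPU_TIMERS_TASK_WORK is not set"|"CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n")
        state="disabled" ;;
    esac
  done
  printf '%s\n' "$state"
}

# Return 0 when a `uname -r` string belongs to the 6.12.x series, else 1.
is_6_12_kernel() {
  case "$1" in
    6.12|6.12.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the running kernel's config as text, trying the same locations the PR
# names: /proc/config.gz first, then /boot/config-$(uname -r).
# Returns 1 (and prints nothing) when neither is readable.
read_kernel_config() {
  if [ -r /proc/config.gz ]; then
    gzip -dc /proc/config.gz
  elif [ -r "/boot/config-$(uname -r)" ]; then
    cat "/boot/config-$(uname -r)"
  else
    return 1
  fi
}

# Combine both signals for a (release, config-on-stdin) pair into a label.
# Labels are this example's own convention, not linpeas' colour scheme.
assess_cve_2025_38352() {
  release="$1"
  state="$(cpu_timers_task_work_state)"
  if [ "$state" = "disabled" ]; then
    if is_6_12_kernel "$release"; then
      echo "HIGH: 6.12.x kernel with task_work handling disabled"
    else
      echo "MEDIUM: task_work handling disabled (verify kernel patch level)"
    fi
  elif [ "$state" = "enabled" ]; then
    echo "LOW: CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y"
  else
    echo "UNKNOWN: option not found in config"
  fi
}

# Live check for the host this runs on (not invoked by default).
scan_running_kernel() {
  if ! cfg="$(read_kernel_config)"; then
    echo "UNKNOWN: no readable kernel config found"
    return 0
  fi
  printf '%s\n' "$cfg" | assess_cve_2025_38352 "$(uname -r)"
}

# Constructed sample configs (not captured from a real host) for a stand-alone run.
SAMPLE_DISABLED='CONFIG_POSIX_TIMERS=y
# CONFIG_POSIX_CPU_TIMERS_TASK_WORK is not set
CONFIG_PREEMPT=y'
SAMPLE_ENABLED='CONFIG_POSIX_TIMERS=y
CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y'

demo() {
  printf '%s\n' "$SAMPLE_DISABLED" | assess_cve_2025_38352 "6.12.33"
  printf '%s\n' "$SAMPLE_DISABLED" | assess_cve_2025_38352 "6.6.50"
  printf '%s\n' "$SAMPLE_ENABLED"  | assess_cve_2025_38352 "6.12.33"
}

demo
```

Run it directly to see the three sample verdicts; call `scan_running_kernel` to evaluate the host. Note that a kernel config alone cannot prove the fix is absent: a distribution kernel that backported the patch still reports the option disabled, so a "HIGH" result is a prompt to verify the patch level, not a confirmed vulnerability, which is the same caveat the PR's "recommendation to patch or re-enable task_work handling" implies.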
