explaingit

manizada/cifswitch

Analysis updated 2026-05-18

25PythonAudience · ops devopsComplexity · 4/5Setup · moderate

TLDR

A defensive security proof-of-concept that demonstrates a Linux privilege escalation technique via cifs.upcall and library-name hijacking, for authorized testing only.

Mindmap

mindmap
  root((repo))
    What it does
      Security PoC
      Privilege escalation demo
      Patch verification aid
    Tech stack
      Python
      C
      Linux
      GCC
    Use cases
      Verify mitigations
      Study NSS hijacking
      Test detection tooling
    Audience
      Security and ops teams
    Caveats
      Authorized use only
      Isolated test environment required

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Verify that a patch or mitigation for the underlying vulnerability is working on systems you own.

USE CASE 2

Study how cifs.upcall and NSS library-name resolution can be abused for privilege escalation.

USE CASE 3

Test defensive detection tooling against a known proof-of-concept technique in an isolated lab.

What is it built with?

PythonCLinuxGCC

How does it compare?

manizada/cifswitchalexrosbach/replibookarlandaren/proagents
Stars252525
LanguagePythonPythonPython
Setup difficultymoderateeasyeasy
Complexity4/52/51/5
Audienceops devopsops devopsvibe coder

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 1h+

Requires GCC and an x86_64 Linux system, library paths may need adjusting per distro.

In plain English

CIFSwitch is a proof-of-concept (PoC) tool published for defensive security research. The README links to an accompanying writeup that explains the vulnerability or technique in detail. The tool is explicitly scoped to help defenders, system maintainers, and authorized security teams verify that a patch or mitigation is working correctly on systems they own or have permission to test. Technically, the PoC works by compiling two small C helper programs at runtime. One is a fake library that writes an entry into the sudoers configuration, which controls who can run commands as root on a Linux system. The other is a trigger that causes a system component called cifs.upcall to enter a private namespace and load the fake library. The approach involves manipulating how the system resolves library names, a technique sometimes called NSS (Name Service Switch) hijacking. The tool requires GCC (a standard C compiler) to be present on the machine. The README does not describe the underlying vulnerability in detail, readers are directed to the linked writeup for that context. The tool targets x86_64 Linux systems and notes that the assumed library directory paths may need adjustment depending on the specific distribution. The README carries a prominent warning that use of this material is the sole responsibility of the user and must be lawful, authorized, and conducted in an isolated test environment.

Copy-paste prompts

Prompt 1
Explain what Name Service Switch hijacking is and why it matters for Linux security.
Prompt 2
What does cifs.upcall normally do, and how does this PoC abuse it?
Prompt 3
How would a defender detect this technique with auditd or similar logging?
Prompt 4
What precautions should I take before running a PoC like this in a test environment?

Frequently asked questions

What is cifswitch?

A defensive security proof-of-concept that demonstrates a Linux privilege escalation technique via cifs.upcall and library-name hijacking, for authorized testing only.

What language is cifswitch written in?

Mainly Python. The stack also includes Python, C, Linux.

How hard is cifswitch to set up?

Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.

Who is cifswitch for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.