oss-sec mailing list archives
Re: Linux Kernel use-after-free write in netfilter
From: Solar Designer <solar () openwall com>
Date: Fri, 2 Sep 2022 11:49:46 +0200
On Thu, Aug 25, 2022 at 03:20:21PM +0200, Solar Designer wrote:
On Tue, May 31, 2022 at 10:00:32AM +0100, EDG EDG wrote:A use-after-free write vulnerability was identified within the netfilter subsystem which can be exploited to achieve privilege escalation to root. In order to trigger the issue it requires the ability to create user/net namespaces. This issue has been fixed within the following commit: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/net/netfilter?id=520778042ccca019f3ffa136dd0ca565c486cedd The issue was previously confirmed on the latest linux master (commit 143a6252e1b8ab424b4b293512a97cca7295c182) and we have confirmed it can be exploited for privilege escalation on Ubuntu 22.04 (Linux kernel 5.15.0-27-generic).[...]# POC Code[...]printf("should have triggered KASAN\n");While the message above included PoC code, there's now also a blog post and GitHub repo with a full exploit: https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/ https://github.com/theori-io/CVE-2022-32250-exploit "In this post, we have shown the process of exploiting CVE-2022-32250. We were able to leak KASLR and overwrite modprobe_path by utilizing the mqueue functions, and as a result, we successfully gained root privileges in Ubuntu 22.04."
The Exploit Development Group (EDG) at NCC Group, who discovered this vulnerability and started this thread, have just published their own write-up about its exploitation: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/ Alexander
Current thread:
- Re: Linux Kernel use-after-free write in netfilter Solar Designer (Aug 25)
- Re: Linux Kernel use-after-free write in netfilter Solar Designer (Sep 02)