Re: Linux Kernel use-after-free write in netfilter

[Solar Designer <solar () openwall com>]

On Thu, Aug 25, 2022 at 03:20:21PM +0200, Solar Designer wrote:
> On Tue, May 31, 2022 at 10:00:32AM +0100, EDG EDG wrote:
> > A use-after-free write vulnerability was identified within the
> > netfilter subsystem
> > which can be exploited to achieve privilege escalation to root.
> >
> > In order to trigger the issue it requires the ability to create user/net
> > namespaces.
> >
> > This issue has been fixed within the following commit:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/net/netfilter?id=520778042ccca019f3ffa136dd0ca565c486cedd
> >
> > The issue was previously confirmed on the latest linux master (commit
> > 143a6252e1b8ab424b4b293512a97cca7295c182) and we have confirmed it can be
> > exploited for privilege escalation on Ubuntu 22.04 (Linux kernel
> > 5.15.0-27-generic).
> [...]
> > # POC Code
> [...]
> >     printf("should have triggered KASAN\n");
>
> While the message above included PoC code, there's now also a blog post
> and GitHub repo with a full exploit:
>
> https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
> https://github.com/theori-io/CVE-2022-32250-exploit
>
> "In this post, we have shown the process of exploiting CVE-2022-32250.
> We were able to leak KASLR and overwrite modprobe_path by utilizing the
> mqueue functions, and as a result, we successfully gained root
> privileges in Ubuntu 22.04."

The Exploit Development Group (EDG) at NCC Group, who discovered this
vulnerability and started this thread, have just published their own
write-up about its exploitation:

https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/

Alexander