oss-sec mailing list archives

Re: [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory


From: Piotr Krysiuk <piotras () gmail com>
Date: Mon, 15 May 2023 20:13:55 +0100

On Mon, May 8, 2023 at 4:58 PM Piotr Krysiuk <piotras () gmail com> wrote:
> Therefore, according to the linux-distros list policy, the exploit must
> be published within 7 days from this advisory. In order to comply with
> that policy, I intend to publish both the description of exploitation
> techniques and also the exploit source code on Monday 15th by email to
> this list.

Per the announcement above, we are publishing the description of
exploitation techniques and also the exploit source code as attachments
to this email.

The attached instructions have been tested against Ubuntu 23.04 Desktop
for amd64. However, the vulnerability is not limited to Ubuntu. The
affected code originates from the upstream Linux kernel from
https://kernel.org/ and we confirmed that exploitation is possible
against some other popular distributions.


# Affected Configurations

The following describes the minimum set of configurations where the bug is
exploitable. The attached exploit adds a few additional dependencies.
However, an alternative exploitation method could be developed that
avoids those additional dependencies.

The capability CAP_NET_ADMIN over the network namespace is required in
order to exploit the vulnerability.

A well-known technique to obtain that capability is by creating a new
user/network namespace. In the case of the current stable and longterm
Linux kernels from https://kernel.org/ an unprivileged local user can
create such namespace when the following configuration option is
enabled explicitly on top of `x86_64_defconfig`:

    CONFIG_USER_NS

For these kernels, Netfilter nf_tables is also disabled by default and
the following configuration option must be set explicitly to compile
it:

    CONFIG_NF_TABLES

And then at least one of the families must also be enabled:

    CONFIG_NF_TABLES_INET
    CONFIG_NF_TABLES_IPV4
    CONFIG_NF_TABLES_ARP
    CONFIG_NF_TABLES_NETDEV
    CONFIG_NF_TABLES_BRIDGE
    CONFIG_NF_TABLES_IPV6

For certain older kernels, `nft_set` functionality is disabled by
default and one of the following configuration options must be set
explicitly for any such system to be affected (depending on release):

    CONFIG_NF_TABLES_SET
    CONFIG_NFT_SET_RBTREE
    CONFIG_NFT_SET_HASH
    CONFIG_NFT_SET_BITMAP
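An added example, not part of the advisory or its attachments, that evaluates a kernel build configuration against the minimum option set listed above so a defender can tell whether a given kernel falls into the affected configuration; the helper names and the sample config files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a kernel .config for the advisory's minimum affected
# configuration. Helper names are invented for this example.

# cfg_enabled FILE OPTION -> true when "OPTION=y" or "OPTION=m" is present
cfg_enabled() {
    grep -qE "^$2=(y|m)$" "$1"
}

# any_enabled FILE OPTION... -> true when at least one option is enabled
any_enabled() {
    f=$1; shift
    for opt in "$@"; do
        cfg_enabled "$f" "$opt" && return 0
    done
    return 1
}

# nft_exposure_check FILE [old]
# Returns 0 when CONFIG_USER_NS, CONFIG_NF_TABLES and at least one table
# family are enabled. With a second argument of "old" (older kernels where
# nft_set is off by default) one of the set options is also required.
nft_exposure_check() {
    f=$1
    cfg_enabled "$f" CONFIG_USER_NS || { echo "CONFIG_USER_NS not set"; return 1; }
    cfg_enabled "$f" CONFIG_NF_TABLES || { echo "CONFIG_NF_TABLES not set"; return 1; }
    any_enabled "$f" CONFIG_NF_TABLES_INET CONFIG_NF_TABLES_IPV4 CONFIG_NF_TABLES_ARP \
        CONFIG_NF_TABLES_NETDEV CONFIG_NF_TABLES_BRIDGE CONFIG_NF_TABLES_IPV6 \
        || { echo "no nf_tables family enabled"; return 1; }
    if [ "${2:-}" = old ]; then
        any_enabled "$f" CONFIG_NF_TABLES_SET CONFIG_NFT_SET_RBTREE \
            CONFIG_NFT_SET_HASH CONFIG_NFT_SET_BITMAP \
            || { echo "nft_set support not enabled"; return 1; }
    fi
    echo "minimum configuration for exposure is present"
    return 0
}

# Constructed sample configs (not real distribution configs).
SAMPLE_EXPOSED=$(mktemp)
cat > "$SAMPLE_EXPOSED" <<'EOF'
CONFIG_USER_NS=y
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
# CONFIG_NF_TABLES_ARP is not set
EOF
SAMPLE_SAFE=$(mktemp)
cat > "$SAMPLE_SAFE" <<'EOF'
# CONFIG_USER_NS is not set
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
EOF
# On a live host: nft_exposure_check /boot/config-"$(uname -r)"
```

The two sample files exercise both outcomes; pass `old` as the second argument for kernels from the era where `nft_set` was a separate option.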


Kind regards,

Patryk Sondej
Piotr Krysiuk

Attachment: README.md
Attachment: EXPLOIT.md
Attachment: exploit.c
