Date: Mon, 15 May 2023 20:13:55 +0100 From: Piotr Krysiuk <piotras@...il.com> To: oss-security@...ts.openwall.com Cc: Patryk Sondej <patryk.sondej@...il.com> Subject: Re: [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory On Mon, May 8, 2023 at 4:58 PM Piotr Krysiuk <piotras@...il.com> wrote: > Therefore, according to the linux-distros list policy, the exploit must > be published within 7 days from this advisory. In order to comply with > that policy, I intend to publish both the description of exploitation > techniques and also the exploit source code on Monday 15th by email to > this list. Per the announcement above, we are publishing the description of exploitation techniques and also the exploit source code as attachments to this email. The attached instructions have been tested against Ubuntu 23.04 Desktop for amd64. However, the vulnerability is not limited to Ubuntu. The affected code originates from the upstream Linux kernel from https://kernel.org/ and we confirmed that exploitation is possible against some other popular distributions. # Affected Configurations The following describes minimum set of configurations where the bug is exploitable. The attached exploit adds a few additional dependencies. However, an alternative exploitation method could be developed that avoids those additional dependencies. The capability CAP_NET_ADMIN over the network namespace is required in order to exploit the vulnerability. A well-known technique to obtain that capability is by creating a new user/network namespace. In case of the current stable and longterm Linux kernels from https://kernel.org/ an unprivileged local user can create such namespace when the following configuration option is enabled explicitly on top of `x86_64_defconfig`: CONFIG_USER_NS For these kernels, Netfilter nf_tables is also disabled by default and the following configuration option must be set explicitly to compile it: CONFIG_NF_TABLES And then at least one of the families must also be enabled: CONFIG_NF_TABLES_INET CONFIG_NF_TABLES_IPV4 CONFIG_NF_TABLES_ARP CONFIG_NF_TABLES_NETDEV CONFIG_NF_TABLES_BRIDGE CONFIG_NF_TABLES_IPV6 For certain older kernels, `nft_set` functionality is disabled by default and one of the following configuration option must be set explicitly for any such system to be affected (depending on release): CONFIG_NF_TABLES_SET CONFIG_NFT_SET_RBTREE CONFIG_NFT_SET_HASH CONFIG_NFT_SET_BITMAP Kind regards, Patryk Sondej Piotr Krysiuk View attachment "README.md" of type "text/markdown" (10101 bytes) View attachment "EXPLOIT.md" of type "text/markdown" (4022 bytes) View attachment "exploit.c" of type "text/x-csrc" (62791 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.