oss-sec mailing list archives
[CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory
From: Piotr Krysiuk <piotras () gmail com>
Date: Mon, 8 May 2023 16:58:20 +0100
An issue has been discovered in the Linux kernel that can be abused by unprivileged local users to escalate privileges. The issue is about Netfilter nf_tables accepting some invalid updates to its configuration. Netfilter nf_tables allows updating its configuration with batch requests that group multiple basic operations into atomic transactions. In a specific scenario, an invalid batch request may contain an operation that implicitly deletes an existing nft anonymous set followed by another operation that attempts to act on the same nft anonymous set after it is deleted. In the above scenario, one example of the former operation is to delete an existing nft rule that uses an nft anonymous set. And an example of the latter operation is an attempt to delete an element from that nft anonymous set after the set gets deleted. Alternatively, the latter operation could even attempt to explicitly delete that nft anonymous set again. In the discussed scenario, Netfilter nf_tables fails to reject invalid batch request and then it corrupts its own internal state when committing the latter operation. The issue has been reproduced against multiple Linux kernel releases, including Linux 6.3.1 (current stable). We developed an exploit that allows unprivileged local users to start a root shell by abusing the above issue. That exploit was shared privately with <security () kernel org> to assist with fix development. Somebody from the Linux kernel team then emailed the proposed fix to <linux-distros () vs openwall org> and that email also included a link to download our description of exploitation techniques and our exploit source code. Therefore, according to the linux-distros list policy, the exploit must be published within 7 days from this advisory. In order to comply with that policy, I intend to publish both the description of exploitation techniques and also the exploit source code on Monday 15th by email to this list. The fix is available from mainline kernel git repository: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=c1592a89942e9678f7d9c8030efa777c0d57edab # Discoverers Patryk Sondej <patryk.sondej () gmail com> Piotr Krysiuk <piotras () gmail com> # References CVE-2023-32233 (reserved via https://cveform.mitre.org/)
Current thread:
- [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory Piotr Krysiuk (May 08)