Message-ID: <CAFzhf4q5uSF6PawxyD6BtRgLTWdXroPVhppEFnfp4v+QjWBFxQ@mail.gmail.com>
Date: Mon, 15 May 2023 20:13:55 +0100
From: Piotr Krysiuk <piotras@...il.com>
To: oss-security@...ts.openwall.com
Cc: Patryk Sondej <patryk.sondej@...il.com>
Subject: Re: [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory

On Mon, May 8, 2023 at 4:58 PM Piotr Krysiuk <piotras@...il.com> wrote:
> Therefore, according to the linux-distros list policy, the exploit must
> be published within 7 days from this advisory. In order to comply with
> that policy, I intend to publish both the description of exploitation
> techniques and also the exploit source code on Monday 15th by email to
> this list.

Per the announcement above, we are publishing the description of exploitation techniques and also the exploit source code as attachments to this email.

The attached instructions have been tested against Ubuntu 23.04 Desktop for amd64. However, the vulnerability is not limited to Ubuntu. The affected code originates from the upstream Linux kernel from https://kernel.org/ and we confirmed that exploitation is possible against some other popular distributions.

# Affected Configurations

The following describes the minimum set of configurations where the bug is exploitable. The attached exploit adds a few additional dependencies. However, an alternative exploitation method could be developed that avoids those additional dependencies.

The capability CAP_NET_ADMIN over the network namespace is required in order to exploit the vulnerability. A well-known technique to obtain that capability is by creating a new user/network namespace.

In the case of the current stable and longterm Linux kernels from https://kernel.org/, an unprivileged local user can create such a namespace when the following configuration option is enabled explicitly on top of `x86_64_defconfig`:

CONFIG_USER_NS

For these kernels, Netfilter nf_tables is also disabled by default and the following configuration option must be set explicitly to compile it:

CONFIG_NF_TABLES

And then at least one of the families must also be enabled:

CONFIG_NF_TABLES_INET
CONFIG_NF_TABLES_IPV4
CONFIG_NF_TABLES_ARP
CONFIG_NF_TABLES_NETDEV
CONFIG_NF_TABLES_BRIDGE
CONFIG_NF_TABLES_IPV6

For certain older kernels, `nft_set` functionality is disabled by default and one of the following configuration options must be set explicitly for any such system to be affected (depending on release):

CONFIG_NF_TABLES_SET
CONFIG_NFT_SET_RBTREE
CONFIG_NFT_SET_HASH
CONFIG_NFT_SET_BITMAP

Kind regards,
Patryk Sondej
Piotr Krysiuk

View attachment "README.md" of type "text/markdown" (10101 bytes)
View attachment "EXPLOIT.md" of type "text/markdown" (4022 bytes)
View attachment "exploit.c" of type "text/x-csrc" (62791 bytes)
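The "Affected Configurations" section above is effectively a checklist a defender can run against a kernel build. The script below is an added example (not part of the advisory, its attachments, or the exploit) that applies that checklist to a kernel `.config`: it requires CONFIG_USER_NS, CONFIG_NF_TABLES built in or as a module, and at least one of the listed nf_tables families, and it reports the older-kernel `nft_set` options for information only, since the advisory says whether they matter depends on the release. The config locations (`/boot/config-$(uname -r)`, `/proc/config.gz`) and the runtime sysctl names (`user.max_user_namespaces` upstream, `kernel.unprivileged_userns_clone` on Debian/Ubuntu kernels) are assumptions about common distributions, not something the advisory states.

```shell
#!/bin/sh
# Added example, not from the advisory: check a kernel .config against the
# minimum set of options listed under "Affected Configurations".

# cfg_enabled FILE SYMBOL -> exit 0 if SYMBOL=y or SYMBOL=m in FILE
cfg_enabled() {
    grep -q -E "^$2=(y|m)$" "$1"
}

NFT_FAMILIES="CONFIG_NF_TABLES_INET CONFIG_NF_TABLES_IPV4 CONFIG_NF_TABLES_ARP \
CONFIG_NF_TABLES_NETDEV CONFIG_NF_TABLES_BRIDGE CONFIG_NF_TABLES_IPV6"
# Only required on certain older kernels (per the advisory); reported, not required.
NFT_SET_OPTS="CONFIG_NF_TABLES_SET CONFIG_NFT_SET_RBTREE CONFIG_NFT_SET_HASH CONFIG_NFT_SET_BITMAP"

# config_exposed FILE -> prints a one-line verdict; exit 0 when the minimum
# set from the advisory is satisfied, 1 otherwise (with the failing option).
config_exposed() {
    cfg="$1"
    if ! cfg_enabled "$cfg" CONFIG_USER_NS; then
        echo "not-exposed: CONFIG_USER_NS is off (unprivileged userns route unavailable)"
        return 1
    fi
    if ! cfg_enabled "$cfg" CONFIG_NF_TABLES; then
        echo "not-exposed: CONFIG_NF_TABLES is off"
        return 1
    fi
    fam=""
    for f in $NFT_FAMILIES; do
        if cfg_enabled "$cfg" "$f"; then fam="$fam $f"; fi
    done
    if [ -z "$fam" ]; then
        echo "not-exposed: no nf_tables family enabled"
        return 1
    fi
    sets=""
    for s in $NFT_SET_OPTS; do
        if cfg_enabled "$cfg" "$s"; then sets="$sets $s"; fi
    done
    if [ -z "$sets" ]; then
        sets=" none (only required on certain older kernels)"
    fi
    echo "exposed: families:$fam; nft_set options:$sets"
    return 0
}

# find_running_config -> prints a readable path to the running kernel's
# config (assumed locations), exit 1 if none is available.
find_running_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && echo "$tmp"
    else
        return 1
    fi
}

# userns_sysctl_notes -> prints runtime knobs that can close the unprivileged
# user-namespace route even when CONFIG_USER_NS=y. Knob names are assumptions:
# user.max_user_namespaces is upstream, kernel.unprivileged_userns_clone is a
# Debian/Ubuntu kernel patch. A value of 0 blocks unprivileged creation.
userns_sysctl_notes() {
    for knob in user/max_user_namespaces kernel/unprivileged_userns_clone; do
        if [ -r "/proc/sys/$knob" ]; then
            echo "sysctl $(echo "$knob" | tr / .) = $(cat "/proc/sys/$knob") (0 blocks unprivileged user namespaces)"
        fi
    done
}

# Stand-alone usage: inspect the running kernel; skips quietly if no config is readable.
main() {
    cfg=$(find_running_config) || { echo "no readable kernel config found"; return 0; }
    config_exposed "$cfg" || true
    userns_sysctl_notes
}
main
```

Run it as an unprivileged user on the host in question; a "not-exposed" verdict from the config check, or a 0 from either sysctl, means the specific route the advisory describes (unprivileged user namespace, then nf_tables) is closed, but it says nothing about a process that already holds CAP_NET_ADMIN, which the advisory identifies as the actual requirement.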