Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAFzhf4oH6POgqz3r_VSuVc1ZGOZmkKG4cJ0ZuFPm-pwmfLj0yw@mail.gmail.com>
Date: Mon, 8 May 2023 16:58:20 +0100
From: Piotr Krysiuk <piotras@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables
 when processing batch requests can be abused to perform arbitrary reads and
 writes in kernel memory

An issue has been discovered in the Linux kernel that can be abused by
unprivileged local users to escalate privileges.

The issue is about Netfilter nf_tables accepting some invalid updates
to its configuration.

Netfilter nf_tables allows updating its configuration with batch
requests that group multiple basic operations into atomic transactions.
In a specific scenario, an invalid batch request may contain an
operation that implicitly deletes an existing nft anonymous set
followed by another operation that attempts to act on the same nft
anonymous set after it is deleted. In the above scenario, one example
of the former operation is to delete an existing nft rule that uses an
nft anonymous set. And an example of the latter operation is an attempt
to delete an element from that nft anonymous set after the set gets
deleted. Alternatively, the latter operation could even attempt to
explicitly delete that nft anonymous set again. In the discussed
scenario, Netfilter nf_tables fails to reject invalid batch request and
then it corrupts its own internal state when committing the latter
operation.

The issue has been reproduced against multiple Linux kernel releases,
including Linux 6.3.1 (current stable).

We developed an exploit that allows unprivileged local users to start a
root shell by abusing the above issue. That exploit was shared
privately with <security@...nel.org> to assist with fix development.
Somebody from the Linux kernel team then emailed the proposed fix to
<linux-distros@...openwall.org> and that email also included a link to
download our description of exploitation techniques and our exploit
source code.

Therefore, according to the linux-distros list policy, the exploit must
be published within 7 days from this advisory. In order to comply with
that policy, I intend to publish both the description of exploitation
techniques and also the exploit source code on Monday 15th by email to
this list.

The fix is available from mainline kernel git repository:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=c1592a89942e9678f7d9c8030efa777c0d57edab

# Discoverers

Patryk Sondej <patryk.sondej@...il.com>
Piotr Krysiuk <piotras@...il.com>

# References

CVE-2023-32233 (reserved via https://cveform.mitre.org/)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.