[HN Gopher] Linux kernel use-after-free in Netfilter, local priv...
       ___________________________________________________________________
        
       Linux kernel use-after-free in Netfilter, local privilege
       escalation
        
       Author : kuizu
       Score  : 49 points
       Date   : 2023-05-09 20:02 UTC (2 hours ago)
        
 (HTM) web link (seclists.org)
 (TXT) w3m dump (seclists.org)
        
       | knorker wrote:
       | > delete an existing nft rule that uses an nft anonymous set. And
       | an example of the latter operation is an attempt to delete an
       | element from that nft anonymous set after the set gets deleted
       | 
       | I'd be very interested to hear how this can be done by an
       | unprivileged user.
       | 
       | Try to race set add/removals, sure, but if it depends on the set
       | itself getting deleted, that seems... harder.
        
         | 0x006A wrote:
         | on https://bugzilla.redhat.com/show_bug.cgi?id=2196105 a
         | comment suggests that it might only be possible if you have
         | "unprivileged user namespaces" enabled
        
           | pizzalife wrote:
           | >a comment suggests that it might only be possible if you
           | have "unprivileged user namespaces" enabled
           | 
           | Which is the default on Ubuntu.
        
       | l33tman wrote:
       | "We developed an exploit that allows unprivileged local users to
       | start a root shell by abusing the above issue. That exploit was
       | shared privately with <security () kernel org> to assist with fix
       | development. Somebody from the Linux kernel team then emailed the
       | proposed fix to <linux-distros () vs openwall org> and that email
       | also included a link to download our description of exploitation
       | techniques and our exploit source code.
       | 
       | Therefore, according to the linux-distros list policy, the
       | exploit must be published within 7 days from this advisory. In
       | order to comply with that policy, I intend to publish both the
       | description of exploitation techniques and also the exploit
       | source code on Monday 15th by email to this list."
       | 
       | Interesting.. they didn't write what conditions have to be met
       | for it to be exploitable. Also interesting that someone screwed
       | up and accidentally forwarded an email including the exploit to a
       | broad mailing list...
       | 
       | Part of the nf modules are active if you have iptables, which you
       | have if you run ufw (for example), so pretty broad exploit if
       | that's all that's required, but the specific module in question
       | in the patch, nf_tables, is not loaded on my Ubuntu 20.04LTS 5.40
       | kernel running iptables/ufw at least.
        
         | hsbauauvhabzb wrote:
         | What's actually reasonable here. I'm all for exploit code
         | becoming public eventually, but I think it's silly to drop it
         | immediately after a fix has been released, or before, in almost
         | all scenarios (unless there's been 90+ days or the issue marked
         | as wontfix)
        
         | candiddevmike wrote:
         | What a dumb policy. Why have the disclosure time be so soon?
         | This thing will be in the wild before folks can upgrade if I'm
         | understanding this correctly.
        
         | pizzalife wrote:
         | > but the specific module in question in the patch, nf_tables,
         | is not loaded on my Ubuntu 20.04LTS 5.40 kernel running
         | iptables/ufw at least
         | 
         | This doesn't matter since Linux has autoloading of most network
         | modules, and you can cause the modules to be loaded on Ubuntu
         | since it supports unprivileged user/net namespaces.
          | 
          | ubuntu:~% grep DISTRIB_DESCRIPTION /etc/lsb-release
          | DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
          | ubuntu:~% lsmod|grep nf_table
          | ubuntu:~% unshare -U -m -n -r
          | ubuntu:~% nft add table inet filter
          | ubuntu:~% lsmod|grep nf_table
          | nf_tables             249856  0
        
         | thelastparadise wrote:
         | I don't think the bug itself is newsworthy. The existence of
         | the exploit code, and the way that it was accidentally
         | published, I think are.
        
           | pizzalife wrote:
           | It's exploitable by an unprivileged user on the most popular
           | distro out there (Ubuntu). I would say it's newsworthy.
        
       | alex14fr wrote:
        | Glad to have stuck with the good old iptables and left
        | CONFIG_NF_TABLES unset in kernel configuration.
        
         | sam_lowry_ wrote:
         | Aren't iptables just an emulation layer on top of netfilter?
        
           | TechBro8615 wrote:
           | Yes, AFAIU (not an expert), iptables and nftables are two
           | command line tools and abstractions (chains vs. tables) for
           | interacting with the same underlying netfilter API.
        
             | nubinetwork wrote:
             | I believe at one time they were two separate subsystems,
             | but they got merged in 4.x or 5.x
        
           | eikenberry wrote:
           | Probably depends on the distro. Iptables is a wrapper around
           | nftables in most distros, but probably not all.
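
        The script below is an added triage example, not code from the
        thread, the advisory or any of the commenters. It turns two of the
        questions above into host checks: pizzalife's point that unprivileged
        user/net namespaces let a local user pull nf_tables in through module
        autoload (the unshare -U -m -n -r / nft add table demo), and the
        iptables-vs-nftables subthread, since an "iptables (nf_tables)" build
        already drives the same nf_tables module. It loads nothing itself.
        Assumptions: Debian/Ubuntu kernels expose
        /proc/sys/kernel/unprivileged_userns_clone while upstream kernels only
        have /proc/sys/user/max_user_namespaces; seccomp, AppArmor and other
        LSM restrictions on unshare(2) are not modelled; the lsmod and
        iptables -V lines used to exercise the parsing functions are
        constructed.

```shell
#!/bin/sh
# Added triage script (not from the thread or the advisory). Answers:
#  1. can an unprivileged user create a user namespace here (and so reach
#     nf_tables via autoload), 2. is nf_tables loaded/built in/installed,
#  3. is the iptables binary the nf_tables-backed build.
# Assumption: Debian/Ubuntu kernels expose kernel.unprivileged_userns_clone;
# upstream kernels only user.max_user_namespaces. seccomp/AppArmor/LSM
# restrictions on unshare(2) are not modelled.

# $1 = value of kernel.unprivileged_userns_clone ("" when the knob is absent)
# $2 = value of user.max_user_namespaces ("" when absent)
# Prints yes/no; returns 0 when an unprivileged user can create a user ns.
userns_usable() {
    clone="$1"
    maxns="$2"
    # Debian/Ubuntu knob: 0 makes CLONE_NEWUSER require CAP_SYS_ADMIN.
    if [ -n "$clone" ] && [ "$clone" -eq 0 ]; then
        echo no
        return 1
    fi
    # Upstream limit: 0 forbids creating user namespaces at all.
    if [ -n "$maxns" ] && [ "$maxns" -eq 0 ]; then
        echo no
        return 1
    fi
    echo yes
    return 0
}

# $1 = lsmod output, $2 = module name. Returns 0 when the module is listed.
# Built-in (=y) modules never appear in lsmod; nf_tables_state covers those.
module_listed() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# $1 = output of "iptables -V". Prints nf_tables, legacy or unknown.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Classify nf_tables for the running kernel from lsmod and the module index.
nf_tables_state() {
    moddir="/lib/modules/$(uname -r)"
    if module_listed "$(lsmod 2>/dev/null)" nf_tables; then
        echo loaded
    elif grep -qs '/nf_tables\.ko' "$moddir/modules.builtin"; then
        echo 'built in'
    elif grep -qs '/nf_tables\.ko' "$moddir/modules.dep"; then
        echo 'installed but not loaded (autoloads on first nftables netlink request)'
    else
        echo 'not in module index (CONFIG_NF_TABLES unset, or no module tree for this kernel)'
    fi
}

# Live report for this host; reads sysfs/procfs only.
check_host() {
    clone=""
    [ -r /proc/sys/kernel/unprivileged_userns_clone ] && clone=$(cat /proc/sys/kernel/unprivileged_userns_clone)
    maxns=""
    [ -r /proc/sys/user/max_user_namespaces ] && maxns=$(cat /proc/sys/user/max_user_namespaces)
    echo "unprivileged user namespaces: $(userns_usable "$clone" "$maxns")"
    echo "nf_tables:                    $(nf_tables_state)"
    echo "iptables backend:             $(iptables_backend "$(iptables -V 2>/dev/null)")"
}

check_host
```

        Run it as the ordinary user you are worried about, not as root. A
        "yes" on the first line together with "installed but not loaded" on
        the second is exactly the situation in pizzalife's demo: nothing is
        loaded until someone asks for it, and an unprivileged namespace is
        enough to ask. Ubuntu 22.04 ships kernel.unprivileged_userns_clone=1,
        so the first line reads "yes" there by default.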
        
       ___________________________________________________________________
       (page generated 2023-05-09 23:00 UTC)