[HN Gopher] Linux kernel use-after-free in Netfilter, local privilege escalation
___________________________________________________________________
Linux kernel use-after-free in Netfilter, local privilege escalation
Author : kuizu
Score  : 49 points
Date   : 2023-05-09 20:02 UTC (2 hours ago)
web link (seclists.org)
w3m dump (seclists.org)

| knorker wrote:
| > delete an existing nft rule that uses an nft anonymous set. And
| > an example of the latter operation is an attempt to delete an
| > element from that nft anonymous set after the set gets deleted
|
| I'd be very interested to hear how this can be done by an
| unprivileged user.
|
| Try to race set add/removals, sure, but if it depends on the set
| itself getting deleted, that seems... harder.
| | 0x006A wrote:
| | On https://bugzilla.redhat.com/show_bug.cgi?id=2196105 a
| | comment suggests that it might only be possible if you have
| | "unprivileged user namespaces" enabled.
| | | pizzalife wrote:
| | | > a comment suggests that it might only be possible if you
| | | > have "unprivileged user namespaces" enabled
| | |
| | | Which is the default on Ubuntu.
| l33tman wrote:
| "We developed an exploit that allows unprivileged local users to
| start a root shell by abusing the above issue. That exploit was
| shared privately with <security () kernel org> to assist with fix
| development. Somebody from the Linux kernel team then emailed the
| proposed fix to <linux-distros () vs openwall org> and that email
| also included a link to download our description of exploitation
| techniques and our exploit source code.
|
| Therefore, according to the linux-distros list policy, the
| exploit must be published within 7 days from this advisory. In
| order to comply with that policy, I intend to publish both the
| description of exploitation techniques and also the exploit
| source code on Monday 15th by email to this list."
|
| Interesting... they didn't write what conditions have to be met
| for it to be exploitable.
| Also interesting that someone screwed up and accidentally
| forwarded an email including the exploit to a broad mailing
| list...
|
| Part of the nf modules are active if you have iptables, which you
| have if you run ufw (for example), so pretty broad exploit if
| that's all that's required, but the specific module in question
| in the patch, nf_tables, is not loaded on my Ubuntu 20.04LTS 5.40
| kernel running iptables/ufw at least.
| | hsbauauvhabzb wrote:
| | What's actually reasonable here? I'm all for exploit code
| | becoming public eventually, but I think it's silly to drop it
| | immediately after a fix has been released, or before, in almost
| | all scenarios (unless there's been 90+ days or the issue is
| | marked as wontfix).
| | candiddevmike wrote:
| | What a dumb policy. Why have the disclosure time be so soon?
| | This thing will be in the wild before folks can upgrade, if I'm
| | understanding this correctly.
| | pizzalife wrote:
| | > but the specific module in question in the patch, nf_tables,
| | > is not loaded on my Ubuntu 20.04LTS 5.40 kernel running
| | > iptables/ufw at least
| |
| | This doesn't matter since Linux has autoloading of most network
| | modules, and you can cause the modules to be loaded on Ubuntu
| | since it supports unprivileged user/net namespaces.
| |
| |   ubuntu:~% grep DISTRIB_DESCRIPTION /etc/lsb-release
| |   DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
| |   ubuntu:~% lsmod|grep nf_table
| |   ubuntu:~% unshare -U -m -n -r
| |   ubuntu:~% nft add table inet filter
| |   ubuntu:~% lsmod|grep nf_table
| |   nf_tables 249856 0
| | | thelastparadise wrote:
| | | I don't think the bug itself is newsworthy. The existence of
| | | the exploit code, and the way that it was accidentally
| | | published, I think are.
| | | | pizzalife wrote:
| | | | It's exploitable by an unprivileged user on the most popular
| | | | distro out there (Ubuntu). I would say it's newsworthy.
| alex14fr wrote:
| Glad to have stuck with the good old iptables and left
| CONFIG_NF_TABLES unset in kernel configuration.
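pizzalife's demonstration above shows the two preconditions a defender cares about: whether nf_tables is already loaded, and whether an unprivileged user can create the user/net namespace that triggers its autoload. The script below is an added example, not code from the thread or from any commenter; it reads the Debian/Ubuntu-specific kernel.unprivileged_userns_clone sysctl (absent on upstream kernels), the upstream user.max_user_namespaces sysctl, and /proc/modules, and classifies the host. The classify function takes those three values as arguments so it can be exercised on constructed input; the labels LOADED, RESTRICTED, AUTOLOADABLE and UNKNOWN are this example's own naming.

```shell
#!/bin/sh
# Added example (not from the thread): classify a host's exposure to the
# unprivileged nf_tables autoload path discussed above.
#
# classify ARGS:
#   $1  kernel.unprivileged_userns_clone value (Debian/Ubuntu sysctl; pass
#       "unknown" when /proc/sys/kernel/unprivileged_userns_clone is absent)
#   $2  user.max_user_namespaces value (upstream sysctl; "unknown" if unreadable)
#   $3  text of /proc/modules (same first column as lsmod output)
#
# Labels (names chosen for this example, not kernel terminology):
#   LOADED        nf_tables is already loaded; namespace settings are moot
#   RESTRICTED    unprivileged users cannot create user namespaces, so they
#                 cannot reach the autoload path (CAP_NET_ADMIN holders still can)
#   AUTOLOADABLE  user namespaces permitted and nf_tables not loaded yet
#   UNKNOWN       neither sysctl could be read, so no conclusion
classify() {
    userns_clone=$1
    max_userns=$2
    modules=$3

    # Match the module name as the first field; the trailing whitespace
    # keeps nf_tables_set (present on older kernels) from matching.
    if printf '%s\n' "$modules" | grep -q '^nf_tables[[:space:]]'; then
        echo LOADED
        return 0
    fi
    if [ "$userns_clone" = "0" ] || [ "$max_userns" = "0" ]; then
        echo RESTRICTED
        return 0
    fi
    if [ "$userns_clone" = "unknown" ] && [ "$max_userns" = "unknown" ]; then
        echo UNKNOWN
        return 0
    fi
    echo AUTOLOADABLE
}

# Read a sysctl file, printing "unknown" when it does not exist (e.g. the
# unprivileged_userns_clone knob on kernels without the Debian patch).
read_sysctl() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo unknown
    fi
}

# Collect the live values from this host and classify them.
report_host() {
    classify "$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)" \
             "$(read_sysctl /proc/sys/user/max_user_namespaces)" \
             "$(cat /proc/modules 2>/dev/null || true)"
}

report_host
```

A host reporting AUTOLOADABLE is in the state pizzalife shows for Ubuntu 22.04; setting kernel.unprivileged_userns_clone=0 (where that knob exists) or user.max_user_namespaces=0 moves it to RESTRICTED at the cost of breaking anything that relies on rootless namespaces, and a host already at LOADED gains nothing from either knob. Both are stopgaps; the kernel update is the fix.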
| | sam_lowry_ wrote:
| | Aren't iptables just an emulation layer on top of netfilter?
| | | TechBro8615 wrote:
| | | Yes, AFAIU (not an expert), iptables and nftables are two
| | | command line tools and abstractions (chains vs. tables) for
| | | interacting with the same underlying netfilter API.
| | | | nubinetwork wrote:
| | | | I believe at one time they were two separate subsystems,
| | | | but they got merged in 4.x or 5.x.
| | | eikenberry wrote:
| | | Probably depends on the distro. Iptables is a wrapper around
| | | nftables in most distros, but probably not all.
___________________________________________________________________
(page generated 2023-05-09 23:00 UTC)