oss-sec logo

oss-sec
mailing list archives


From: Piotr Krysiuk

Date: Mon, 8 May 2023 16:58:20 +0100


An issue has been discovered in the Linux kernel that can be abused by
unprivileged local users to escalate privileges.

The issue is about Netfilter nf_tables accepting some invalid updates
to its configuration.

Netfilter nf_tables allows updating its configuration with batch
requests that group multiple basic operations into atomic transactions.
In a specific scenario, an invalid batch request may contain an
operation that implicitly deletes an existing nft anonymous set
followed by another operation that attempts to act on the same nft
anonymous set after it is deleted. In the above scenario, one example
of the former operation is to delete an existing nft rule that uses an
nft anonymous set. And an example of the latter operation is an attempt
to delete an element from that nft anonymous set after the set gets
deleted. Alternatively, the latter operation could even attempt to
explicitly delete that nft anonymous set again. In the discussed
scenario, Netfilter nf_tables fails to reject invalid batch request and
then it corrupts its own internal state when committing the latter
operation.

The issue has been reproduced against multiple Linux kernel releases,
including Linux 6.3.1 (current stable).

We developed an exploit that allows unprivileged local users to start a
root shell by abusing the above issue. That exploit was shared
privately with  to assist with fix development.
Somebody from the Linux kernel team then emailed the proposed fix to
 and that email also included a link to
download our description of exploitation techniques and our exploit
source code.

Therefore, according to the linux-distros list policy, the exploit must
be published within 7 days from this advisory. In order to comply with
that policy, I intend to publish both the description of exploitation
techniques and also the exploit source code on Monday 15th by email to
this list.

The fix is available from mainline kernel git repository:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=c1592a89942e9678f7d9c8030efa777c0d57edab

# Discoverers

Patryk Sondej 
Piotr Krysiuk 

# References

CVE-2023-32233 (reserved via https://cveform.mitre.org/)


Current thread:

  • [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory Piotr Krysiuk (May 08)

Read More