List:       oss-security
Subject:    Re: [oss-security] Linux Kernel use-after-free write in netfilter
From:       Solar Designer <solar () openwall ! com>
Date:       2022-08-25 13:20:21
Message-ID: 20220825132021.GA27469 () openwall ! com

On Tue, May 31, 2022 at 10:00:32AM +0100, EDG EDG wrote:
> A use-after-free write vulnerability was identified within the
> netfilter subsystem which can be exploited to achieve privilege
> escalation to root.
> 
> In order to trigger the issue it requires the ability to create user/net
> namespaces.
> 
> This issue has been fixed within the following commit:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/net/netfilter?id=520778042ccca019f3ffa136dd0ca565c486cedd
>  
> The issue was previously confirmed on the latest linux master (commit
> 143a6252e1b8ab424b4b293512a97cca7295c182) and we have confirmed it can be
> exploited for privilege escalation on Ubuntu 22.04 (Linux kernel
> 5.15.0-27-generic).
[...]
> # POC Code
[...]
> printf("should have triggered KASAN\n");

While the message above included PoC code, there's now also a blog post
and GitHub repo with a full exploit:

https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
https://github.com/theori-io/CVE-2022-32250-exploit

"In this post, we have shown the process of exploiting CVE-2022-32250.
We were able to leak KASLR and overwrite modprobe_path by utilizing the
mqueue functions, and as a result, we successfully gained root
privileges in Ubuntu 22.04."

Alexander
