Categories: Cyber Security News

PoC Exploit Released for Critical nftables Vulnerability in Linux Kernel

A vulnerability (CVE-2024-26809) in the Linux kernel's netfilter subsystem allows a local attacker to escalate privileges through a double free in nft_set_pipapo, the "pipapo" set backend nftables uses for sets of concatenated ranges.

The published exploit leverages improper cleanup of pipapo set elements when a set that still holds uncommitted (dirty) changes is destroyed, and turns the resulting double free into arbitrary code execution.

Reaching the bug requires the ability to issue nftables commands, i.e. CAP_NET_ADMIN in some network namespace. On kernels that allow unprivileged user namespaces (the default on most distributions), any local user can obtain that capability in a namespace of their own, so the bug is reachable without any pre-existing privilege.

Below is a technical breakdown of the vulnerability and its exploitation.

Vulnerability Overview

The flaw resides in nft_pipapo_destroy(), which releases a pipapo set and its elements. When the set is dirty (it has modifications in its clone that have not been committed), the function destroys the elements reachable from the active match object and then, because of the dirty flag, the elements reachable from the clone as well. The clone is a copy of the active match plus the uncommitted changes, so every element that was already part of the active set is destroyed twice.

This occurs because:

  • Commit/Abort Logic: Pipapo sets use a clone mechanism for transactional updates: insertions and deletions go into the clone, a commit swaps the clone in as the new active match, and an abort discards it. Uncommitted elements that exist only in the clone have to be released somewhere, but the destroy path released the elements of both the active match and the clone, even though the two share every committed element.
  • Patch Analysis: The fix removes the conditional on priv->dirty and releases elements from the clone alone whenever a clone exists (the clone already provides the current view of the set), so each element is destroyed exactly once.
```c
// Vulnerable code snippet (pre-patch), from nft_pipapo_destroy(): at this
// point the elements reachable from priv->match have already been destroyed.
if (priv->dirty)
    nft_set_pipapo_match_destroy(ctx, set, m);  // m == priv->clone: committed elements are freed a second time
```
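To make the ownership problem concrete, here is an added user-space model of the commit/clone/destroy logic; it is example code written for this page, not code from the article, the PoC or the kernel. The structure and function names (struct match, pipapo_insert, destroy_vulnerable, destroy_fixed, run_scenario) are assumptions chosen to mirror their kernel counterparts, and a destroy counter stands in for the real free() so the second destroy is counted rather than corrupting the heap. It runs the scenario the exploitation section describes (two committed elements, a third added but not committed, then the set is deleted) through both the pre-patch and the patched destroy logic.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_ELEMS 8

struct elem { int destroy_count; };  /* stands in for free(): the kernel would corrupt the slab on the 2nd call */

/* struct nft_pipapo_match reduced to the elements it references. */
struct match { struct elem *e[MAX_ELEMS]; int n; };

/* struct nft_pipapo reduced to: active table seen by the datapath, working
 * copy for the open transaction, and whether that copy has uncommitted changes. */
struct pipapo { struct match *match, *clone; int dirty; };

struct result { int double_destroyed; int leaked; };

static struct elem *all_elems[MAX_ELEMS]; static int n_all;  /* audit list of every element allocated */

static struct elem *elem_new(void)
{
    struct elem *e = calloc(1, sizeof(*e));
    all_elems[n_all++] = e;
    return e;
}

/* pipapo_clone(): copies the pointers, so match and clone share elements. */
static struct match *match_clone(const struct match *m)
{
    struct match *c = calloc(1, sizeof(*c));
    *c = *m;
    return c;
}

/* nft_set_pipapo_match_destroy(): destroy every element reachable from m. */
static void match_destroy_elems(struct match *m)
{
    for (int i = 0; i < m->n; i++)
        m->e[i]->destroy_count++;
}

static void pipapo_insert(struct pipapo *p, struct elem *e)
{
    p->clone->e[p->clone->n++] = e;  /* inserts land in the clone only */
    p->dirty = 1;
}

static void pipapo_commit(struct pipapo *p)
{
    struct match *old = p->match;
    p->match = p->clone;               /* clone becomes the active table */
    p->clone = match_clone(p->match);  /* fresh copy for the next transaction */
    p->dirty = 0;
    free(old);
}

/* Pre-patch nft_pipapo_destroy(): releases from the active match and then, if dirty, from the clone too. */
static void destroy_vulnerable(struct pipapo *p)
{
    match_destroy_elems(p->match);
    if (p->clone) {
        if (p->dirty)
            match_destroy_elems(p->clone);  /* shared elements go a second time */
        free(p->clone);
    }
    free(p->match);
}

/* Patched nft_pipapo_destroy(): the clone already holds the current view, so
 * elements are released from it alone (from the match only if no clone exists). */
static void destroy_fixed(struct pipapo *p)
{
    match_destroy_elems(p->clone ? p->clone : p->match);
    free(p->clone);
    free(p->match);
}

/* The article's scenario: commit B and C, add D without committing (set is dirty), delete the set. */
static struct result run_scenario(void (*destroy)(struct pipapo *))
{
    struct pipapo p = {0};
    struct result r = {0, 0};
    n_all = 0;
    p.match = calloc(1, sizeof(*p.match));
    p.clone = match_clone(p.match);
    pipapo_insert(&p, elem_new());   /* B */
    pipapo_insert(&p, elem_new());   /* C */
    pipapo_commit(&p);               /* B and C referenced by both match and clone */
    pipapo_insert(&p, elem_new());   /* D, uncommitted */
    destroy(&p);

    for (int i = 0; i < n_all; i++) {
        if (all_elems[i]->destroy_count > 1)
            r.double_destroyed++;
        if (all_elems[i]->destroy_count == 0)
            r.leaked++;
        free(all_elems[i]);
    }
    return r;
}

int main(void)
{
    struct result v = run_scenario(destroy_vulnerable), f = run_scenario(destroy_fixed);
    printf("vulnerable: %d double-destroyed, %d leaked\nfixed: %d double-destroyed, %d leaked\n",
           v.double_destroyed, v.leaked, f.double_destroyed, f.leaked);
    return 0;
}
```

The vulnerable path reports two double-destroyed elements (B and C, the committed ones that match and clone share) and the patched path reports none, with nothing leaked in either case: the uncommitted element D is still released because the clone, not the active match, is the complete view of the set at destroy time.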

Exploitation Workflow

Attackers trigger the vulnerability by manipulating pipapo set transactions:

  1. Heap Primitive Setup:
    • Create a pipapo set and add two elements (B and C), arranged so that their allocations are not adjacent on the heap.
    • In a single netlink batch, add a third element (which leaves the set dirty) and delete the set, so that nft_pipapo_destroy() runs while the clone still holds the uncommitted change and frees B and C twice.
```c
// Trigger code outline (the helpers are the PoC's own wrappers around nftables netlink messages)
msg_list[0] = new_setelem_msg(...);  // Add element D: the clone is now dirty
msg_list[1] = del_set_msg(...);      // Delete the set, invoking nft_pipapo_destroy()
send_msg_list(socket, msg_list, 2);  // Same batch: elements B and C are freed twice
```
  2. Heap Feng Shui:
    • Reclaim the freed memory with nft_table objects carrying attacker-controlled user data (NFTA_TABLE_USERDATA), creating overlapping objects.
    • Leak kernel pointers by abusing nft_expr structures and linked-list metadata (e.g., nft_object->udata).
  3. ROP Chain Execution:
    • Overwrite nft_expr->ops->dump with a stack-pivot gadget (e.g., leave; ret).
    • Construct a ROP chain that escalates privileges and executes /bin/sh.
```c
// ROP payload example (the gadget address is specific to the target kernel build)
*(uint64_t *)&setelem_data[0x30] = kernel_off + 0xffffffff8112af10;  // pop rdi; ret
```

Technical Impact

  • Target Caches: The set element objects live in kmalloc-256, so that is the slab cache the exploit grooms.
  • Exploit Reliability: Precise heap manipulation is needed to avoid crashes; the PoC relies on the double free hitting two elements (B and C) rather than one to avoid an immediate kernel panic.
  • KASLR Bypass: A leaked nft_last_ops pointer (an address inside the kernel image) and self-referential nft_object list structures are used to compute the kernel base and bypass KASLR.

Mitigation and Patches

  • Kernel Versions: The fix has been backported to the affected stable branches. Update to a kernel that includes commit 212ed75dc5fb, and check your distribution's advisory for the exact package version.
  • CVSS Score: Rated 5.5 (Medium) because local access is required, but the outcome is local privilege escalation to root, which matters on any multi-user host, and especially on one that allows unprivileged user namespaces.
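Since the practical precondition for a local exploit is that an unprivileged user can create a user namespace (and with it the CAP_NET_ADMIN needed to talk to nftables), the following added check, written for this page rather than taken from the article, reads the sysctls that gate user namespace creation. The SYSCTL_ROOT variable is an assumption introduced so the function can be pointed at a constructed directory for testing; on a real host leave it unset. The Debian/Ubuntu-specific kernel.unprivileged_userns_clone and the Ubuntu kernel.apparmor_restrict_unprivileged_userns knobs are only consulted when present.

```shell
#!/bin/sh
# Prints "reachable" if unprivileged users on this host can create user
# namespaces (so nftables, and this bug, are reachable from an ordinary
# account), "restricted" otherwise. Returns 2 if the sysctl is unavailable.
userns_exposure() {
    root="${SYSCTL_ROOT:-/proc/sys}"                            # assumption: overridable for testing
    max="$root/user/max_user_namespaces"                        # generic limit; 0 disables creation
    clone="$root/kernel/unprivileged_userns_clone"              # Debian/Ubuntu knob, may be absent
    aa="$root/kernel/apparmor_restrict_unprivileged_userns"     # Ubuntu 23.10+ knob, may be absent

    [ -r "$max" ] || return 2

    if [ "$(cat "$max")" -eq 0 ]; then
        echo restricted; return 0
    fi
    if [ -r "$clone" ] && [ "$(cat "$clone")" -eq 0 ]; then
        echo restricted; return 0
    fi
    if [ -r "$aa" ] && [ "$(cat "$aa")" -eq 1 ]; then
        echo restricted; return 0
    fi
    echo reachable
    return 0
}

# Usage on a live host:
#   . ./userns_check.sh && userns_exposure
```

"restricted" does not mean the kernel is patched, only that the usual unprivileged route to the bug is closed; a process that already holds CAP_NET_ADMIN can still trigger it, so patching remains the fix.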

This exploit underscores the risk of ambiguous object ownership in transactional (clone-based) data structures inside kernel subsystems: when two views of the same data share pointers, the release path must decide which view owns them.

While patches are available, systems that have not been updated remain exposed to local privilege escalation.


The post PoC Exploit Released for Critical nftables Vulnerability in Linux Kernel appeared first on Cyber Security News.
