nft_set_pipapo module. This exploit leverages improper cleanup of pipapo set elements during transaction aborts, turning a kernel double-free into arbitrary kernel code execution and local privilege escalation.
Below is a technical breakdown of the vulnerability and its exploitation.
The flaw resides in nft_pipapo_destroy(), which tears down a pipapo set and its elements. When a set is marked dirty (modified but uncommitted), the function frees elements from both the active match object and its clone. Because the clone is created by copying the active match's mapping tables, both tables point at the same element objects, so every shared element is released twice: a double-free.
This occurs because the destroy path treats the match and the clone as if they owned disjoint elements, when in fact the clone is a copy of the match plus any pending changes. The fix releases elements from the clone only in the destroy path, so each element is freed exactly once.

Vulnerable code snippet (pre-patch), from the clone branch of nft_pipapo_destroy():

```c
if (priv->dirty)
	nft_set_pipapo_match_destroy(ctx, set, m); // elements already released via priv->match; double-free if set->dead is set
```
Attackers trigger the vulnerability by manipulating pipapo set transactions: add an element to a pipapo set (marking it dirty) and delete the set in the same batch, triggering the double-free.

```c
// Trigger code outline (new_setelem_msg(), del_set_msg() and send_msg_list()
// are the PoC's helpers that build and batch nf_tables netlink messages)
msg_list[0] = new_setelem_msg(...); // NFT_MSG_NEWSETELEM: create element D, marking the set dirty
msg_list[1] = del_set_msg(...);     // NFT_MSG_DELSET: delete set, invoking nft_pipapo_destroy()
send_msg_list(socket, msg_list, 2); // both in one batch: trigger double-free
```
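The ownership mistake behind the destroy path above, and the new-element-then-delete-set sequence that reaches it, as an added userspace model. This is not the PoC's code or kernel code: pipapo_elem, pipapo_match, pipapo_set, pipapo_clone(), match_destroy(), destroy_vulnerable() and destroy_fixed() are simplified stand-ins for the kernel structures and functions, and releases are counted rather than passed to free() so the second walk shows up as a number instead of an abort.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define NELEMS    4   /* committed elements in the active match */
#define MAX_RULES 8   /* capacity of the toy mapping table */

/* Stand-in for nft_pipapo_elem: a set element plus a release counter. */
struct pipapo_elem { int key; int released; };

/* Stand-in for nft_pipapo_match: rules map to element pointers (f->mt[r].e). */
struct pipapo_match { struct pipapo_elem *mt[MAX_RULES]; size_t rules; };

/* Stand-in for nft_pipapo: active table, pending clone, dirty flag. */
struct pipapo_set { struct pipapo_match *match, *clone; bool dirty; };

/* Like pipapo_clone(): copies the mapping table, not the elements, so the
 * clone and the active match point at the same element objects. */
static struct pipapo_match *pipapo_clone(const struct pipapo_match *m)
{
	struct pipapo_match *c = malloc(sizeof(*c));
	if (c)
		memcpy(c, m, sizeof(*c));
	return c;
}

/* Like nft_set_pipapo_match_destroy(): release every element reachable from m.
 * The kernel kfree()s here; the model counts so a second walk stays visible. */
static void match_destroy(struct pipapo_match *m)
{
	for (size_t r = 0; r < m->rules; r++)
		m->mt[r]->released++;
}

/* Pre-patch shape of nft_pipapo_destroy(): walk the active match, then walk
 * the clone as well whenever the set is dirty. */
static void destroy_vulnerable(struct pipapo_set *priv)
{
	if (priv->match) {
		match_destroy(priv->match);
		free(priv->match);
		priv->match = NULL;
	}
	if (priv->clone) {
		if (priv->dirty)
			match_destroy(priv->clone); /* same pointers, released again */
		free(priv->clone);
		priv->clone = NULL;
	}
}

/* Patched shape: the clone already holds the current view of the table, so
 * elements are released from exactly one table. */
static void destroy_fixed(struct pipapo_set *priv)
{
	if (priv->clone) {
		match_destroy(priv->clone);
		free(priv->clone);
		priv->clone = NULL;
	} else {
		match_destroy(priv->match);
	}
	free(priv->match);
	priv->match = NULL;
}

/* Build a set with NELEMS committed elements plus one uncommitted insert (the
 * NEWSETELEM that makes it dirty), delete it (the DELSET in the same batch)
 * via the given destroy path, and return how many elements were released twice. */
static int count_double_releases(void (*destroy)(struct pipapo_set *))
{
	struct pipapo_elem elems[NELEMS + 1];
	struct pipapo_set priv = { .match = calloc(1, sizeof(struct pipapo_match)) };
	int doubles = 0;

	if (!priv.match)
		return -1;
	memset(elems, 0, sizeof(elems));
	for (size_t r = 0; r < NELEMS; r++) {
		elems[r].key = (int)r;
		priv.match->mt[r] = &elems[r];
	}
	priv.match->rules = NELEMS;
	priv.clone = pipapo_clone(priv.match);   /* pending insert lives in the clone */
	if (!priv.clone) {
		free(priv.match);
		return -1;
	}
	elems[NELEMS].key = NELEMS;
	priv.clone->mt[NELEMS] = &elems[NELEMS];
	priv.clone->rules = NELEMS + 1;
	priv.dirty = true;
	destroy(&priv);                          /* set deleted while dirty */
	for (size_t r = 0; r < NELEMS + 1; r++)
		if (elems[r].released > 1)
			doubles++;
	return doubles;
}
```

Running count_double_releases(destroy_vulnerable) reports NELEMS elements released twice (every element the clone inherited from the match), while destroy_fixed reports none and still releases the uncommitted element exactly once; in the kernel each extra release is a kfree() of an already-freed kmalloc object, which is what the exploit goes on to abuse.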
Heap shaping: the PoC sprays nft_table objects carrying controlled user data (NFTA_TABLE_USERDATA) into the kmalloc-256 cache used for setelem objects, creating allocations that overlap the freed element.

Information leaks: the overlapping objects expose nft_expr structures and linked-list metadata (e.g., nft_object->udata); nft_last_ops pointers and self-referential nft_object list structures are used to bypass KASLR.

Control-flow hijack: the exploit overwrites nft_expr->ops->dump with a gadget (e.g., leave; ret) to pivot the stack onto attacker-controlled data, where a ROP chain runs and ends by spawning /bin/sh.

ROP payload example, with the gadget address rebased by the recovered KASLR offset:

```c
*(uint64_t *)&setelem_data[0x30] = kernel_off + 0xffffffff8112af10; // pop rdi; ret
```

Upstream fix: commit 212ed75dc5fb.

This exploit underscores the risks of transactional memory management in kernel subsystems.
While patches are available, systems without updates remain vulnerable to local privilege escalation. Note that issuing nf_tables netlink commands requires CAP_NET_ADMIN in the caller's network namespace, which an unprivileged user namespace grants, so restricting unprivileged user namespace creation (user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on distributions that ship that sysctl) is the usual stop-gap where the kernel cannot be updated immediately.
The post PoC Exploit Released for Critical nftables Vulnerability in Linux Kernel appeared first on Cyber Security News.