Categories: Cyber Security News

PoC Exploit Released For Linux Kernel’s nftables Subsystem Vulnerability

A Proof-of-Concept (PoC) exploit has been released for a critical vulnerability in the Linux kernel’s nftables subsystem, tracked as CVE-2024-26809. 

This flaw, rooted in the kernel’s netfilter infrastructure, exposes affected systems to local privilege escalation through a sophisticated double-free attack. 

Security researchers, including the user “conlonialC,” have demonstrated how this bug can be weaponized to achieve root-level access, underscoring the urgency for system administrators to apply available patches.

Technical Overview of CVE-2024-26809

The vulnerability resides in the nftables subsystem, which is designed to replace legacy packet filtering frameworks like iptables and ip6tables. 

nftables relies on several core kernel components, including the nft_set_pipapo structure, to manage sets of filtering rules. 

The flaw specifically affects the nft_pipapo_destroy() function in the kernel’s net/netfilter source directory. 

Under certain conditions, this function may attempt to free the same memory region twice (a classic double-free scenario) when a set is marked as “dirty” and contains overlapping elements in both its “match” and “clone” representations.

The vulnerable code path can be summarized as follows:

Here, if the set is dirty, nft_set_pipapo_match_destroy() may be called twice on elements that exist in both “match” and “clone,” leading to a double-free condition.

Exploitation Process

The released PoC exploit, authored by conlonialC, meticulously demonstrates how to leverage this vulnerability for local privilege escalation. 

The attack begins with the creation of a pipapo set and the insertion of multiple elements to ensure the set is marked as dirty. 

The attacker then triggers the destruction of the set, causing the kernel to free the same set elements twice. This double-free corrupts the kernel’s heap, specifically targeting the kmalloc-256 object cache, which is commonly used for kernel object allocations.

By carefully orchestrating heap allocations and deallocations, the exploit achieves several advanced objectives:

  • Overlapping nftables objects in memory to enable address leaks.
  • Hijacking function pointers, such as expr->ops->dump, to redirect kernel execution flow.
  • Executing a Return-Oriented Programming (ROP) chain to escalate privileges and spawn a root shell.

A crucial part of the exploit involves manipulating the kernel’s internal data structures to gain control over the instruction pointer (RIP). 

The attacker crafts a fake nft_expr object and uses a ROP gadget to pivot the stack, ultimately executing arbitrary code in kernel context. 

The exploit’s reliability is enhanced by its ability to reclaim freed heap chunks and leak kernel addresses, bypassing common mitigations.

The following excerpt illustrates the heap manipulation and ROP setup used in the PoC:

This sequence demonstrates how the attacker redirects execution to a custom ROP gadget, culminating in root access.

Affected Versions

CVE-2024-26809 affects Linux kernel versions 5.15.54 and later, including the 6.1 and 6.6 LTS branches. 

The vulnerability has been addressed in recent kernel updates, with distributions such as Debian, Ubuntu, and SUSE releasing patches for all supported versions. 

The fix ensures that elements are only released from the “clone” path during set destruction, preventing double-free conditions.
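The double-free ordering described in the Technical Overview (elements released once via “match” and again via “clone” when the set is dirty) and the fix described just above (release from the “clone” path only) can both be seen in a small user-space model. The code below is an added example, not the article’s missing excerpt and not kernel code: the structures `pipapo_set`, `match` and `elem`, the `free_count` field and the function `max_frees_after_destroy()` are invented for the model, and the real `nft_pipapo` layout and the exact patch differ. Each element counts how often it is “released”, so a count of 2 after destruction is the double free and the fixed routine must leave every count at 1.

```c
/* Added example: user-space model of the nft_pipapo_destroy() double free
 * and of the fix's "release elements from the clone path only" rule.
 * All names and layouts here are invented for the model (assumption);
 * they are not the kernel's structures. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_ELEMS 8

/* A set element; free_count records how many times it was released. */
struct elem { int id; int free_count; };

/* One representation of the set ("match" or "clone"). Both may point at
 * the same elements, which is the overlap the article describes. */
struct match { struct elem *elems[MAX_ELEMS]; int n; };

/* Simplified set private data: live match, pending clone, dirty flag. */
struct pipapo_set { struct match *match; struct match *clone; int dirty; };

/* Model of nft_set_pipapo_match_destroy(): releases every element of m. */
static void match_destroy_elems(struct match *m)
{
    for (int i = 0; i < m->n; i++)
        m->elems[i]->free_count++;
}

/* Vulnerable ordering: elements are released via the live match, and
 * again via the clone when the set is dirty. Shared elements get hit twice. */
static void destroy_vulnerable(struct pipapo_set *s)
{
    if (s->match) {
        match_destroy_elems(s->match);
        free(s->match);
        s->match = NULL;
    }
    if (s->clone) {
        if (s->dirty)
            match_destroy_elems(s->clone);
        free(s->clone);
        s->clone = NULL;
    }
}

/* Fixed ordering, following the article's description of the patch: with a
 * clone present, elements are released from the clone only and the match is
 * freed without touching them; with no clone, the match is the sole owner. */
static void destroy_fixed(struct pipapo_set *s)
{
    if (s->clone) {
        match_destroy_elems(s->clone);
        free(s->clone);
        s->clone = NULL;
    } else if (s->match) {
        match_destroy_elems(s->match);
    }
    if (s->match) {
        free(s->match);
        s->match = NULL;
    }
}

/* Build a set of n constructed elements, optionally with a dirty clone that
 * shares all of them, destroy it with the chosen routine and return the
 * largest free_count seen: 1 = each element released once, 2 = double free. */
int max_frees_after_destroy(int n, int have_clone, int use_fixed)
{
    static struct elem pool[MAX_ELEMS];   /* constructed sample elements */
    struct pipapo_set s = { 0 };
    int worst = 0;

    if (n > MAX_ELEMS)
        n = MAX_ELEMS;
    s.match = calloc(1, sizeof *s.match);
    if (have_clone)
        s.clone = calloc(1, sizeof *s.clone);
    for (int i = 0; i < n; i++) {
        pool[i].id = i;
        pool[i].free_count = 0;
        s.match->elems[i] = &pool[i];
        if (s.clone)
            s.clone->elems[i] = &pool[i];
    }
    s.match->n = n;
    if (s.clone) {              /* inserting into the clone marks it dirty */
        s.clone->n = n;
        s.dirty = 1;
    }

    if (use_fixed)
        destroy_fixed(&s);
    else
        destroy_vulnerable(&s);

    for (int i = 0; i < n; i++)
        if (pool[i].free_count > worst)
            worst = pool[i].free_count;
    return worst;
}

int main(void)
{
    printf("vulnerable, dirty clone: max releases = %d\n", max_frees_after_destroy(4, 1, 0));
    printf("fixed, dirty clone:      max releases = %d\n", max_frees_after_destroy(4, 1, 1));
    printf("fixed, no clone:         max releases = %d\n", max_frees_after_destroy(4, 0, 1));
    return 0;
}
```

The model deliberately reduces “freeing” to a counter so the ordering defect is visible without heap corruption: the vulnerable routine reports 2 for a dirty set with a clone, while the fixed routine reports 1 both with and without a clone, which is the invariant (every element released exactly once) that the real patch restores.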

System administrators are strongly advised to apply the latest security updates immediately. Unpatched systems remain vulnerable to local attackers who can exploit this flaw to gain full control over affected machines.

The public release of a functional exploit for CVE-2024-26809 marks a significant escalation in the threat landscape for Linux servers and workstations. 

The exploit showcases advanced heap manipulation and kernel exploitation techniques, making it a potent tool for attackers. 

Prompt patching and adherence to security best practices are essential to mitigate the risk posed by this vulnerability.


The post PoC Exploit Released For Linux Kernel’s nftables Subsystem Vulnerability appeared first on Cyber Security News.

rssfeeds-admin
