## https://sploitus.com/exploit?id=FE3CDC04-584A-587D-BB70-EA55C9014B0A
# CVE-2024-1086

- [NIST NVD Article](https://nvd.nist.gov/vuln/detail/CVE-2024-1086)
- [Github PoC](https://github.com/notselwyn/cve-2024-1086)
- [Writeup](https://pwning.tech/nftables/)
## Affected Versions

- v5.14 to (including) v6.6
- excluding the patched stable branches v5.15.149 and later, v6.1.76 and later, and v6.6.15 and later
- all versions (excluding patched stable branches) from v3.15 to v6.8-rc1.

## Caveats
- does not work on v6.4 and later kernels with kconfig CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y (including Ubuntu's v6.5)
- requires user namespaces (kconfig CONFIG_USER_NS=y) and that those user namespaces are unprivileged (sysctl `kernel.unprivileged_userns_clone = 1`)
- requires nf_tables to be enabled (kconfig CONFIG_NF_TABLES=y)
- The exploit may be very unstable on systems with a lot of network activity

    Systems with a WiFi adapter, when surrounded by high-usage WiFi networks, will be very unstable.

- The kernel panic (system crash) after running the exploit is a side effect which deliberately hasn't been fixed, to prevent malicious usage of the exploit

## Research Log

### Environment Setup
I have barely used QEMU before, so I am following the [instructions](https://ubuntu.com/server/docs/virtualisation-with-qemu) from Ubuntu's official site to install default Ubuntu with QEMU.

[Install msys2](https://www.msys2.org/#installation) so we can use its package manager to install QEMU on Windows 11.

[Install QEMU](https://www.qemu.org/download/#windows) by using `pacman -S mingw-w64-x86_64-qemu`

We get this error after installing QEMU:

![alt text](imgs/1.png)

This is due to user error: instead of using msys.exe, I needed mingw64. More info on MSYS2 environments [here.](https://stackoverflow.com/questions/76552264/what-are-msys2-environments-how-do-i-pick-one)

I gained the ability to call QEMU after uninstalling it from the MSYS2 shell and reinstalling it from a MINGW64 shell.

Now there is a new error where it could not read the image, for whatever reason.


![alt text](imgs/2.png)

After downloading the latest release of Ubuntu 24.04, we replace the netboot image link in the command with the local path of the ISO. Side note: I also removed the `-enable-kvm` switch, since this only works on Linux hosts. More info on [KVM](https://wiki.archlinux.org/title/KVM). An alternative on Windows would be [HAXM](https://www.qemu.org/2017/11/22/haxm-usage-windows/) with `-enable-hax`, which requires a CPU that has Intel VT-x with Extended Page Tables (EPT) capabilities; Hyper-V must be disabled.

![alt text](imgs/3.png)

Success on launching QEMU and getting to GRUB. However, the VM will not actually be able to boot: we are presented with a memory error and then a kernel panic. This is due to not having created a disk image or specified the amount of memory for the VM.

Creating a virtual image:
`qemu-img create -f qcow2 ubuntu24.04.img 12G`

Booting the virtual machine:
`qemu-system-x86_64 -cdrom ubuntu-24.04-desktop-amd64.iso -boot menu=on -drive file=ubuntu24.04.img -m 4G -cpu qemu64 -smp 4`

- `-cdrom`: virtual CD/DVD drive to hold the ISO
- `-boot`: choose boot behavior (boot directly off the ISO, drives, etc.)
- `-drive`: path to the image we created that represents the VM's disk
- `-m`: set the amount of memory
- `-cpu`: set the virtualized CPU type
- `-smp`: set how many cores are dedicated to the VM

![alt text](imgs/4.png)

After getting a successful boot, the performance is very slow and undesirable. I will re-attempt with a host machine that runs Linux.

## Environment 2

Installed Ubuntu 24.04 LTS on a new machine, all default settings.
I will be attempting the same type of install as above to get a solid baseline that my tools are working.

Install qemu

`sudo apt-get install qemu-system`

Download Ubuntu 24.04 LTS

`wget 'https://releases.ubuntu.com/24.04/ubuntu-24.04-desktop-amd64.iso?_gl=1*1dpopbp*_gcl_au*ODE2NDcxMTIwLjE3MjM2ODcyMjI.&_ga=2.206772948.633577881.1723687219-264703441.1723687219'`

Create QCOW2 Image

`qemu-img create -f qcow2 ubuntu-24.04-desktop-amd64.img 12G`

Start the VM up with KVM and virtio acceleration (all features c:)

`qemu-system-x86_64 -enable-kvm -cdrom ubuntu-24.04-desktop-amd64.iso -boot menu=on -drive file=ubuntu-24.04-desktop-amd64.img -m 4G -cpu host -smp 4 -vga virtio -display sdl,gl=on`

The emulation was able to install the system way faster and the GUI is 10x smoother and bearable to work in now.

![alt text](imgs/6.png)

Now that the VM is running properly, we are going to compile Linux kernel v6.6.14, the latest one that should still be vulnerable.

install dependencies:
`sudo apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev`

download source
`wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.6.14.tar.xz`

Ensure these kernel config options are off; this is necessary for kernel versions 6.4.0 and later:
- CONFIG_INIT_ON_FREE_DEFAULT_ON
- CONFIG_INIT_ON_ALLOC_DEFAULT_ON
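One way to check a host against the affected-version list and the caveats above (including the two INIT_ON_* options this build step turns off), as an added example that is not part of the original page or the PoC repository: it reads a kernel config file such as `/boot/config-$(uname -r)` plus a version string and reports which precondition, if any, rules the host out. Treating v6.8-rc1 as the first fixed release and CONFIG_NF_TABLES=m (a module) as enabled are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not code from the PoC repository): check a kernel config file
# and kernel version against the affected-version list and caveats above.
# Usage: kconfig_report /boot/config-$(uname -r) "$(uname -r)"
# Print the value of a kconfig symbol (y, m, or a literal) or n when it is unset.
kconfig_value() {
  local file="$1" sym="$2" line
  line=$(grep -E "^${sym}=" "$file" | head -n 1)
  if [ -n "$line" ]; then printf '%s\n' "${line#*=}"; else printf 'n\n'; fi
}
# Compare dotted versions a and b, printing -1, 0 or 1. Suffixes such as
# "-generic" or "-rc1" are dropped, so 6.8-rc1 compares equal to 6.8.
kver_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 4; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi != yi) { r = (xi < yi) ? -1 : 1; print r; exit }
    }
    print 0
  }'
}
# Return 0 when the version is in the affected range on this page: v3.15 up to
# v6.8-rc1 (taken as exclusive, since the fix landed there) minus the patched
# stable branches v5.15.149+, v6.1.76+ and v6.6.15+.
kver_affected() {
  local v="$1" fix
  [ "$(kver_cmp "$v" 3.15)" -ge 0 ] && [ "$(kver_cmp "$v" 6.8)" -lt 0 ] || return 1
  for fix in 5.15.149 6.1.76 6.6.15; do   # same major.minor and at/past the fix?
    if [ "$(kver_cmp "$(echo "$v" | cut -d. -f1,2)" "${fix%.*}")" -eq 0 ] \
       && [ "$(kver_cmp "$v" "$fix")" -ge 0 ]; then return 1; fi
  done
  return 0
}
# Print one line per failed precondition. Return 0 only when the host matches
# every precondition (i.e. is exposed), 1 when a version or config rules it out.
kconfig_report() {
  local file="$1" kver="$2" rc=0 sym
  kver_affected "$kver" || { echo "$kver is outside the affected range"; rc=1; }
  [ "$(kconfig_value "$file" CONFIG_USER_NS)" = y ] || { echo "CONFIG_USER_NS is off"; rc=1; }
  # The page lists =y; distro kernels often build nf_tables as a module (=m), which also counts.
  case "$(kconfig_value "$file" CONFIG_NF_TABLES)" in y|m) ;; *) echo "nf_tables is off"; rc=1 ;; esac
  for sym in CONFIG_INIT_ON_ALLOC_DEFAULT_ON CONFIG_INIT_ON_FREE_DEFAULT_ON; do
    if [ "$(kver_cmp "$kver" 6.4)" -ge 0 ] && [ "$(kconfig_value "$file" "$sym")" = y ]; then
      echo "$sym=y on a >= 6.4 kernel blocks the exploit"; rc=1
    fi
  done
  return "$rc"
}
```

A non-zero exit from `kconfig_report` means at least one mitigation or version exclusion applies; run it against the guest's `/boot/config-*` after installing the custom kernel to confirm the lab matches the caveats.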

make a default kernel config
`make defconfig`

I use vim to search for the configuration options and set the values to equal n for no.

`make -j$(nproc)`

`make modules`

Install the modules on the build host (this populates `/lib/modules/6.6.14`, which the next step packages), then package the kernel and modules to send them over to the VM

`sudo make modules_install`

`tar -czvf linux-6.6.14-compiled.tar.gz arch/x86/boot/bzImage`

`tar -czvf modules-6.6.14.tar.gz /lib/modules/6.6.14`

Set up the VM with a network interface so we can `scp` the files over

```
#!/usr/bin/env bash

qemu-system-x86_64 \
  -enable-kvm \
  -boot menu=on \
  -drive file=ubuntu-24.04-desktop-amd64.img \
  -m 4G \
  -cpu host \
  -smp 4 \
  -vga virtio \
  -display sdl,gl=on \
  -netdev user,id=unet,hostfwd=tcp:127.0.0.1:2222-:22 \
  -device virtio-net,netdev=unet
```

After doing this I install the SSH server with `sudo apt install openssh-server`, then from the host I test the connection with `ssh -p 2222 user@127.0.0.1`

Then copy my ssh key for easy access `ssh-copy-id -p 2222 user@127.0.0.1`

Now we can use `scp` to transfer over the kernel we built for the guest

`scp -P 2222 ./linux-6.6.14-compiled.tar.gz user@127.0.0.1:~`

`scp -P 2222 ./modules-6.6.14.tar.gz user@127.0.0.1:~`

![alt text](imgs/7.png)

Now we unpack the kernel to its appropriate directories

`sudo tar -xvf linux-6.6.14-compiled.tar.gz -C /boot/`

`sudo tar -xvf modules-6.6.14.tar.gz -C /`

`sudo update-grub`

However, none of this worked, so I just rebuilt it in the VM and installed the kernel that way using the same instructions as before.
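Untarring `arch/x86/boot/bzImage` into `/boot` leaves the kernel at `/boot/arch/x86/boot/bzImage`, which the GRUB scripts behind `update-grub` never look at (they expect `/boot/vmlinuz-<version>`), and the new kernel also has no initramfs. As an added example that is not the author's code, this script stages a host-built kernel into the guest under the expected names; `stage_kernel`, `activate_kernel` and the `$root` parameter are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original log: install a host-built kernel into the
# guest under the names update-grub's scripts look for (/boot/vmlinuz-<ver>,
# System.map-<ver>, config-<ver>, /lib/modules/<ver>) rather than untarring
# arch/x86/boot/bzImage straight into /boot. Run inside the guest, e.g.:
#   stage_kernel bzImage System.map .config modules-6.6.14.tar.gz 6.6.14 /
#   activate_kernel 6.6.14

# Copy the image, System.map and config into $root/boot and unpack the module
# tarball (made on the host with "tar -cf ... /lib/modules/<ver>", so its paths
# are relative to /) under $root. $root defaults to / and is a parameter so the
# staging can be dry-run into a scratch directory.
stage_kernel() {
  local bzimage="$1" sysmap="$2" config="$3" modtar="$4" ver="$5" root="${6:-/}" f
  for f in "$bzimage" "$sysmap" "$config" "$modtar"; do
    [ -f "$f" ] || { echo "stage_kernel: missing $f" >&2; return 1; }
  done
  mkdir -p "$root/boot"
  cp "$bzimage" "$root/boot/vmlinuz-$ver"
  cp "$sysmap"  "$root/boot/System.map-$ver"
  cp "$config"  "$root/boot/config-$ver"
  tar -xf "$modtar" -C "$root"
  [ -d "$root/lib/modules/$ver" ] || { echo "stage_kernel: no lib/modules/$ver in $modtar" >&2; return 1; }
}

# Build the initramfs for the new kernel and regenerate the GRUB menu so the
# entry appears; this needs root and only makes sense for root=/.
activate_kernel() {
  local ver="$1"
  sudo update-initramfs -c -k "$ver" && sudo update-grub
}
```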

I had an issue accessing the `grub` menu, so I edited the `/etc/default/grub`
file, commented out this line `# GRUB_TIMEOUT_STYLE=hidden` and set
`GRUB_TIMEOUT=5`

Now we have the kernel installed!

![alt text](imgs/8.png)

After booting into this, the mouse no longer worked, some default icons are missing from the Ubuntu instance and the whole system became very unstable. This is probably due to how I made the config for this kernel or something easy.

## Environment WSL Setup
You must be using WSL 2 with updated graphics drivers.

Install QEMU
`sudo apt-get install qemu-system -y`

`sudo apt-get install qemu-user-static -y`

Download Ubuntu Image

`wget https://releases.ubuntu.com/22.04/ubuntu-22.04.4-desktop-amd64.iso`

Create QCOW2 Image for ubuntu to install on

`qemu-img create -f qcow2 ubuntu-22.04.4-desktop-amd64.img 15G`

Create launch script with CDROM to boot into the ubuntu system

```
#!/usr/bin/env bash

qemu-system-x86_64 \
  -enable-kvm \
  -boot menu=on \
  -drive file=ubuntu-22.04.4-desktop-amd64.img \
  -m 4G \
  -cpu host \
  -smp 4 \
  -vga virtio \
  -display sdl,gl=on \
  -netdev user,id=unet,hostfwd=tcp:127.0.0.1:2222-:22 \
  -device virtio-net,netdev=unet \
  -cdrom ubuntu-22.04.4-desktop-amd64.iso
```

After running that and installing Ubuntu, rerun the script without the `-cdrom` line; it should not matter as long as you boot from the drive.

The kernel version should already be 6.2.X, but if necessary use the package manager to install a similar kernel version, and you can then select the new version in GRUB.

### Testing the exploit

Just build the PoC from the GitHub link and `scp` the binary to the guest system.

`scp -P 2222 ./exploit user@127.0.0.1:~/`

# WSL2/QEMU/NO Distro Environment setup

## Finding the Linux Kernel

https://www.josehu.com/technical/2021/01/02/linux-kernel-build-debug.html

I believe searching for tags in the stable releases of the Linux kernel is the best bet.

Based on the exploitable-versions table from the creator's writeup, let's try 6.2.16, without a distribution and just the kernel.

Here's the site to search for the right version.

`https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/refs/tags`

Here's the command to download our version

`wget https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/snapshot/linux-6.2.16.tar.gz`

`tar -xvf ./linux-6.2.16.tar.gz`

Install deps to compile kernel

`sudo apt install bc binutils bison dwarves flex gcc git gnupg2 gzip libelf-dev libncurses5-dev libssl-dev make openssl pahole perl-base rsync tar xz-utils -y`

Obtain a kernel config file.

The defaults should be fine for this command unless you need special kernel
flags/options enabled.

`make menuconfig`