# Needle (CVE-2023-0179) exploit

This repository contains the exploit for my recently discovered vulnerability in the nftables subsystem that was assigned CVE-2023-0179, affecting all Linux versions from 5.5 to 6.2-rc3, although the exploit was tested on 6.1.6.

The vulnerability details and writeup can be found on oss-security.
## Building instructions

Just invoke the `make needle` command to generate the corresponding executable. `libmnl` and `libnftnl` are required for the build to succeed:

```
sudo apt-get install libmnl-dev libnftnl-dev
```
## Infoleak

The exploit will enter an unprivileged user and network namespace and add an `nft_payload` expression via the `rule_add_payload` function which, when evaluated, will trigger the stack buffer overflow and overwrite the registers. The content is then retrieved with the following nft command:

```
nft list map netdev mytable myset12
```

The output will leak several shuffled addresses relative to kernel data structures, among which we find a kernel instruction address and the regs pointer.
## LPE

The exploit creates a new user account `needle:needle` with UID 0 by abusing the `modprobe_path` variable. Enjoy root privileges.
## Credits

- David Bouman's `libnftnl` implementation and detailed blog post