Re: Linux Kernel use-after-free write in netfilter

[Solar Designer <solar () openwall com>]

On Tue, May 31, 2022 at 10:00:32AM +0100, EDG EDG wrote:
> A use-after-free write vulnerability was identified within the
> netfilter subsystem
> which can be exploited to achieve privilege escalation to root.
>
> In order to trigger the issue it requires the ability to create user/net
> namespaces.
>
> This issue has been fixed within the following commit:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/net/netfilter?id=520778042ccca019f3ffa136dd0ca565c486cedd
>
> The issue was previously confirmed on the latest linux master (commit
> 143a6252e1b8ab424b4b293512a97cca7295c182) and we have confirmed it can be
> exploited for privilege escalation on Ubuntu 22.04 (Linux kernel
> 5.15.0-27-generic).
[...]
> # POC Code
[...]
>     printf("should have triggered KASAN\n");

While the message above included PoC code, there's now also a blog post
and GitHub repo with a full exploit:

https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
https://github.com/theori-io/CVE-2022-32250-exploit

"In this post, we have shown the process of exploiting CVE-2022-32250.
We were able to leak KASLR and overwrite modprobe_path by utilizing the
mqueue functions, and as a result, we successfully gained root
privileges in Ubuntu 22.04."

Alexander