Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add kernelCTF CVE-2024-26642_mitigation #131

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
126 changes: 126 additions & 0 deletions pocs/linux/kernelctf/CVE-2024-26642_mitigation/docs/exploit.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
# Exploit detail about CVE-2024-26642
If you want to get some base information about CVE-2023-6817, please read [vulnerability.md](./vulnerability.md) first.

## Background
nftables is a netfilter project that aims to replace the existing {ip,ip6,arp,eb}tables framework, providing a new packet filtering framework for {ip,ip6}tables, a new userspace utility (nft) and A compatibility layer. It uses existing hooks, link tracking system, user space queuing component and netfilter logging subsystem.

It consists of three main components: kernel implementation, libnl netlink communication and nftables user space front-end. The kernel provides a netlink configuration interface and runtime rule set evaluation. libnl contains basic functions for communicating with the kernel. The nftables front end is for user interaction through nft.

nftables implements data packet filtering by using some components like `table`, `set`, `chain`, `rule`.

## Some additional stories
After reading `vulnerability.md` or `cause analysis`, you may wonder why the root cause and patch do not seem to match. I can only talk about the vulnerability reporting process for this question.
I sent a vulnerability report to [email protected] at 2024.2.29 13:33:
```
Hi, I've found a new vulnerability in Linux netfilter/nftable subsystem. In the function nf_tables_deactivate_set, it does not set "set->dead = 1". This makes it possible to call nft_setelem_data_deactivate with a set element more than once by following this step:
1. Create a pipapo set with flag NFT_SET_TIMEOUT and NFT_SET_ANONYMOUS.
2. Create a set element of this pipapo set with flag NFTA_SET_ELEM_EXPIRATION.
3. Create a chain.
4. Create a rule with nft_lookup expr, which will bind the pipapo set we create in step 1.
5. Delete the chain And finally nft_setelem_data_deactivate will be called for the same set element both in nft_map_deactivate and in function pipapo_gc.

Attachment is the poc I wrote for this vulnerability, which leaks some kernel pointers. I tested it on linux 6.1.78.

Thanks,
lonial con
```
The email also attached a poc I wrote based on the trigger idea (it can cause the latest kernel at that time to produce crahs). I did not receive any reply emails afterwards.
On 2024.3.5, I noticed that the maintainer of netfilter pushed a patch to netfilter (https://patchwork.ozlabs.org/project/netfilter-devel/patch/[email protected]/). He pushed the corresponding patch without asking for any opinion from me.

The patch did make my poc not work, but this patch did not fix the core of the problem `set->dead = 1`. Therefore, I added two patch commits to `vulnerability.md`.

## Cause anaylysis

In the function nf_tables_deactivate_set, it does not set "set->dead = 1". This makes it possible to call nft_setelem_data_deactivate with a set element more than once by following this step:

1. Create a pipapo set with flag NFT_SET_TIMEOUT and NFT_SET_ANONYMOUS.
2. Create a set element of this pipapo set with flag NFTA_SET_ELEM_EXPIRATION.
3. Create a chain.
4. Create a rule with nft_lookup expr, which will bind the pipapo set we create in step 1.
5. Delete the chain

After you send these commands in a message list, when you reach step 5 `delete the chain`, the following call chain will occur:
```
nf_tables_delchain -> nft_delrule -> nft_rule_expr_deactivate -> (expr->ops->deactivate) -> nft_lookup_deactivate -> nf_tables_deactivate_set -> case NFT_TRANS_PREPARE: nft_map_deactivate
```
`nft_map_deactivate` will eventually call `nft_setelem_data_deactivate` for all set elements in the set.

But at the same time, after all commands are executed, nftable will also call `nf_tables_commit`, which triggers another call chain:

```
nf_tables_commit -> (set->ops->commit) -> nft_pipapo_commit -> pipapo_gc -> nft_pipapo_gc_deactivate -> nft_setelem_data_deactivate
```

Finally, `nft_setelem_data_deactivate` will be called for elements which are timed out in the pipapo set, which may result in multiple calls to `nft_setelem_data_deactivate` for the same set element.

## Triggering the vulnerability

It's easy to trigger it by following this steps:

- Create a pipapo set with flag NFT_SET_TIMEOUT and NFT_SET_ANONYMOUS.
- Create a set element of this pipapo set with flag NFTA_SET_ELEM_EXPIRATION.
- Create a chain.
- Create a rule with nft_lookup expr, which will bind the pipapo set we create in step 1.
- Delete the chain


## Exploit it

Using CVE-2024-26642 to exploit a mitigation instance is completely different from exploiting a LTS or COS instance. But it can use the same idea as [this article](https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-6817_mitigation/docs/exploit.md). My exploit is implemented by simply modifying the exploit code [here](https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-6817_mitigation/exploit/mitigation-v3-6.1.55/exploit.c). This article only details the modified part of the original exploit(How to trigger the vulnerability so that chain B use count being decremented an additional time). For the content of the original exploit, please read [this article](https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-6817_mitigation/docs/exploit.md).

## Primitive

### Primitive_1
I build a function named as `primitive_1` to change the nft_chain->use by triggering the vulnerabiltiy:

```c
//make target_chain->use = target_chain->use - 1
void primitive_1(struct nl_sock *socket, char *table, char *target_chain){
char *pad = malloc(0x100);
memset(pad,0x41,0x100);
int i;
struct nlmsghdr **msg_list = malloc(sizeof(struct nlmsghdr *)*0x200);
char *set_name = "set for primitive1";
char *chain_name = "chain for primitive1";
char *key = malloc(0x40);
msg_list[0] = new_set_pipapo_for_timeout_and_chain_with_anonymous_msg(table, set_name, 0x40);
msg_list[1] = new_chain_msg(table, chain_name, 0);
msg_list[2] = new_setelem_with_chain_and_expiration_msg(table, set_name, pad, 0xc0, target_chain, NULL, 0, NULL, 0, 1,0x0100000000000000);
msg_list[3] = new_rule_lookup_for_chain_msg(table, chain_name, set_name, 1);
msg_list[4] = del_chain_msg(table, chain_name);
char *tmp = malloc(0x40);
for(i=0;i<0x100;i++){
snprintf(tmp, 0x40, "table for primitive %d", i);
msg_list[5+i] = new_table_with_udata_msg(tmp, key, 0x40);
}
send_msg_list(socket, msg_list, 0x105);

free(msg_list);
free(pad);
}
```

How it works:
1. message 0: Create a pipapo set with flags `NFT_SET_TIMEOUT` and `NFT_SET_ANONYMOUS`
2. message 1: Create a chain
3. message 2: Create a set elements, all of which contain `NFTA_SET_ELEM_EXPIRATION` and `NFTA_SET_ELEM_TIMEOUT`.
4. message 3: Create a rule on the chain, which contains an expr of type `lookup`. `lookup` expr can be bound to an `nft_set` when initialized, and we let it bind the pipapo set created by message[0].
5. message 4: Delete the chain created by message 2
6. mseesage 5 - 0x104: Create 0x100 table with `udata`. This is just to increase the number of messages to ensure that the set element created by message 2 will time out when the vulnerability is triggered.

When the above message is sent, two rounds of calls to `nft_setelem_data_deactivate` for the same set element will be triggered:

The first round is when executing message 4, and the following call path will be generated in the end:

```c
nf_tables_delchain -> nft_delrule -> nft_rule_expr_deactivate -> (expr->ops->deactivate) -> nft_lookup_deactivate -> nf_tables_deactivate_set -> nft_map_deactivate
```

The `nft_map_deactivate` function will call `nft_mapelem_deactivate` -> `nft_setelem_data_deactivate` for all elements in the pipapo set created by message 0.

The second round is after all messages are executed, `netfilter` will call the `nf_tables_commit` function, and finally generate the calling path:
```c
nft_set_commit_update -> (set->ops->commit) -> nft_pipapo_commit -> pipapo_gc -> nft_pipapo_gc_deactivate -> nft_setelem_data_deactivate
```
The function `pipapo_gc` will also call `nft_setelem_data_deactivate` for all timeout elements in pipapo set.
(This is why it is necessary to add `set->dead = 1` in nf_tables_deactivate_set to fix the vulnerability, because after adding this line of code, the subsequent operations will not be executed in the function nft_set_commit_update.)
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# Vulneribility
The function `nf_tables_deactivate_set` does not set "set->dead = 1". This makes it possible to call `nft_setelem_data_deactivate` with a set element more than once.

## Requirements to trigger the vulnerability
- Capabilities: `CAP_NET_ADMIN` capability is required.
- Kernel configuration: `CONFIG_NETFILTER`, `CONFIG_NF_TABLES`
- Are user namespaces needed?: Yes

## Commit which introduced the vulnerability
- [commit d60be2da67d172aecf866302c91ea11533eca4d9](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/nf_tables_api.c?h=linux-6.1.y&id=d60be2da67d172aecf866302c91ea11533eca4d9)

## Commit which fixed the vulnerability
- [commit 16603605b667b70da974bea8216c93e7db043bf1](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter?id=16603605b667b70da974bea8216c93e7db043bf1)
- [commit 552705a3650bbf46a22b1adedc1b04181490fc36](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=552705a3650bbf46a22b1adedc1b04181490fc36)

## Affected kernel versions
- 6.1.35 and later
- 5.15.121 and later

## Affected component, subsystem
- net/netfilter (nf_tables)

## Cause
- UAF

Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
exploit:
gcc -o exploit exploit.c -I/usr/include/libnl3 -lnl-nf-3 -lnl-route-3 -lnl-3 -static
prerequisites:
sudo apt-get install libnl-nf-3-dev
run:
./exploit
clean:
rm exploit
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Exploit for kctf mitigation-v3-6.1.55
Run command "nsenter --target 1 -m -p" after run the poc.
Loading
Loading