Skip to content

LPE PoC of a user-after-free vulnerability in the Linux netfilter subsystem.

Notifications You must be signed in to change notification settings

ysanatomic/CVE-2022-32250-LPE

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 

Repository files navigation

CVE-2022-32250-LPE

LPE exploit for CVE-2022-32250 - a Use-After-Free vulnerability in netfilter.

My write-up of the vulnerability: Conquering a Use-After-Free in nf_tables: Detailed Analysis and Exploitation of CVE-2022-32250

Building

Building requires libmnl and libnftnl.

gcc -lmnl -lnftnl exploit.c -o exploit

Reliability

The vulnerability impacts both versions that have only KMALLOC_NORMAL caches and those that also have KMALLOC_CGROUP. When making the exploit I only used primitives that would work in both cases - however, testing was conducted on 5.12 which has just KMALLOC_NORMAL caches. In theory it works in both cases - in practice, it might take a little bit of work.

The reliability of the exploit is reasonable - bottlenecked by the key limit in Linux which limits our object spraying capabilities (the limit is 200 for non-root users).

The exploit is a Proof-of-Concept and is able to achieve local privilege escalation on 5.12.0. It was not my goal to weaponize it so I cannot at all speak about its reliance on any other version.

Disclaimer

The Proof-of-Concept and the write-up of the vulnerability are for educational and research purposes only. Use at your own risk.

About

LPE PoC of a user-after-free vulnerability in the Linux netfilter subsystem.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages