On Mon, May 8, 2023 at 4:58 PM Piotr Krysiuk <piotras () gmail com> wrote:
> Therefore, according to the linux-distros list policy, the exploit must
> be published within 7 days from this advisory. In order to comply with
> that policy, I intend to publish both the description of exploitation
> techniques and also the exploit source code on Monday 15th by email to
> this list.
Per the announcement above, we are publishing the description of
exploitation techniques and also the exploit source code as attachments
to this email.
The attached instructions have been tested against Ubuntu 23.04 Desktop
for amd64. However, the vulnerability is not limited to Ubuntu. The
affected code originates from the upstream Linux kernel from
https://kernel.org/ and we confirmed that exploitation is possible
against some other popular distributions.
# Affected Configurations
The following describes the minimum set of configurations where the bug is
exploitable. The attached exploit adds a few additional dependencies.
However, an alternative exploitation method could be developed that
avoids those additional dependencies.
The capability CAP_NET_ADMIN over the network namespace is required in
order to exploit the vulnerability.
A well-known technique to obtain that capability is by creating a new
user/network namespace. In case of the current stable and longterm
Linux kernels from https://kernel.org/ an unprivileged local user can
create such namespace when the following configuration option is
enabled explicitly on top of `x86_64_defconfig`:
CONFIG_USER_NS
For these kernels, Netfilter nf_tables is also disabled by default and
the following configuration option must be set explicitly to compile
it:
CONFIG_NF_TABLES
And then at least one of the families must also be enabled:
CONFIG_NF_TABLES_INET
CONFIG_NF_TABLES_IPV4
CONFIG_NF_TABLES_ARP
CONFIG_NF_TABLES_NETDEV
CONFIG_NF_TABLES_BRIDGE
CONFIG_NF_TABLES_IPV6
For certain older kernels, `nft_set` functionality is disabled by
default and one of the following configuration options must be set
explicitly for any such system to be affected (depending on release):
CONFIG_NF_TABLES_SET
CONFIG_NFT_SET_RBTREE
CONFIG_NFT_SET_HASH
CONFIG_NFT_SET_BITMAP
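As an added check, not part of the advisory or its attached exploit: a POSIX shell script that reads a kernel config file (for example /boot/config-$(uname -r)) and reports whether the three gates listed above are all open, that is CONFIG_USER_NS, CONFIG_NF_TABLES and at least one CONFIG_NF_TABLES_* family, plus one of the set-backend options on configs that still carry such a symbol. The function names, the decision to treat a config with no separate set symbol as not gating, and the runtime `unshare` probe are this example's own assumptions, not anything the advisory states.

```shell
#!/bin/sh
# Added example, not part of the advisory. Checks a kernel config file for the
# options the advisory lists as required for the nf_tables bug to be reachable
# from an unprivileged user namespace.
#
# Usage: sh check_nft_config.sh /boot/config-$(uname -r)

# Returns 0 when option $2 is =y or =m in config file $1, 1 otherwise.
# Lines of the form "# CONFIG_X is not set" deliberately do not match.
cfg_enabled() {
    grep -Eq "^$2=(y|m)$" "$1"
}

# Prints one summary line and a verdict.
# Exit status: 0 = all required options present, 1 = something missing,
#              2 = config file unreadable.
check_nft_config() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "cannot read kernel config: $cfg" >&2
        return 2
    fi

    user_ns=no
    nft=no
    family=no
    sets=n/a

    cfg_enabled "$cfg" CONFIG_USER_NS && user_ns=yes
    cfg_enabled "$cfg" CONFIG_NF_TABLES && nft=yes

    # Any one family is enough, per the advisory.
    for f in INET IPV4 ARP NETDEV BRIDGE IPV6; do
        cfg_enabled "$cfg" "CONFIG_NF_TABLES_$f" && family=yes
    done

    # Older kernels gate set support behind a separate symbol. Assumption of
    # this example: when the config carries none of these symbols at all, set
    # support is not a separate option on that kernel and is not treated as a gate.
    if grep -Eq '^(# )?CONFIG_(NF_TABLES_SET|NFT_SET_(RBTREE|HASH|BITMAP))(=| is not set)' "$cfg"; then
        sets=no
        for s in NF_TABLES_SET NFT_SET_RBTREE NFT_SET_HASH NFT_SET_BITMAP; do
            cfg_enabled "$cfg" "CONFIG_$s" && sets=yes
        done
    fi

    echo "user_ns=$user_ns nf_tables=$nft family=$family sets=$sets"
    if [ "$user_ns" = yes ] && [ "$nft" = yes ] && [ "$family" = yes ] && [ "$sets" != no ]; then
        echo "verdict: required configuration present"
        return 0
    fi
    echo "verdict: at least one required option missing"
    return 1
}

# Runtime probe (assumption of this example, needs util-linux unshare): a
# compiled-in CONFIG_USER_NS does not by itself mean an unprivileged user can
# actually obtain CAP_NET_ADMIN in a fresh user+network namespace.
userns_probe() {
    if unshare -Urn true 2>/dev/null; then
        echo "runtime: unprivileged user+net namespace creation works"
        return 0
    fi
    echo "runtime: unprivileged user+net namespace creation denied"
    return 1
}

if [ "$#" -ge 1 ]; then
    check_nft_config "$1"
    userns_probe
fi
```

A "present" verdict only says the code is compiled in; the runtime probe matters as well, since a kernel built with CONFIG_USER_NS can still refuse unprivileged namespace creation through sysctl (for example user.max_user_namespaces=0, or the Debian/Ubuntu kernel.unprivileged_userns_clone knob). Conversely a "missing" verdict is not proof that a box is safe: the advisory notes that the exploit's exact dependencies are not the only possible route.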