# CVE-2024-1086
- [NIST NVD Article](https://nvd.nist.gov/vuln/detail/CVE-2024-1086)
- [GitHub PoC](https://github.com/notselwyn/cve-2024-1086)
- [Writeup](https://pwning.tech/nftables/)
## Affected Versions
- v5.14 up to and including v6.6
- excluding patched branches v5.15.149>, v6.1.76>, v6.6.15>
- all versions (excluding patched stable branches) from v3.15 to v6.8-rc1.
## Caveats
- does not work on v6.4> kernels with kconfig `CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y` (including Ubuntu v6.5)
- requires user namespaces (kconfig `CONFIG_USER_NS=y`), and that those user namespaces are unprivileged (sh command `sysctl kernel.unprivileged_userns_clone = 1`)
- requires that nf_tables is enabled (kconfig `CONFIG_NF_TABLES=y`)
- the exploit may be very unstable on systems with a lot of network activity
  - systems with a WiFi adapter, when surrounded by high-usage WiFi networks, will be very unstable
- The kernel panic (system crash) after running the exploit is a side-effect which deliberately hasn't been fixed to prevent malicious usage of the exploit
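
A defender-side triage of the version ranges and caveats listed above, as an added example (not part of the original README or the PoC project): it classifies a kernel release against a kconfig file and the `kernel.unprivileged_userns_clone` value. The function names, verdict words and sample config are constructed here; `=m` is treated as enabled, and distro kernels that backport the fix under an unchanged upstream version will be misreported.

```shell
#!/bin/sh
# Added example: triage a kernel against the version ranges and caveats above.
# Heuristic: distro kernels backport fixes without changing the upstream version.

# "6.1.76-generic" -> 6001076, so releases compare as integers.
ver_num() {
    v=${1%%[-+]*}
    IFS=. read -r a b c <<EOF
$v
EOF
    echo $(( a * 1000000 + ${b:-0} * 1000 + ${c:-0} ))
}

# True when option $2 is =y (or =m, built as a module) in kconfig file $1.
kopt() { grep -Eq "^$2=[ym]\$" "$1"; }

# assess RELEASE KCONFIG USERNS_CLONE -> prints one verdict word (names are hypothetical).
assess() {
    n=$(ver_num "$1"); cfg=$2; userns=$3
    # Range on the page: v3.15 to v6.8-rc1 (6.8 release candidates are not told apart).
    if [ "$n" -lt 3015000 ] || [ "$n" -ge 6008000 ]; then echo out-of-range; return; fi
    # Patched stable branches named on the page.
    for fix in 5.15.149 6.1.76 6.6.15; do
        f=$(ver_num "$fix")
        if [ $(( n / 1000 )) -eq $(( f / 1000 )) ] && [ "$n" -ge "$f" ]; then
            echo patched; return
        fi
    done
    # Caveats: nf_tables and unprivileged user namespaces are both required.
    # An empty USERNS_CLONE (sysctl absent) is treated as "not restricted".
    if ! kopt "$cfg" CONFIG_NF_TABLES || ! kopt "$cfg" CONFIG_USER_NS || [ "$userns" = 0 ]; then
        echo unreachable; return
    fi
    # Caveat: the PoC fails on v6.4+ with init-on-alloc, but the bug is still present.
    if [ "$n" -ge 6004000 ] && kopt "$cfg" CONFIG_INIT_ON_ALLOC_DEFAULT_ON; then
        echo poc-blocked; return
    fi
    echo exposed
}

# Constructed sample kconfig (not from a real host) so the script runs offline.
sample=$(mktemp)
printf '%s\n' CONFIG_USER_NS=y CONFIG_NF_TABLES=m CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y > "$sample"
for k in 6.1.70 6.1.80 6.5.0-44-generic 6.8.0; do
    echo "$k: $(assess "$k" "$sample" 1)"
done
# Live host (Debian/Ubuntu paths assumed):
# assess "$(uname -r)" "/boot/config-$(uname -r)" "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)"
```

A `poc-blocked` or `unreachable` verdict describes the caveats only; the kernel still carries the bug until it is updated to a patched release.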
## Research Log
### Environment Setup
I have barely used QEMU before, so I am following the [instructions](https://ubuntu.com/server/docs/virtualisation-with-qemu) on Ubuntu's official site to install default Ubuntu with QEMU.

[Install MSYS2](https://www.msys2.org/#installation) to get its package management capabilities for installing QEMU on Windows 11.

[Install QEMU](https://www.qemu.org/download/#windows) by using `pacman -S mingw-w64-x86_64-qemu`.

We get this error after installing QEMU:

This was user error: instead of using msys.exe, I needed mingw64. More info on MSYS2 environments [here](https://stackoverflow.com/questions/76552264/what-are-msys2-environments-how-do-i-pick-one).

After uninstalling from MSYS2 and switching to a MINGW64 shell, I gained the ability to call QEMU.

Next came a new error: QEMU could not read the image, for whatever reason.

After downloading the latest release of Ubuntu 24.04, we replace the netboot image link in the command with the physical location of the ISO. Side note: I also removed the `-enable-kvm` switch, since it only works on Linux hosts. More info on [KVM](https://wiki.archlinux.org/title/KVM). An alternative on Windows would be [HAXM](https://www.qemu.org/2017/11/22/haxm-usage-windows/) (`-enable-hax`), which requires a CPU that has Intel VT-x with Extended Page Tables (EPT) capabilities. Hyper-V must be disabled.

QEMU launched successfully and got to GRUB. However, the VM was not actually able to boot: we are presented with a memory error, then a kernel panic. This is due to not building an image or specifying memory amounts for the VM.

Creating a virtual image:

`qemu-img create -f qcow2 ubuntu24.04.img 12G`

Booting the virtual machine:

`qemu-system-x86_64 -cdrom ubuntu-24.04-desktop-amd64.iso -boot menu=on -drive file=ubuntu24.04.img -m 4G -cpu qemu64 -smp 4`

- `-cdrom`: virtual CD/DVD drive to hold the ISO
- `-boot`: choose boot behavior (boot directly off the ISO, drives, etc.)
- `-drive`: path to the image we created that represents the VM
- `-m`: set the amount of memory
- `-cpu`: set the virtualized CPU type
- `-smp`: set how many cores are dedicated to the VM

After getting a successful boot, the performance is very slow and undesirable. I will re-attempt with a host machine that runs Linux.
### Environment 2
Installed Ubuntu 24.04 LTS on a new machine, all default settings. I will attempt the same type of install as above to get a solid baseline showing that my tools are working.

Install QEMU:

`sudo apt-get install qemu-system`

Download Ubuntu 24.04 LTS:

`wget https://releases.ubuntu.com/24.04/ubuntu-24.04-desktop-amd64.iso`

Create the QCOW2 image:

`qemu-img create -f qcow2 ubuntu-lts.img 12G`

Start the VM with KVM and virtio acceleration (all features c:):

`qemu-system-x86_64 -enable-kvm -boot menu=on -drive file=ubuntu-24.04-desktop-amd64.img -m 4G -cpu host -smp 4 -vga virtio -display sdl,gl=on`

The emulation was able to install the system way faster, and the GUI is 10x smoother and bearable to work in now.
