New Technique Uncovered To Exploit Linux Kernel Use-After-Free Vulnerability

A new technique to exploit a complex use-after-free (UAF) vulnerability in the Linux kernel successfully bypasses modern security mitigations to gain root privileges.

The method targets CVE-2024-50264, a difficult-to-exploit race condition bug in the AF_VSOCK subsystem that was recognized with a Pwnie Award for its complexity. The vulnerability, introduced in Linux v4.8, presents significant challenges for exploitation.

According to Alexander Popov, an unprivileged user can trigger the bug, but it comes with severe limitations, including an unstable race condition, an extremely short time window for memory corruption, and multiple ways for the kernel to crash during the attempt.

The original exploit strategy was highly complex, involving large-scale memory sprays and advanced techniques like SLUBStick and Dirty Pagetable.

Linux Kernel Use-After-Free Vulnerability

Seeking a simpler path, the researcher devised a new approach centered on the msg_msg kernel object. The core of the new method is a technique that allows for the corruption of an msg_msg object without causing the kernel to hang.

Typically, a UAF write on this object would fail because a pointer field, m_list.prev, would be non-zero, causing a system hang when the kernel tries to acquire a spinlock.

The researcher’s solution involves a clever manipulation of the message queue:

1. The message queue is filled almost to capacity, leaving only a few bytes of free space.
2. The exploit then attempts to send the target msg_msg objects. Because the queue is full, the kernel allocates the objects but blocks the msgsnd() system call, forcing it to wait for space.
3. While the system call is blocked, the UAF is triggered, corrupting fields within the waiting msg_msg object.
4. Finally, space is freed in the message queue, allowing the blocked system call to resume. The kernel then proceeds to add the corrupted msg_msg object to its queue, conveniently fixing the corrupted list pointers in the process and avoiding a crash.

This technique effectively creates a reliable exploit primitive from a UAF write, even under difficult conditions, without needing a prior kernel information leak.

Bypassing Kernel Defenses

To successfully execute the attack, several other hurdles had to be overcome.

The researcher used a cross-cache attack to replace the freed virtio_vsock_sock object with the msg_msg object, navigating around kernel hardening features like CONFIG_RANDOM_KMALLOC_CACHES. The UAF write also occurred too quickly for this attack to work reliably.

To solve this, a technique was used to slow down the responsible kernel worker by overwhelming it with notifications from timerfd and epoll instances, widening the race window significantly, Alexander said.

This msg_msg corruption was used to achieve an out-of-bounds read, leaking kernel memory that included the address of the process’s credentials (struct cred).

With this information, a second UAF was performed against a pipe_buffer object to gain arbitrary address read and write capabilities.

This allowed the attacker to directly modify the process credentials and escalate privileges to root, completing the data-only attack.

The entire exploit development process was refined using kernel-hack-drill, a custom testing environment for experimenting with kernel exploit primitives in a controlled manner.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.