Critical Linux Kernel Double Free Vulnerability Let Attackers Escalate Privileges


A severe double-free vulnerability has been discovered in the Linux kernel’s NFT (netfilter) subsystem, specifically within the pipapo set module. 

This critical security flaw allows unprivileged attackers to achieve local privilege escalation by exploiting kernel memory corruption through specially crafted netlink messages.

Key Takeaways
1. Double-free bug in Linux kernel's NFT subsystem (versions 5.6-rc1 to 6.13-rc3) allows local privilege escalation.
2. Uninitialized stack variable in nft_add_set_elem function creates memory corruption when CONFIG_INIT_STACK_ALL_ZERO is disabled.
3. Attackers send crafted netlink messages to trigger the double-free by deleting a set element and then the entire set.
4. Enable CONFIG_INIT_STACK_ALL_ZERO and apply netfilter patch to properly initialize vulnerable structures.

Linux Kernel Double Free Vulnerability

The vulnerability resides in the nft_add_set_elem function located in net/netfilter/nf_tables_api.c, where an uninitialized stack variable, struct nft_set_elem elem, is the source of the security flaw. 


According to the SSD advisory, the issue occurs when the CONFIG_INIT_STACK_ALL_ZERO configuration option is disabled, leaving uninitialized data on the stack that contaminates the element key during processing.

The vulnerable code path processes user-supplied NFTA_SET_ELEM_KEY data but only initializes memory up to the key length (klen), leaving remaining buffer contents with uninitialized stack data. 

This uninitialized memory typically contains pointers from previous kernel function calls, which triggers the double-free condition when the pipapo set attempts to remove elements.


The exploitation process involves a sophisticated heap exploitation technique that achieves KASLR bypass and establishes an arbitrary write primitive. Attackers can trigger the vulnerability by following these steps:

  • Initial Setup: Create a netfilter table and pipapo set with specific field configurations that generate uninitialized padding bytes.
  • First Free: Delete the set element, causing the first deallocation of elem->priv while the element remains referenced in the pipapo set.
  • Second Free: Delete the entire set, triggering the second deallocation of the same memory region.

The vulnerability affects Linux kernel versions 5.6-rc1 through 6.13-rc3 and requires specific kernel configurations including CONFIG_NETFILTER=y, CONFIG_NF_TABLES=y, CONFIG_USER_NS=y, and critically, CONFIG_INIT_STACK_ALL_ZERO=n. 

The exploit leverages the fact that the elem->priv structure can range from 32 to 256 bytes in size, providing flexibility for kmalloc cache targeting.

Mitigation 

This vulnerability presents significant security risks as it provides a reliable double-free primitive that can be exploited for local privilege escalation. 

The attack achieves high stability through brute-force techniques that identify optimal key lengths for triggering the bug on specific kernel configurations.

Effective mitigation strategies include enabling the CONFIG_INIT_STACK_ALL_ZERO kernel compilation option, which initializes local variables to zero and prevents the uninitialized data contamination. 

Additionally, applying the available patch from the netfilter development team addresses the root cause by properly initializing the elem structure.
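The following triage helper is an added example written for this article, not code from the advisory or the netfilter project. It checks a kernel .config and version string against the prerequisites the article lists (CONFIG_NETFILTER, CONFIG_NF_TABLES, CONFIG_USER_NS enabled and CONFIG_INIT_STACK_ALL_ZERO disabled, on 5.6-rc1 through 6.13-rc3). It assumes that a module build (=m) counts as enabled, and the version check is only a heuristic because distribution kernels backport fixes without changing the upstream version number; the sample config is constructed.

```python
import re

# Affected upstream range as stated in the article.
AFFECTED_FIRST = "5.6-rc1"
AFFECTED_LAST = "6.13-rc3"

# Options the article names as required for the bug to be reachable.
# Assumption: built-in (=y) and module (=m) both count as enabled.
REQUIRED_ENABLED = ("CONFIG_NETFILTER", "CONFIG_NF_TABLES", "CONFIG_USER_NS")
MITIGATION = "CONFIG_INIT_STACK_ALL_ZERO"

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_version(s):
    """Turn '6.12.5', '6.13-rc3' or '6.8.0-45-generic' into a sortable tuple.
    A release candidate sorts before the final release of the same version."""
    m = _VER_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised kernel version: {s!r}")
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def in_affected_range(version):
    return parse_version(AFFECTED_FIRST) <= parse_version(version) <= parse_version(AFFECTED_LAST)


def parse_config(text):
    """Parse Kconfig .config text; '# CONFIG_X is not set' becomes 'n'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        unset = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if unset:
            cfg[unset.group(1)] = "n"
            continue
        kv = re.match(r"^(CONFIG_\w+)=(.+)$", line)
        if kv:
            cfg[kv.group(1)] = kv.group(2)
    return cfg


def assess(config_text, version):
    """Report whether this config/version combination matches the article's exposure conditions."""
    cfg = parse_config(config_text)
    prereqs = all(cfg.get(opt) in ("y", "m") for opt in REQUIRED_ENABLED)
    mitigated = cfg.get(MITIGATION) == "y"
    in_range = in_affected_range(version)
    return {"version_in_range": in_range, "prereqs_present": prereqs,
            "init_stack_all_zero": mitigated,
            "exposed": in_range and prereqs and not mitigated}


# Constructed sample .config fragment, not taken from any real system.
SAMPLE_CONFIG = """\
CONFIG_NETFILTER=y
CONFIG_NF_TABLES=m
CONFIG_USER_NS=y
# CONFIG_INIT_STACK_ALL_ZERO is not set
"""
```

On a live host, feed it the contents of /boot/config-$(uname -r) (or zcat /proc/config.gz) and the output of uname -r; a report of exposed=True still needs to be confirmed against the distribution's patch status.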

The vulnerability’s similarity to CVE-2023-4004 highlights recurring patterns in kernel memory management issues, emphasizing the importance of proper variable initialization and comprehensive stack protection mechanisms in kernel development.
