StackRot Linux Kernel Vulnerability Shows Exploitability of UAFBR Bugs


A researcher has disclosed a Linux kernel vulnerability that he claims is the first to demonstrate that a type of bug called use-after-free-by-RCU (UAFBR) is exploitable.

The vulnerability, named StackRot and officially tracked as CVE-2023-3269, was reported to Linux kernel developers on June 15 by researcher Ruihan Li. 

The flaw has been present in the kernel since version 6.1 and patches were made available on July 1 with the release of versions 6.1.37, 6.3.11 and 6.4.1.

The researcher made public some information on StackRot this week, but a complete exploit and a detailed write-up are expected to be released at the end of July. 

According to the researcher, the issue impacts the memory management subsystem and it can allow an unprivileged local user to compromise the kernel and escalate privileges. 

While nearly all kernel configurations are affected and minimal capabilities are required to trigger the bug, the researcher pointed out that exploiting the vulnerability is not easy.

“The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues,” he explained. 

Advertisement. Scroll to continue reading.

“However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging,” he added. 

The researcher believes there are no other publicly available exploits targeting these UAFBR bugs and this is the first time it has been proven that they are exploitable. 

The exploit has been executed in the kCTF Kubernetes-based environment for CTF competitions provided by Google. 

Related: CISA Says ‘PwnKit’ Linux Vulnerability Exploited in Attacks

Related: CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware

Related: Polkit Vulnerability Provides Root Privileges on Linux Systems



Source link