A critical Proof-of-Concept (PoC) exploit has been released for a significant vulnerability in the Linux kernel\u2019s nftables subsystem, tracked as CVE-2024-26809.\u00a0<\/p>\n
This flaw, rooted in the kernel\u2019s netfilter infrastructure, exposes affected systems to local privilege escalation<\/a> through a sophisticated double-free attack.\u00a0<\/p>\n Security researchers, including the user \u201cconlonialC,\u201d have demonstrated how this bug can be weaponized to achieve root-level access, underscoring the urgency for system administrators to apply available patches.<\/p>\n The vulnerability resides in the nftables subsystem, which is designed to replace legacy packet filtering frameworks like iptables and ip6tables.\u00a0<\/p>\n nftables relies on several core kernel components, including the nft_set_pipapo structure, to manage sets of filtering rules.\u00a0<\/p>\n The flaw specifically affects the nft_pipapo_destroy() function within the kernel\u2019s net\/netfilter module.\u00a0<\/p>\n Under certain conditions, this function may attempt to free the same memory region twice-a classic double-free scenario-when a set is marked as \u201cdirty\u201d and contains overlapping elements in both its \u201cmatch\u201d and \u201cclone\u201d representations.<\/p>\n The vulnerable code path can be summarized as follows:<\/p>\n Here, if the set is dirty, nft_set_pipapo_match_destroy() may be called twice on elements that exist in both \u201cmatch\u201d and \u201cclone,\u201d leading to a double-free condition.<\/p>\n The released<\/a> PoC exploit, authored by conlonialC, meticulously demonstrates how to leverage this vulnerability for local privilege escalation.\u00a0<\/p>\n The attack begins with the creation of a pipapo set and the insertion of multiple elements to ensure the set is marked as dirty.\u00a0<\/p>\n The attacker then triggers the destruction of the set, causing the kernel to free the same set elements twice. This double-free corrupts the kernel\u2019s heap, specifically targeting the kmalloc-256 object cache, which is commonly used for kernel object allocations.<\/p>\n By carefully orchestrating heap allocations and deallocations, the exploit achieves several advanced objectives:<\/p>\n A crucial part of the exploit involves manipulating the kernel\u2019s internal data structures to gain control over the instruction pointer (RIP).\u00a0<\/p>\n The attacker crafts a fake nft_expr object and uses a ROP gadget to pivot the stack, ultimately executing arbitrary code in kernel context.\u00a0<\/p>\n The exploit\u2019s reliability is enhanced by its ability to reclaim freed heap chunks and leak kernel addresses, bypassing common mitigations.<\/p>\n The following excerpt illustrates the heap manipulation and ROP setup used in the PoC:<\/p>\n This sequence demonstrates how the attacker redirects execution to a custom ROP gadget, culminating in root access.<\/p>\n CVE-2024-26809 affects Linux kernel<\/a> versions 5.15.54 and later, including the 6.1 and 6.6 LTS branches.\u00a0<\/p>\n The vulnerability has been addressed in recent kernel updates, with distributions such as Debian, Ubuntu, and SUSE releasing patches for all supported versions.\u00a0<\/p>\n The fix ensures that elements are only released from the \u201cclone\u201d path during set destruction, preventing double-free conditions.<\/p>\n System administrators are strongly advised to apply the latest security updates immediately. Unpatched systems remain vulnerable to local attackers who can exploit this flaw to gain full control over affected machines.<\/p>\n The public release of a functional exploit for CVE-2024-26809 marks a significant escalation in the threat landscape for Linux servers and workstations.\u00a0<\/p>\n The exploit showcases advanced heap manipulation and kernel exploitation<\/a> techniques, making it a potent tool for attackers.\u00a0<\/p>\n Prompt patching and adherence to security best practices are essential to mitigate the risk posed by this vulnerability.<\/p>\n Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points \u2013 Free Webinar<\/a><\/strong><\/p>\n The post PoC Exploit Released For Linux Kernel\u2019s nftables Subsystem Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Overview of CVE-2024-26809<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXd2Xx2DgTzvEVawsiHpzBJd8E37IJd0YjAhSWqp4QSXAy_gR5jiXZm5uo82jzE77cfnmcWw_0ycU-ESP_Upn-sI63qDP19J5ERFosuXdd9X6zFWcYqEZNygDg9ghDjWo6zAG3JN?key=BBbECsWVhhDWxpbNzMhkJA\")
Exploitation Process\u00a0<\/strong><\/h2>\n
\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfqnOlchAGtb_BUJMRoEa7-ASN0gDSfo8D6eJV-pk9Dz-n6xZhjljlE0Ac6IMcFCq4Savd-ehTU8RqmGmPuh0_8KqPrL1nz8wZZ7KpeUvilu-g0koB8Y75z6sSF89TaxtqPPHN06Q?key=BBbECsWVhhDWxpbNzMhkJA\")
Affected Versions\u00a0<\/strong><\/h2>\n