LPE exploit for CVE-2022-32250 - a Use-After-Free vulnerability in netfilter.
My write-up of the vulnerability: Conquering a Use-After-Free in nf_tables: Detailed Analysis and Exploitation of CVE-2022-32250
Building requires libmnl and libnftnl.
gcc exploit.c -o exploit -lmnl -lnftnl
The vulnerability impacts both versions that have only KMALLOC_NORMAL caches and those that also have KMALLOC_CGROUP. When making the exploit I only used primitives that would work in both cases - however, testing was conducted on 5.12, which has just KMALLOC_NORMAL caches. In theory it works in both cases - in practice, it might take a little bit of work.
The reliability of the exploit is reasonable - bottlenecked by the key limit in Linux which limits our object spraying capabilities (the limit is 200 for non-root users).
The exploit is a Proof-of-Concept and is able to achieve local privilege escalation on 5.12.0. It was not my goal to weaponize it, so I cannot at all speak about its reliability on any other version.
The Proof-of-Concept and the write-up of the vulnerability are for educational and research purposes only. Use at your own risk.