15-Year-Old Linux Netfilter Vulnerability Let Hackers Bypass All Modern Security Mitigations

https://gbhackers.com/15-year-old-linux-netfilter-vulnerability/

Intensifying Privileges.

Exploitation Chain

An Information Security Engineer, Andy Nguyen has actually just recently found a 15-Year-Old Linux Netfilter vulnerability that permits any attackers to bypass all the modern-day security steps.

Here, the specialist has actually claimed that the syscall msgsnd() is currently used for several public exploits since for heap spraying the syscall msgsnd() is a widely known primitive, and not just that even it likewise uses the “GFP_KERNEL_ACCOUNT.”.

The security professional, Andy said that he will not able to designate any victim objects around struct xt_table_info on kernel 5.4 while he was messing around some victim items.

Kernel ROP chain: In this chain, later on to resume the execution procedure at some scratchpad address in kernel Andy conserved the worth of RBP. And here to set up kernel qualifications, he summoned commit_creds( prepare_kernel_cred( NULL)) and later to switch the namespace of process 1 to the one of the init procedure summoned switch_task_namespaces( find_task_by_vpid( 1 ), init_nsproxy).

While by learning more than DATALEN_MSG bytes the main message content could be leaked, and here, from the primary message the dripped mlist.next guideline exposes the secondary message.

by names like TCPMSS, TTL, or NFQUEUE, a user can choose various targets with different structure sizes; but, here, the user wont be able to manage the targetsize.

With 0x4C bytes primitive the typical targets are:-.

Now an aggressor can follow the struct msg_msg header and spray a great deal of messages with the assistance of unix sockets. An attacker can easily re-craft the phony struct msg_msg after understanding the address of a primary message.

Netfilter Vulnerability

Here, Andy affirmed that the security defect is in the “xt_compat_target_from_user()” where with an offset target->> targetsize “memset()” is convoked.

Apart from this, Andy also noted that in parallel to his own research of March 2021, among the security scientists, Alexander Popov likewise passed through a comparable structure in Four Bytes of Power that made use of the flaw “CVE-2021-26708” in the Linux kernel.

Escaping the container and popping a root shell: In this case, to change mnt, pid, and net namespaces to collapse and leave the container out of the kubernetes pod an assaulter will have the root consents.

In order to be prepared by the native functions, the structures need to be transformed from user to kernel in addition to 32-bit to 64-bit, when in the compatibility mode the IPT_SO_SET_REPLACE or IP6T_SO_SET_REPLACE is summoned.

Cybersecurity experts have tracked this 15-Year-Old Linux Netfilter vulnerability as “CVE-2021-22555,” and apart from security mitigations, they have actually likewise claimed that by exploiting this flaw threat stars can likewise achieve kernel code execution.

Utilizing the msgget() an aggressor can quickly initiate numerous message queues, later an opponent can develop a single message of the size of the overall message queues and send them utilizing msgsnd() for each of the message lines, that is understood as main message.

According to Jann Horn earlier to implement accounting different pieces were used prior to 5.9; thats why in the exploit chain the primitive used by Andy needs to likewise utilize the “GFP_KERNEL_ACCOUNT.”.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

In order to trigger the release that will start the JOP chain the last phase of the make use of need to close all the pipelines. And in order to execute a kernel ROP chain, rapidly attaining a kernel stack pivot is necessary, considering that, finding JOP gadgets is quite difficult.