A Linux privilege-escalation proof-of-concept exploit has been published that, according to the bug hunter who developed it, typically works effortlessly on kernel versions between at least 5.14 and 6.6.14.
Running the exploit as a normal user on a vulnerable machine will grant you root access to the box, allowing you to do whatever you want on it. This can be used by rogue insiders or malware already on a computer to cause further damage and problems.
This affects Debian, Ubuntu, Red Hat, Fedora, and no doubt other Linux distributions. The flaw finder, known by the handle Notselwyn, issued a highly detailed technical report of the bug this week, and said their exploit had a success rate of 99.4 percent on kernel 6.4.16, for instance.
The vulnerability is tracked as CVE-2024-1086. It is rated 7.8 out of 10 in terms of CVSS severity. It was patched at the end of January, updates have been rolling out since then, and if you haven’t yet upgraded your vulnerable kernel and local privilege escalation (LPE) is a concern, take a closer look at this thing.
“Never had I ever gotten so much joy developing a project, specifically when dropping the first root shell with the bug,” Notselwyn enthused.
The flaw is a double-free bug in the Linux kernel’s netfilter component involving nf_tables. As the US National Vulnerability Database explained:
All of that can lead to a crash or arbitrary code execution in the kernel upon exploitation. Before heading out for the Easter weekend we’d suggest patching first, again if LPE is a critical issue for you, so the only headache that greets you on Monday morning is pain from too much chocolate.
In their analysis, Notselwyn details the steps needed to drop a universal root shell on nearly all affected Linux kernels using CVE-2024-1086. This includes a particularly interesting method that builds on an earlier Linux kernel universal exploit technique, dubbed Dirty Pagetable, that involves abusing heap-based bugs to manipulate page tables to gain unauthorized control over a system’s memory and thus operation.
The latest method has been called Dirty Pagedirectory, and Notselwyn says it allows unlimited, stable read/write access to all memory pages in a Linux system, which would give an attacker full control over the box:
Notselwyn has also shared the source code to an exploit PoC, which is “trivial” to run.
Exploiting the bug requires that the unprivileged-user namespaces option be set to access nf_tables, which is enabled by default on Debian, Ubuntu, and other major distributions. An attacker would then need to trigger a double-free, scan the physical memory for the kernel base address, bypassing KASLR, and then access the modprobe_path kernel variable with read/write privileges.
After overwriting the modprobe_path, the exploit starts a root shell, and then it’s game over. ®
Laura Adams is a tech enthusiast residing in the UK. Her articles cover the latest technological innovations, from AI to consumer gadgets, providing readers with a glimpse into the future of technology.
