From 227f0e406d7f36915d53b280ab470265d5ad0778 Mon Sep 17 00:00:00 2001 From: kevinrich1337 Date: Sun, 29 Sep 2024 01:41:16 -0700 Subject: [PATCH] update exploit.md --- .../linux/kernelctf/CVE-2023-4147_lts_cos/docs/exploit.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pocs/linux/kernelctf/CVE-2023-4147_lts_cos/docs/exploit.md b/pocs/linux/kernelctf/CVE-2023-4147_lts_cos/docs/exploit.md index 2b73c65cd..aaffaff5d 100644 --- a/pocs/linux/kernelctf/CVE-2023-4147_lts_cos/docs/exploit.md +++ b/pocs/linux/kernelctf/CVE-2023-4147_lts_cos/docs/exploit.md @@ -38,7 +38,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, We can trigger the vulnerability in LTS as follows: -- Create three chains, `Base`, `Vulnerable`, and `Victim`. Set `NFT_CHAIN_BINDING` flag for `Vulnerable`. +- Create three chains, `Base`, `Vulnerable`, and `Victim`. Set `NFT_CHAIN_BINDING` flag for `Vulnerable`. If a chain with the `NFT_CHAIN_BINDING` flag set is bound to an immediate expr, when this expr is destroyed, the bound chain and its rules will also be destroyed. - Create a rule in `Base` with an immediate expr referencing the `Vulnerable`. - Create a rule in `Vulnerable` with an immediate expr referencing `Victim`. - Trigger the vulnerability by replacing the rule in `Vulnerable`. This results in the `Victim` having a reference count of 0 `(nft_chain->use)`. 
@@ -46,7 +46,7 @@ We can trigger the vulnerability in LTS as follows: We can trigger the vulnerability in COS as follows: -- Create two chains, `Base` and `Vulnerable`. Set `NFT_CHAIN_BINDING` flag for `Vulnerable`. +- Create two chains, `Base` and `Vulnerable`. Set `NFT_CHAIN_BINDING` flag for `Vulnerable`. If a chain with the `NFT_CHAIN_BINDING` flag set is bound to an immediate expr, when this expr is destroyed, the bound chain and its rules will also be destroyed. - Create an anonymous set `Victim`. - Create a set element in set `Victim`. - Create a rule `R1` in `Base` with an `immediate expr` referencing the `Vulnerable`. @@ -77,7 +77,7 @@ static void nft_commit_release(struct nft_trans *trans) The KASLR address is leaked through `chain->name`, which is stored in the verdict data of the immediate expr (`nft_immediate_expr.data.verdict`). The leak process is as follows: -- Create three chains, `Base`, `Vulnerable`, and `Victim`. Set `NFT_CHAIN_BINDING` flag for `Vulnerable`. +- Create three chains, `Base`, `Vulnerable`, and `Victim`. Set `NFT_CHAIN_BINDING` flag for `Vulnerable`. If a chain with the `NFT_CHAIN_BINDING` flag set is bound to an immediate expr, when this expr is destroyed, the bound chain and its rules will also be destroyed. - Create a rule in `Base` with an immediate expr referencing the `Vulnerable`. - Create a rule in `Vulnerable` with an immediate expr referencing `Victim`. - Trigger the vulnerability by replacing the rule in `Vulnerable`. This results in the `Victim` having a reference count of 0 `(nft_chain->use)`. 
@@ -293,7 +293,7 @@ Starting with commit [4bedf9ee] (https://git.kernel.org/pub/scm/linux/kernel/git The KASLR address and heap address are leaked through `nft_rule` allocated in `kmalloc-cg-192`. The leak process is as follows: -- Create four chains, `Base`, `Vulnerable`, `Chain_Victim`, and `Target`. Set `NFT_CHAIN_BINDING` flag for `Vulnerable`. +- Create four chains, `Base`, `Vulnerable`, `Chain_Victim`, and `Target`. Set `NFT_CHAIN_BINDING` flag for `Vulnerable`. If a chain with the `NFT_CHAIN_BINDING` flag set is bound to an immediate expr, when this expr is destroyed, the bound chain and its rules will also be destroyed. - Create chains `Chain_Victim2_n`. In this exploit, 0x30 chains are sprayed. - Create an anonymous rhash set `Set_Victim`. - Create a set element in set `Set_Victim`. The element is allocated in `kmalloc-cg-256`.
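Review bot: In the first hunk (`@@ -38,7`, the LTS trigger list) the added sentence explains what happens "when this expr is destroyed", but none of the four bullets says which step destroys the immediate expr in `Base` that `Vulnerable` is bound to, so the reader cannot connect the mechanism to the trigger. Name the destroying step explicitly, or move the sentence next to the bullet where the destruction actually occurs, and while touching the line fix the article: "Set the `NFT_CHAIN_BINDING` flag on `Vulnerable`".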
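Review bot: In the second hunk (`@@ -46,7`, the COS trigger list) the same explanatory sentence is pasted verbatim again; since this list follows the LTS one a few lines earlier, a short back-reference ("as in the LTS case above") keeps the document from carrying four identical copies, or define the binding semantics once near the `nf_tables_newrule` excerpt and refer to it. Also normalise the formatting within this list: `R1` uses "`immediate expr`" in backticks while the other bullets write it as plain text, and "referencing the `Vulnerable`" should drop "the".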
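Review bot: In the third hunk (`@@ -77,7`, the KASLR leak list) the surrounding context already states that the chain reference lives in the verdict data of the immediate expr (`nft_immediate_expr.data.verdict`), so the new sentence should be phrased in those terms rather than the vaguer "bound to an immediate expr", e.g. "If an immediate expr's verdict references a chain that has `NFT_CHAIN_BINDING` set, the chain is bound to that expr, and destroying the expr also destroys the chain and its rules." That ties the leak primitive to the mechanism the reader needs.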
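Review bot: In the fourth hunk (`@@ -293,7`, the `kmalloc-cg-192` leak list) the modified bullet now packs four chain names, the flag setting and the binding explanation into one line; split it so the chain creation and the `NFT_CHAIN_BINDING` explanation are separate bullets, matching the one-action-per-bullet style of the rest of the list (`Chain_Victim2_n` spray, `Set_Victim` creation, element allocation each get their own line). The duplicated sentence should likewise be a back-reference rather than a fourth copy.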