kernelCTF: add CVE-2023-3390_lts_cos_mitigation (#40)

* kernelCTF: add CVE-2023-3390_lts_cos_mitigation

* Update pocs/linux/kernelctf/CVE-2023-3390_lts_cos_mitigation/metadata.json

Co-authored-by: Tamás Koczka <[email protected]>

* Update pocs/linux/kernelctf/CVE-2023-3390_lts_cos_mitigation/metadata.json

Co-authored-by: Tamás Koczka <[email protected]>

* Update pocs/linux/kernelctf/CVE-2023-3390_lts_cos_mitigation/metadata.json

Co-authored-by: Tamás Koczka <[email protected]>

* Remove exploit archive file

* Rename directory exploit/refined to exlpoit/extra-refined

* Remove user interaction from lts/mitigation exploits

* Rename directory exploit/cos-105-17412-101.17 to exlpoit/cos-105-17412.101.17

* Updata Makefile

* Update Makefile (Add pkgconfig of libmnl)

* Update Makefile (remove current pkgconfig env)

* Updatae Makefile (fix typo on pkgconfig path)

* Update Makefile (Add include path for libnftnl build)

* Update Makefile (Fix include/library paths)

---------

Co-authored-by: Tamás Koczka <[email protected]>

pocs/linux/kernelctf/CVE-2023-3390_lts_cos_mitigation/README.md

@@ -0,0 +1,27 @@
+# CVE-2023-3390_lts_cos_mitigation
+Vulnerability and Exploit descriptions for CVE-2023-3390
+## Directory structure
+* [README.md](./README.md)
+* [metadata.json](./metadata.json)
+* [exploit](./exploit)
+    * [lts-6.1.31](./exploit/lts-6.1.31)
+        * [exploit.c](./exploit/lts-6.1.31/exploit.c)
+        * [exploit](./exploit/lts-6.1.31/exploit)
+        * [Makefile](./exploit/lts-6.1.31/Makefile)
+    * [cos-105-17412.101.17](./exploit/cos-105-17412.101.17)
+        * [exploit.c](./exploit/cos-105-17412.101.17/exploit.c)
+        * [exploit](./exploit/cos-105-17412.101.17/exploit)
+        * [Makefile](./exploit/cos-105-17412.101.17/Makefile)
+    * [mitigation-6.1](./exploit/mitigation-6.1)
+        * [exploit.c](./exploit/mitigation-6.1/exploit.c)
+        * [exploit](./exploit/mitigation-6.1/exploit)
+        * [Makefile](./exploit/mitigation-6.1/Makefile)
+    * [extra-refined](./exploit/extra-refined)
+        * [exploit.c](./exploit/extra-refined/exploit.c)
+        * [exploit](./exploit/extra-refined/exploit)
+        * [Makefile](./exploit/extra-refined/Makefile)
+* [docs](./docs)
+    * [vulnerability.md](./docs/vulnerability.md)
+    * [novel-techniques.md](./docs/novel-techniques.md)
+    * [exploit.md](./docs/exploit.md)
+

pocs/linux/kernelctf/CVE-2023-3390_lts_cos_mitigation/docs/vulnerability.md

@@ -0,0 +1,32 @@
+# Vulnerability
+
+A use-after-free vulnerability was found in the Linux kernel's Netfilter nf_tables subsystem (`net/netfilter/nf_tables_api.c`). Mishandled error handling with `NFT_MSG_NEWRULE` makes it possible to use a dangling pointer in the same transaction, causing a use-after-free vulnerability. This flaw leads to local privilege escalation (LPE).
+
+## Requirements to trigger the vulnerability:
+- Capabilities: To trigger the vulnerability, `CAP_NET_ADMIN` capability is required to access the Netfilter system.
+- Kernel configuration: Kernel configs related to the Netfilter nf_tables system (e.g., `CONFIG_NETFILTER`, `CONFIG_NF_TABLES`) are required to trigger this vulnerability. This config is generally enabled by default (ex. x86_64_defconfig).
+- Are user namespaces needed?:  Yes. As this vulnerability requires `CAP_NET_ADMIN`, which is not usually given to the normal user, we used the unprivileged user namespace to achieve this capability.
+
+## Commit which introduced the vulnerability
+- This vulnerability was introduced in Linux v3.1-rc1, with commit [958bee14d0718ca7a5002c0f48a099d1d345812a](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=958bee14d0718ca7a5002c0f48a099d1d345812a)
+- This commit introduced a new functionality that uses a transaction infrastructure to handle the nf_tables set struct.
+
+## Commit which fixed the vulnerability
+- This vulnerability was fixed in Linux v6.4-rc1, with commit [1240eb93f0616b21c675416516ff3d74798fdc97](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1240eb93f0616b21c675416516ff3d74798fdc97)
+- This commit fixes mishandled error path in `NFT_MSG_NEWRULE`, which incorrectly deactivates the anonymous set and causes a dangling pointer of the anonymous set in the same transaction context.
+
+## Affected kernel versions
+- Linux version v.3.1-rc1 ~ v6.4-rc1 affects to this vulnerability
+- For LTS versions, lower versions of the versions below are affected by this vulnerability
+    - ~ v6.1.35
+    - ~ v5.15.118
+
+## Affected component, subsystem
+- net/netfilter (nf_tables)
+
+## Cause (UAF, BoF, race condition, double free, refcount overflow, etc)
+- Use-after-free
+
+## Which syscalls or syscall parameters are needed to be blocked to prevent triggering the vulnerability? (If there is any easy way to block it.)
+- Disable syscalls for Netfilter (specifically, Netfilter nf_tables) system (ex. `socket`, `sendmsg` with Netlink socket) to prevent this vulnerability.
+- Disable syscalls for unprivileged user namespace (ex. `clone`, `unshare`) can reduce the attack surface since the Netfilter system requires `CAP_NET_ADMIN` to use.

pocs/linux/kernelctf/CVE-2023-3390_lts_cos_mitigation/exploit/cos-105-17412.101.17/Makefile

@@ -0,0 +1,41 @@
+CC ?= gcc
+SRCS := ./exploit.c
+TARGET := exploit
+LIBMNL_DIR = $(realpath ./)/libmnl_build
+LIBNFTNL_DIR = $(realpath ./)/libnftnl_build
+
+CFLAGS = -w -static -Wall 
+LIBS = -L$(LIBMNL_DIR)/install/usr/local/lib -L$(LIBNFTNL_DIR)/install/usr/local/lib -lnftnl -lmnl 
+INCLUDES = -I$(LIBMNL_DIR)/install/usr/local/include -I$(LIBNFTNL_DIR)/install/usr/local/include
+
+$(TARGET) : libmnl-build libnftnl-build
+	$(CC) $(CFLAGS) $(SRCS) -o $(TARGET) $(INCLUDES) $(LIBS) 
+
+libmnl-build : libmnl-download
+	tar -C $(LIBMNL_DIR) -xvf $(LIBMNL_DIR)/libmnl-1.0.5.tar.bz2
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && ./configure --enable-static
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make -j`nproc`
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && mkdir ../install && make DESTDIR=`realpath ../install` install
+
+libnftnl-build : libmnl-build libnftnl-download
+	tar -C $(LIBNFTNL_DIR) -xvf $(LIBNFTNL_DIR)/libnftnl-1.2.1.tar.bz2
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.1 && PKG_CONFIG_PATH=$(LIBMNL_DIR)/install/usr/local/lib/pkgconfig ./configure --enable-static
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.1 && C_INCLUDE_PATH=$(C_INCLUDE_PATH):$(LIBMNL_DIR)/install/usr/local/include LD_LIBRARY_PATH=$(LD_LIBRARY_PATH):$(LIBMNL_DIR)/install/usr/local/lib make  -j`nproc`
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.1 && mkdir ../install && make DESTDIR=`realpath ../install` install
+
+libmnl-download :
+	mkdir $(LIBMNL_DIR)
+	wget -P $(LIBMNL_DIR) https://netfilter.org/projects/libmnl/files/libmnl-1.0.5.tar.bz2 
+
+
+libnftnl-download :
+	mkdir $(LIBNFTNL_DIR)
+	wget -P $(LIBNFTNL_DIR) https://netfilter.org/projects/libnftnl/files/libnftnl-1.2.1.tar.bz2
+
+.PHONY: libmnl-build libnftnl-build libmnl-download libnftnl-download clean
+clean:
+	rm -f $(TARGET)
+	if [ -d  $(LIBMNL_DIR)/libmnl-1.0.5 ]; then cd $(LIBMNL_DIR)/libmnl-1.0.5 && make DESTDIR=`realpath ../install` uninstall; fi
+	if [ -d $(LIBNFTNL_DIR)/libnftnl-1.2.1 ]; then cd $(LIBNFTNL_DIR)/libnftnl-1.2.1 && make DESTDIR=`realpath ../install` uninstall; fi
+	rm -rf $(LIBMNL_DIR)
+	rm -rf $(LIBNFTNL_DIR)