google · matrizzo · Jan 10, 2025 · Aug 7, 2024
diff --git a/pocs/linux/kernelctf/CVE-2024-27397_mitigation/docs/exploit.md b/pocs/linux/kernelctf/CVE-2024-27397_mitigation/docs/exploit.md
diff --git a/pocs/linux/kernelctf/CVE-2024-27397_mitigation/docs/vulnerability.md b/pocs/linux/kernelctf/CVE-2024-27397_mitigation/docs/vulnerability.md
@@ -0,0 +1,16 @@
+- Requirements:
+    - Capabilites: CAP_NET_ADMIN
+    - Kernel configuration: CONFIG_NF_TABLES=y
+    - User namespaces required: Yes
+- Introduced by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=c3e1b005ed1c
+- Fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7395dfacfff65e9938ac0889dafa1ab01e987d15
+- Affected Version: v4.1 - v6.8
+- Affected Component: netfilter, nftables
+- URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27397
+- Cause: Use-After-Free
+
+A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
+NFT sets and their elements can have associated timeouts.
+These timeouts are checked against the live system clock to assess expiration (see `nft_set_elem_expired` in `nf_tables.h`).
+This causes issues when the elements expire during a transaction, leading to an asymmetric clean-up operation in a potential transaction
+rollback, missing f. e. required reference count updates.
diff --git a/pocs/linux/kernelctf/CVE-2024-27397_mitigation/exploit/mitigation-v3-6.1.55/Makefile b/pocs/linux/kernelctf/CVE-2024-27397_mitigation/exploit/mitigation-v3-6.1.55/Makefile
@@ -0,0 +1,6 @@
+
+exploit: exploit.c netlink.c
+	$(CC) -O3 -ggdb -static -Wall -lpthread -o $@ $^
+
+real_exploit: exploit.c netlink.c
+	$(CC) -O3 -ggdb -static -Wall -lpthread -DKASLR_BYPASS_INTEL=1 -o exploit $^
diff --git a/pocs/linux/kernelctf/CVE-2024-27397_mitigation/exploit/mitigation-v3-6.1.55/exploit b/pocs/linux/kernelctf/CVE-2024-27397_mitigation/exploit/mitigation-v3-6.1.55/exploit