Easy privilege escalation exploit lands for Linux kernels

Summary: A new Linux privilege-escalation exploit has been discovered, allowing users to gain root access to vulnerable machines. The exploit affects various Linux distributions and has a high success rate on certain kernel versions.

Key Point:
⭐ Exploit grants root access to vulnerable Linux machines
⭐ Vulnerability tracked as CVE-2024-1086 with a severity rating of 7.8
⭐ Patch released at the end of January, but updates are still rolling out
⭐ Exploit technique involves manipulating page tables to gain unauthorized control over system memory
⭐ Source code for exploit PoC is available on GitHub


A Linux privilege-escalation proof-of-concept exploit has been published that, according to the bug hunter who developed it, typically works effortlessly on kernel versions between at least 5.14 and 6.6.14. 

Running the exploit as a normal user on a vulnerable machine will grant you root access to the box, allowing you to do whatever you want on it. This can be used by rogue insiders or malware already on a computer to cause further damage and problems.

This affects Debian, Ubuntu, Red Hat, Fedora, and no doubt other Linux distributions. The flaw finder, known by the handle Notselwyn, issued a highly detailed technical report of the bug this week, and said their exploit had a success rate of 99.4 percent on kernel 6.4.16, for instance.

The vulnerability is tracked as CVE-2024-1086. It is rated 7.8 out of 10 in terms of CVSS severity. It was patched at the end of January, updates have been rolling out since then, and if you haven’t yet upgraded your vulnerable kernel and local privilege escalation (LPE) is a concern, take a closer look at this thing.

“Never had I ever gotten so much joy developing a project, specifically when dropping the first root shell with the bug,” Notselwyn enthused.

The flaw is a double-free bug in the Linux kernel’s netfilter component involving nf_tables. As the US National Vulnerability Database explained:

The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. 

All of that can lead to a crash or arbitrary code execution in the kernel upon exploitation. Before heading out for the Easter weekend we’d suggest patching first, again if LPE is a critical issue for you, so the only headache that greets you on Monday morning is pain from too much chocolate.

In their analysis, Notselwyn details the steps needed to drop a universal root shell on nearly all affected Linux kernels using CVE-2024-1086. This includes a particularly interesting method that builds on an earlier Linux kernel universal exploit technique, dubbed Dirty Pagetable, that involves abusing heap-based bugs to manipulate page tables to gain unauthorized control over a system’s memory and thus operation.

The latest method has been called Dirty Pagedirectory, and Notselwyn says it allows unlimited, stable read/write access to all memory pages in a Linux system, which would give an attacker full control over the box: 

The technique is quite simplistic in nature: Allocate a Page Upper Directory (PUD) and Page Middle Directory (PMD) to the same kernel address using a bug like a double-free. The VMAs should be separate, to avoid conflicts (so do not allocate the PMD within the area of the PUD). Then, write an address to the page in the PMD range and read the address in the corresponding page of the PUD range.

Notselwyn has also shared the source code to an exploit PoC, which is “trivial” to run.

Exploiting the bug requires that the unprivileged-user namespaces option be set to access nf_tables, which is enabled by default on Debian, Ubuntu, and other major distributions. An attacker would then need to trigger a double-free, scan the physical memory for the kernel base address, bypassing KASLR, and then access the modprobe_path kernel variable with read/write privileges.

After overwriting the modprobe_path, the exploit starts a root shell, and then it’s game over. ®

Source: https://www.theregister.com/2024/03/29/linux_kernel_flaw/

“An interesting youtube video that may be related to the article above”