Recently my team discovered a Linux kernel vulnerability affecting the netlink subsystem.
The bug can be exploited by an unprivileged user to escalate to root on systems that allow unprivileged namespace creation, such as Ubuntu. We developed an exploit targeting the latest version of Ubuntu (LTS 22.04).
In the talk I will discuss the details of the bug, but mostly focus on the exploitation methods we used to achieve fairly reliable privilege escalation. The vulnerability is a fairly limited UAF that only allows the write of an uncontrolled pointer into a slab object at an uncontrolled offset. We were able to leverage this to build new, more powerful exploit primitives that allow us to bypass KASLR and execute ROP gadgets in the kernel. We were able to do this by triggering the UAF once to achieve an initial leak primitive and then a second time to trigger a separate UAF. The third UAF allows a more powerful info leak to bypass KASLR and orient ourselves on the heap. Finally, a fourth UAF allows us to call a function pointer that allows us to trigger a ROP gadget.