The vulnerability is a Use-After-Free (UAF) in nf_tables, that makes it possible to escalate privileges from any user to root, and it is present since kernel version v3.16-rc1. To exploit this bug we need to enter a new network namespace to obtain `CAP_NET_ADMIN` (i.e: unprivileged user namespaces must be enabled, which is the case on most Linux distributions nowadays).
Our exploit has been tested in a Ubuntu 20.04 with kernel 5.12.13.
In this post we will analyze the process we adopted to exploit this use-after-free to achieve Local Privilege Escalation (LPE), bypassing all the default mitigations (SMEP, SMAP, KASLR, Heap randomization, …)
This post was created with our nice and easy submission form. Create your post!