The vulnerability is a use-after-free (UAF) in nf_tables that allows an unprivileged local user to escalate to root, and it has been present since kernel v3.16-rc1. Reaching the bug requires `CAP_NET_ADMIN`, which an unprivileged process can obtain by creating a new user namespace and, inside it, a new network namespace (so unprivileged user namespaces must be enabled, which is the default on most Linux distributions today).
Our exploit was tested on Ubuntu 20.04 running kernel 5.12.13.
In this post we walk through the process we followed to turn this use-after-free into a local privilege escalation (LPE), bypassing the default mitigations (SMEP, SMAP, KASLR, heap randomization, …).
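The namespace setup that the introduction relies on, as an added example that is not the original post's exploit code: the process unshares a user namespace together with a network namespace, maps its real uid/gid to 0 inside the new user namespace, and then checks `CapEff` in `/proc/self/status` to confirm that `CAP_NET_ADMIN` is now effective (it is, because a process gets a full capability set in a user namespace it creates, and the new network namespace is owned by that user namespace). It assumes `/proc` is mounted; the value 12 for `CAP_NET_ADMIN` is the one defined in `<linux/capability.h>`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bit index of CAP_NET_ADMIN in the kernel capability bitmask
 * (same value as in <linux/capability.h>). */
#ifndef CAP_NET_ADMIN
#define CAP_NET_ADMIN 12
#endif

/* Parse the "CapEff:" line out of the text of /proc/self/status.
 * Returns the effective capability bitmask, or 0 if the line is absent. */
static uint64_t parse_cap_eff(const char *status_text) {
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return 0;
    return strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* 1 if capability bit `cap` is set in `caps`, else 0. */
static int has_cap(uint64_t caps, int cap) {
    return (int)((caps >> cap) & 1);
}

/* Read the caller's effective capability mask from /proc/self/status. */
static uint64_t read_cap_eff(void) {
    char buf[4096];
    int fd = open("/proc/self/status", O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n <= 0)
        return 0;
    buf[n] = '\0';
    return parse_cap_eff(buf);
}

/* Write a short string to a /proc file; 0 on success, -1 on failure. */
static int write_file(const char *path, const char *content) {
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n == (ssize_t)strlen(content) ? 0 : -1;
}

/* Enter a new user namespace (in which we become uid 0) and a new network
 * namespace owned by it, so the process holds CAP_NET_ADMIN over that
 * network namespace and can talk to nf_tables over netlink.
 * Returns 0 on success, -1 with errno set (typically EPERM when unprivileged
 * user namespaces are disabled). */
static int enter_unprivileged_netns(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    char map[64];

    /* CLONE_NEWUSER is applied first; the netns is then created inside it. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0)
        return -1;

    /* An unprivileged process must deny setgroups before it may write gid_map. */
    if (write_file("/proc/self/setgroups", "deny") < 0)
        return -1;
    snprintf(map, sizeof(map), "0 %u 1", (unsigned)uid);
    if (write_file("/proc/self/uid_map", map) < 0)
        return -1;
    snprintf(map, sizeof(map), "0 %u 1", (unsigned)gid);
    if (write_file("/proc/self/gid_map", map) < 0)
        return -1;
    return 0;
}

int main(void) {
    printf("before: uid=%u CAP_NET_ADMIN=%d\n",
           (unsigned)getuid(), has_cap(read_cap_eff(), CAP_NET_ADMIN));
    if (enter_unprivileged_netns() < 0) {
        perror("unshare(CLONE_NEWUSER|CLONE_NEWNET)");
        fprintf(stderr, "unprivileged user namespaces appear to be disabled on this host\n");
        return 1;
    }
    printf("after:  uid=%u CAP_NET_ADMIN=%d\n",
           (unsigned)getuid(), has_cap(read_cap_eff(), CAP_NET_ADMIN));
    return 0;
}
```

On a host that allows unprivileged user namespaces the second line reports `uid=0 CAP_NET_ADMIN=1`; if `unshare` fails with `EPERM`, the prerequisite stated above is not met and the bug is not reachable from an unprivileged shell.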