"Dirty Pagedirectory": New Linux Kernel Exploit Bypass Hardening Mitigations
A security researcher published a detailed technical blog post analyzing a new Linux kernel vulnerability in the nf_tables component and demonstrating novel exploitation techniques that bypass mitigations present even in hardened Linux distributions. The vulnerability, assigned CVE-2024-1086, enables local privilege escalation to gain root access.
The vulnerability exists in the nft_verdict_init() function, which handles user input for configuring netfilter verdict values when creating firewall rules using nf_tables. The function fails to properly sanitize positive drop error values, allowing a malicious user to trigger a double-free vulnerability when the nf_hook_slow() function later frees and continues processing a dropped network packet.
The researcher, who goes by the online handle "Notselwyn," developed an exploit that leverages this double-free bug to achieve code execution and privilege escalation on numerous Linux distributions and versions, including recent Debian and Ubuntu releases as well as Google's hardened KernelCTF systems.
The exploit centres around a new technique dubbed "Dirty Pagedirectory" that allows mapping physical memory for arbitrary read/write access from userspace by confusing the kernel's page tables. This overcomes mitigations like kernel address space layout randomization (KASLR), supervisor mode access prevention (SMAP), and supervisor mode execution prevention (SMEP).
Dirty Pagedirectory works by double-allocating a page table entry (PTE) and a page middle directory (PMD) to the same kernel memory region using the double-free vulnerability. The PMD then interprets values written to the PTE page as physical memory addresses, allowing the exploit to construct PTEs that map any desired physical page to unprivileged userspace addresses with customizable permissions.
To allocate PTE and PMD pages, the researcher developed methods to convert double-freed higher-order pages to lower orders usable for page tables, including draining the kernel's per-CPU page (PCP) allocator and leveraging race conditions on virtualized systems.
With the ability to read and map arbitrary kernel memory, the exploit can determine the physical base address of the kernel by scanning memory aligned with the CONFIG_PHYSICAL_START or CONFIG_PHYSICAL_ALIGN values, using signature scanning to locate the kernel code section.
It can then locate variables like modprobe_path by scanning the kernel data region, or resolving their offsets directly if the kernel version is known. Overwriting modprobe_path allows executing arbitrary code as root either by hijacking the module path or disabling CONFIG_STATIC_USERMODEHELPER_PATH protections.
The exploit includes other innovations like page reference count juggling, freeing skb network buffers instantly without the UDP/TCP stack, bypassing double-free mitigations in hardened KernelCTF instances, and a new technique for flushing the CPU's translation lookaside buffer (TLB) from userspace.
While a patch has been issued for the nf_tables vulnerability as of February 2024, the researcher's technical write-up provides an alarming perspective into the complexity of securing the Linux kernel, even with active hardening efforts. Software vendors and end-users are advised to apply kernel updates promptly and to implement other security best practices like minimizing kernel attack surfaces.
The kernel version has been upgraded officially to fix this vulnerability. Affected users are advised to update their versions as soon as possible for protection.
For Redhat, the following temporary protective measures can be taken:
If not required by the business service, mitigate by preventing the loading of the affected netfilter (nf_tables) kernel module. For instructions on how to blacklist a kernel module, please refer to https://access.redhat.com/solutions/41278.
If disabling the module is not feasible, restrict user namespaces in non-containerized deployments of Red Hat Enterprise Linux.
The full technical details, including proof-of-concept exploit code, have been published. However, the vulnerability underscores the challenges of preventing entire classes of bugs and the continual need for robust security mitigations in operating system kernels.
"Stunning" Backdoor in xz Compression Tool
Apart from this powerful Linux privilege escalation vulnerability which affects most Linux systems/kernels using Linux kernel versions v5.14 - v6.6 (excluding branch patch versions v5.15.149, v6.1.76 and v6.6.15), another nasty thing has been discovered that puts Linux community under risk.
A Microsoft developer accidentally discovered a subtle backdoor in the xz utils implementation that introduces a memory corruption vulnerability when decompressing a specially crafted xz archive.
Appearing as an inconspicuous off-by-one loop bounds error, the backdoor allows an attacker to overwrite a function pointer on the stack to hijack execution flow during the xz decompression routine.
Although no in-the-wild exploits have been reported yet, xz utils are used pervasively to compress and package software, including the Linux kernel source itself. The backdoor raises serious implications for software supply chain attacks.
The vulnerability is believed to have been deliberately planted, with the malicious code changes identified as originating from an unrecognized contributor masquerading as the xz maintainer.
In response, the kernel's build system was modified to use an internal decompressor implementation pending a comprehensive audit of xz utils, while distributions rushed to ship patched versions. The incident has prompted security reviews of other key system utilities.