Clash, Burn, and Exploit: Manipulate Filters to Pwn kernelCTF

Presented at DEF CON 32 (2024), Aug. 11, 2024, 12:30 p.m. (45 minutes).

As the successor to iptables, nftables stands as a crucial network component within the Linux kernel, managing packet filtering and other network-related functionality. With continuous development and changes, features designed to increase its efficiency, such as batch commit, anonymous chains/sets, and asynchronous garbage collection, have been implemented, which in turn has significantly increased its complexity and made it an attractive target for attackers in recent years. Since the announcement of the kernelCTF bug bounty, multiple nftables 0-day vulnerabilities have been reported and patched to enhance its security. However, if not careful enough, a security patch may not only mitigate the bug but also unintentionally introduce new security issues. By researching the structural changes in the nftables codebase, we successfully uncovered new vulnerabilities despite the intense competition in kernelCTF. We also managed to speedrun the exploitation just before Google removed nftables from the LTS instance, making ours the last LTS nftables exploitation. In this presentation, we will share three nftables vulnerabilities we discovered in a storytelling fashion. We start with a brief introduction to how nftables works under the hood to familiarize attendees with the basics. After that, we dive into nftables internals and dissect three vulnerabilities discovered during our journey, two of which involved utilizing hard-to-exploit race conditions to pwn the flag. Alongside details of the exploitation, we will also share the roller-coaster story of our kernelCTF experience, filled with dramatic highs and lows, making it a tense and exhilarating journey.
- Previous nf_tables research:
  - [Settlers of Netlink: Exploiting a limited UAF in nf_tables (CVE-2022-32250)](https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/)
  - [nftables Adventures: Bug Hunting and N-day Exploitation](https://starlabs.sg/blog/2023/09-nftables-adventures-bug-hunting-and-n-day-exploitation/)
  - [kernelCTF CVE-2023-4004 LTS/COS mitigation exploit write-up](https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4004_lts_cos_mitigation/docs/exploit.md)
- Container escape:
  - [kernelCTF CVE-2023-4622 LTS exploit write-up](https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2023-4622_lts/docs/exploit.md)
- RCU related documentation:
  - [What is RCU? (kernel documentation)](https://www.kernel.org/doc/Documentation/RCU/whatisRCU.txt)
  - [RCU FAQ (MIT 6.828)](https://pdos.csail.mit.edu/6.828/2023/lec/rcu-faq.txt)

Presenters:

  • Kuan-Ting "HexRabbit" Chen - Security Researcher at DEVCORE
    Kuan-Ting Chen, also recognized as HexRabbit, is a Security Researcher at DEVCORE and a member of the Balsn CTF team. Specializing in low-level exploitation, he is curious about how things work and enjoys the challenge of unraveling the complexities of modern computing systems. He currently focuses on Linux kernel exploitation; his work includes discovering multiple 0-day vulnerabilities in key Linux components such as io_uring, ksmbd (an in-kernel SMB server), and the nftables submodule.