Vulnerability in the Linux Netfilter Kernel Subsystem

A vulnerability (CVE-2021-22555) has been identified in Netfilter, the Linux kernel subsystem used to filter and modify network packets, that could allow a local user to gain root privileges on the system, including from inside an isolated container. A working prototype exploit has been prepared for testing that bypasses the KASLR, SMAP and SMEP protection mechanisms. The researcher who identified the vulnerability received a $20 reward from Google for discovering a method to bypass the isolation of Kubernetes containers in a kCTF cluster.

The problem has been present since kernel 2.6.19, released 15 years ago, and is caused by a bug in the IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE handlers that leads to a buffer overflow when specially crafted options are passed via setsockopt in compat mode. Under normal circumstances, compat_setsockopt() can only be called by the root user, but the privileges needed to carry out an attack can also be obtained by an unprivileged user on systems with user namespaces enabled.

The user can create a container with its own separate root user and exploit the vulnerability from there. User namespaces are enabled by default on Ubuntu and Fedora, for example, but not on Debian and RHEL. The patch fixing the vulnerability was accepted into the Linux kernel on April 13. Package updates have already been released by the Debian, Arch Linux and Fedora projects; Ubuntu, RHEL and SUSE have updates in progress.
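The article names unprivileged user namespaces as the precondition for exploitation without root. The following POSIX shell check, added here as an example and not taken from the article, reports whether that precondition holds on a host; the optional PROC_ROOT argument is an assumption added so the logic can be exercised against a constructed /proc-style tree.

```shell
#!/bin/sh
# Added example (not from the article): report whether an unprivileged user on
# this host can create a user namespace. The first argument (hypothetical) is an
# alternative root for the /proc tree, defaulting to /proc on the live system.

userns_status() {
    proc_root="${1:-/proc}"
    # Debian-derived kernels carry an extra sysctl; 0 blocks unprivileged clone.
    clone_file="$proc_root/sys/kernel/unprivileged_userns_clone"
    # Upstream limit on user namespaces; 0 disables them entirely.
    max_file="$proc_root/sys/user/max_user_namespaces"

    if [ -r "$clone_file" ] && [ "$(cat "$clone_file")" = "0" ]; then
        echo "disabled"
        return 0
    fi
    if [ -r "$max_file" ] && [ "$(cat "$max_file")" = "0" ]; then
        echo "disabled"
        return 0
    fi
    # Kernels built without CONFIG_USER_NS expose neither file.
    if [ ! -r "$max_file" ]; then
        echo "unsupported"
        return 0
    fi
    echo "enabled"
}

# One-line summary for the live host; pair it with the distribution's
# advisory for CVE-2021-22555 to decide whether the fix is already installed.
echo "kernel $(uname -r): unprivileged user namespaces $(userns_status)"
```

A result of "enabled" on an unpatched kernel means the local-user path described in the article is open; "disabled" or "unsupported" removes that path but not the root-only one.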

The problem occurs in the xt_compat_target_from_user() function due to an incorrect calculation of the memory size when saving kernel structures after converting them from the 32-bit to the 64-bit representation. The error allows four null bytes to be written to a position outside the allocated buffer, bounded by offset 0x4C. This turned out to be enough to build an exploit that obtains root rights: by clearing the m_list->next pointer in the msg_msg structure, a use-after-free condition was created, which was then used to leak addresses and modify other structures through manipulation of the msgsnd() system call.

Source: opennet.ru
