PoC Code for Linux Kernel Privilege Escalation Flaw (CVE-2023-259) Published
Cybersecurity researcher Yordan has released the details, and a proof-of-concept (PoC) exploit for a high-severity vulnerability (CVE-2023-2598, CVSS score of 7.8) that exists in Linux kernel 6.3-rc1.
Discovered by white hat hacker Tobias Holl, the kernel vulnerability is an out-of-bounds access flaw to physical memory in the buffer registration code for io_uring. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges. This ability to manipulate memory could be used to gain elevated privileges and execute arbitrary code, effectively compromising the system.
In a nutshell, io_uring is an API for Linux allowing applications to perform “system calls” asynchronously. It provides significant performance improvements over using normal syscalls. It allows your program to not wait on blocking syscalls and because of how it is implemented, lowers the number of actual syscalls needed to be performed.
“The root cause of the vulnerability is a faulty optimization when buffers are registered,” Yordan wrote in the write-up.
“Buffers get registered through an io_uring_register system call by passing the IORING_REGISTER_BUFFERS opcode. This invokes io_sqe_buffers_register, which in return calls io_sqe_buffer_register to register each of the buffers. This is where the vulnerability arises,” Yordan added.
Bug reproduction steps:
- Create a memfd
- fallocate a single page in that file descriptor
- Use MAP_FIXED to map this page repeatedly, in consecutive locations
- Register the entire region that you just filled up with that page as a fixed buffer with IORING_REGISTER_BUFFERS
- Use IORING_OP_WRITE_FIXED to write the buffer to some other file (OOB read) or IORING_OP_READ_FIXED to read data into the buffer (OOB write).
Yordan also released a proof-of-concept (PoC) exploit demonstrating the CVE-2023-2598 flaw’s impact.
The Linux kernel vulnerability was promptly addressed in the kernel version 6.4-rc1, released shortly after its disclosure. However, system administrators must ensure that their Linux installations are updated to the latest version to mitigate the risk of exploitation.