Researcher Publishes PoC Exploit for Privilege Escalation Flaw (CVE-2023-0179) in Linux Kernel

A proof-of-concept (PoC) local privilege escalation (LPE) exploit for the vulnerability tracked as CVE-2023-0179 (CVSS score: 7.8) has been detailed by the security researcher TurtleARM.

The flaw has been described as a stack-based buffer overflow in the Netfilter subsystem. By executing a specially crafted program, an authenticated local attacker could exploit this vulnerability to gain elevated privileges as root. The flaw affects all Linux kernel versions from 5.5 to 6.2-rc3.

CVE-2023-0179 PoC

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

The exploitation could allow the leakage of both stack and heap addresses and, potentially, a local privilege escalation to the root user via arbitrary code execution.

“The exploit will enter an unprivileged user and network namespace and add an nft_payload expression via the rule_add_payload function which, when evaluated, will trigger the stack buffer overflow and overwrite the registers,” the researcher wrote.

“The content is then retrieved with the following nft command:

nft list map netdev mytable myset12

The output will leak several shuffled addresses relative to kernel data structures, among which we find a kernel instruction address and the regs pointer,” the researcher added.

The working CVE-2023-0179 PoC exploit has been tested successfully against unpatched Linux kernel 6.1.6. The exploit creates a new user account needle:needle with UID 0.

It’s recommended that users update Linux servers immediately and apply the patches for their distributions as soon as possible. Administrators are also advised to allow only trusted users to log in to local systems and to monitor affected systems.

If you are unable to patch this bug, disabling unprivileged user namespaces (which the exploit enters as its first step) will prevent exploitation:

sysctl -w kernel.unprivileged_userns_clone=0
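As an added defender-side check (not the article's or the researcher's code): a shell script that flags whether a host's kernel version falls in the affected range stated above and whether the unprivileged user namespaces the PoC relies on are still enabled. It assumes two sysctl knobs: the Debian/Ubuntu-style `kernel.unprivileged_userns_clone` used in the command above, and the upstream `user.max_user_namespaces` limit, which serves the same purpose on distributions that lack the former; a version match only means vendor patch status should be verified, since distro backports do not change the reported version.

```shell
#!/bin/bash
# CVE-2023-0179 exposure check (added example). Version range per the article: 5.5 .. 6.2-rc3.

# Return 0 if kernel version "$1" (e.g. 6.1.6, 5.15.0-56-generic, 6.2.0-rc3) is in the affected range,
# 1 if outside it, 2 if the string cannot be parsed.
kernel_in_affected_range() {
    local ver="$1" major minor rc
    major=$(printf '%s' "$ver" | sed -E 's/^([0-9]+)\..*/\1/')
    minor=$(printf '%s' "$ver" | sed -E 's/^[0-9]+\.([0-9]+).*/\1/')
    rc=$(printf '%s' "$ver" | sed -nE 's/.*-rc([0-9]+).*/\1/p')   # empty unless "-rcN" present
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -eq 5 ] && [ "$minor" -ge 5 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -le 1 ]; then return 0; fi
    # 6.2 is affected only through rc3; later rcs and 6.2 final carry the fix
    if [ "$major" -eq 6 ] && [ "$minor" -eq 2 ] && [ -n "$rc" ] && [ "$rc" -le 3 ]; then return 0; fi
    return 1
}

# Return 0 if unprivileged user namespaces are enabled, 1 if disabled, 2 if neither knob exists.
# $1 overrides the /proc/sys root so the function can be exercised on a constructed directory tree.
unprivileged_userns_enabled() {
    local root="${1:-/proc/sys}"
    local clone="$root/kernel/unprivileged_userns_clone" maxns="$root/user/max_user_namespaces"
    if [ -r "$clone" ]; then                       # Debian/Ubuntu-style knob: 1 = allowed
        [ "$(cat "$clone")" = "1" ] && return 0 || return 1
    fi
    if [ -r "$maxns" ]; then                       # upstream limit: 0 = no user namespaces at all
        [ "$(cat "$maxns")" -gt 0 ] && return 0 || return 1
    fi
    return 2
}

assess() {
    local ver; ver=$(uname -r)
    if kernel_in_affected_range "$ver"; then
        echo "kernel $ver is in the affected range 5.5 .. 6.2-rc3; verify vendor patch status"
    else
        echo "kernel $ver is outside the affected range"
    fi
    if unprivileged_userns_enabled; then
        echo "unprivileged user namespaces: ENABLED (workaround not applied)"
    else
        echo "unprivileged user namespaces: disabled or not configurable on this kernel"
    fi
}
```

Run `assess` on a host to get both findings; a `sysctl -w` change is not persistent, so a permanent workaround belongs in a file under /etc/sysctl.d/.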