
Wow! If I understand correctly this is a local privilege escalation (the blog post doesn't mention "local" or "remote"). But it seems it could also be used to get remote code execution?

I wish there was a list of distribution kernels that are vulnerable and which have already patched this. Would be valuable to add to the blog post and the GitHub repo. https://github.com/randorisec/CVE-2022-34918-LPE-PoC



Yup, it is essentially exploiting the subsystem that firewalls like iptables use under the hood; you can't mess with that remotely.


"...you can't mess with that remotely."

I don't know enough about the subject to agree or disagree with this statement but you've got me curious. Is that a:

A. "It's fundamentally impossible to make this change because operating systems cannot be modified in this way by a remote system" (i.e. making a change at this level of the architecture would result in the remote connection being dropped and all of the attacker's work becomes moot.)

B. "The code has been reviewed and hardened sufficiently that experts are universally assured that attempting this type of remote change will fail."

...or am I looking at this the wrong way and it's secure for a completely different reason? I've always been taught to be skeptical of any statement of perceived certainty when it involves computer security so I appreciate additional details so I can expand my knowledge.

Thank you in advance!


The API used in the PoC is not used during parsing of the traffic. In order to trigger the bug remotely you'd either need to chain it with another exploit or have a way of running arbitrary commands as a local user (e.g. by exploiting a webapp).


I think you are looking at it the wrong way. A remote exploit is one where the exploit makes use of a vuln over the network. The bug/vuln is exposed in either the networking or applications accessible over the net. In this case, you need to use a remote exploit to get local access and then use this to elevate the local access to root access. You can still do it through a remote system, but not without the intermediate step.


You can look at the code to see to what great lengths it goes to exploit this.


I looked at the code within the original article, and while I could follow the general flow and function, that's about it.

Thus my question about the OP's (seemingly) confident statement and why they were comfortable making it.


It requires access to a netlink socket. These are not remotely accessible.
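To make the "netlink is local" point concrete from a defender's side, here is an added example (not from the thread, the PoC, or the blog post): netlink sockets have no network transport, so the only place they can show up is the local kernel's socket table in `/proc/net/netlink`. The script below parses that table and lists which local processes hold sockets on the netfilter netlink protocol (the one nftables/iptables-nft speak over), which is what an administrator would inventory when deciding which users and services can reach this subsystem at all. The protocol number `NETLINK_NETFILTER = 12` and the column layout are the kernel's real ones; the sample table embedded for offline runs is constructed, and the pid lookup is best-effort.

```python
"""List local holders of netfilter netlink sockets by parsing /proc/net/netlink.

Added example for illustration; not part of the original thread or PoC.
"""

# Protocol number from linux/netlink.h; nf_tables and iptables-nft use this family.
NETLINK_NETFILTER = 12

# Constructed sample in the layout the kernel prints (net/netlink/af_netlink.c):
# sk, Eth (protocol), Pid (port id), Groups, Rmem, Wmem, Dump, Locks, Drops, Inode.
# Pid 0 rows are kernel-owned sockets; the 12/4242 row is a hypothetical nft client.
SAMPLE = """sk               Eth Pid        Groups   Rmem     Wmem     Dump  Locks    Drops    Inode
0000000000000000 0   1          00000551 0        0        0     2        0        12345
0000000000000000 12  4242       00000000 0        0        0     2        0        23456
0000000000000000 15  1          00000001 0        0        0     2        0        34567
"""


def parse_netlink_table(text):
    """Parse /proc/net/netlink text into dicts (protocol, port id, groups, inode)."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue  # tolerate truncated or blank lines
        rows.append({
            "protocol": int(fields[1]),
            # The netlink port id is normally the opening process's pid, but a
            # process with several sockets gets kernel-assigned ids instead.
            "pid": int(fields[2]),
            "groups": int(fields[3], 16),
            "inode": int(fields[9]),
        })
    return rows


def netfilter_socket_holders(text):
    """Return (port id, inode) pairs for sockets on the netfilter netlink protocol."""
    return [(r["pid"], r["inode"]) for r in parse_netlink_table(text)
            if r["protocol"] == NETLINK_NETFILTER]


def process_name(pid):
    """Best-effort comm lookup; None when the pid is not a visible process."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return None


def read_live_table():
    """Read the real table on Linux; None elsewhere so the sample is used."""
    try:
        with open("/proc/net/netlink") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    table = read_live_table() or SAMPLE
    for port_id, inode in netfilter_socket_holders(table):
        print(f"netfilter netlink socket: port_id={port_id} "
              f"comm={process_name(port_id)} inode={inode}")
```

Run as root on a Linux host it reads the live table; anywhere else it falls back to the constructed sample. Because every row here is a local socket with no peer address, the output is a list of local processes, which is exactly why a bug in this subsystem needs a local foothold first.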


That looks like nftables (the successor to iptables).



