Cybersecurity

A new technique has emerged to exploit a complex use-after-free (UAF) vulnerability in the Linux kernel, specifically targeting CVE-2024-50264. This vulnerability is a race condition bug in the AF_VSOCK subsystem, introduced in Linux version 4.8. It presents significant challenges for exploitation, including an unstable race condition and a narrow time window for memory corruption.

Alexander Popov has identified that an unprivileged user can trigger this bug, although it poses severe limitations, such as a high likelihood of kernel crash during the attempt. The original exploit method involved complex strategies like memory sprays and advanced techniques such as SLUBStick and Dirty Pagetable.

Linux Kernel Use-After-Free Vulnerability

The researcher has developed a new approach focusing on the msg_msg kernel object. This method allows for the corruption of an msg_msg object without causing the kernel to hang. The procedure involves:

1. Filling the message queue almost to capacity, leaving minimal free space.
2. Sending target msg_msg objects, which blocks the msgsnd() system call due to full queue, leading to the allocation of objects by the kernel.
3. Triggering the UAF while the system call is blocked, corrupting fields within the waiting msg_msg object.
4. Freeing space in the message queue, allowing the blocked system call to resume and add the corrupted msg_msg object to its queue, reconstructing list pointers and avoiding a crash.

This technique provides a reliable exploit primitive from a UAF write under challenging conditions without needing a prior kernel information leak.

Bypassing Kernel Defenses

Several obstacles were addressed to execute the attack successfully. The researcher employed a cross-cache attack to replace the freed virtio_vsock_sock object with the msg_msg object, circumventing kernel hardening features such as CONFIG_RANDOM_KMALLOC_CACHES. To slow down the kernel worker and widen the race window, a technique involving notifications from timerfd and epoll instances was used.

The msg_msg corruption enabled an out-of-bounds read, leaking kernel memory containing the address of the process’s credentials (struct cred). A second UAF was then performed against a pipe_buffer object to gain arbitrary address read and write capabilities, allowing direct modification of process credentials and privilege escalation to root.

The entire exploit development process was refined with kernel-hack-drill, a custom testing environment for experimenting with kernel exploit primitives in a controlled setting.