CVE-2023-3609

HIGH

Linux Kernel 4.14-6.4 - Use-After-Free in cls_u32 Component

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-3609. PoCs published by Jturnxd.

AI-analyzed exploit summary This PoC exploits CVE-2023-3609, a Linux kernel vulnerability, by leveraging eBPF and netlink to achieve local privilege escalation. It uses a combination of socket spraying, eBPF program injection, and core_pattern manipulation to execute arbitrary code with root privileges.

Description

A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.

Exploits (1)

nomisec WORKING POC

by Jturnxd · poc

https://github.com/Jturnxd/CVE-2023-3609

View Code ZIP pw:eip

This PoC exploits CVE-2023-3609, a Linux kernel vulnerability, by leveraging eBPF and netlink to achieve local privilege escalation. It uses a combination of socket spraying, eBPF program injection, and core_pattern manipulation to execute arbitrary code with root privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Linux kernel (specific versions affected by CVE-2023-3609)

No auth needed

Prerequisites: Local access to the vulnerable system · Kernel version vulnerable to CVE-2023-3609

MITRE ATT&CK