Tuesday, March 18, 2025

PoC Exploit Launched for Linux Kernel Use-After-Free Vulnerability

A proof-of-concept (PoC) exploit has been released for a use-after-free vulnerability in the Linux kernel, tracked as CVE-2024-36904.

The vulnerability lies in the TCP subsystem of the Linux kernel and is caused by the inet_twsk_hashdance() function inserting the time-wait socket into the established-connections hash table before setting its reference count. Until the count is set, a concurrent lookup can find the socket in the table while it still has zero references.
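The ordering described above, as an added illustration that is neither the kernel's code nor the CVE-2024-36904-trigger PoC: a toy hash bucket publishes a time-wait socket before its reference count is assigned, and two lookups hit that window, one taking an unconditional hold and one using the kernel's refcount_inc_not_zero() idiom (modelled here by a local helper of the same contract). The struct and function names, the port, and the initial count of 3 are assumptions of this example; the page does not say how upstream fixed the bug, so the inc-not-zero guard is shown as the standard defence against exactly this window, not as the patch.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model of a time-wait socket in one bucket of the established hash table.
 * Names and layout are this example's own, not the kernel's. */
struct twsk {
    atomic_int refcnt;   /* zero until the "hashdance" finishes, as the article describes */
    int port;
    struct twsk *next;
};

struct bucket {
    struct twsk *head;
};

/* Same contract as the kernel's refcount_inc_not_zero(): take a reference
 * only if the object already holds at least one; report failure otherwise. */
static bool refcnt_inc_not_zero(atomic_int *r)
{
    int old = atomic_load(r);
    while (old != 0) {
        if (atomic_compare_exchange_weak(r, &old, old + 1))
            return true;   /* on failure the CAS reloads old and we retry */
    }
    return false;
}

/* Step 1 of the ordering the article describes: publish the socket into the
 * bucket, where a concurrent lookup can already find it. */
static void hashdance_insert(struct bucket *b, struct twsk *tw)
{
    tw->next = b->head;
    b->head = tw;
}

/* Step 2, done only afterwards: assign the initial reference count.
 * The value 3 is an assumption for this model, not taken from the page. */
static void hashdance_set_refcnt(struct twsk *tw)
{
    atomic_store(&tw->refcnt, 3);
}

static struct twsk *bucket_find(struct bucket *b, int port)
{
    for (struct twsk *t = b->head; t != NULL; t = t->next)
        if (t->port == port)
            return t;
    return NULL;
}

/* Unsafe lookup: a plain unconditional increment, like a bare hold on whatever
 * the table returns. Returns the count seen before the increment, -1 if absent. */
static int lookup_unconditional_hold(struct bucket *b, int port)
{
    struct twsk *t = bucket_find(b, port);
    return t == NULL ? -1 : atomic_fetch_add(&t->refcnt, 1);
}

/* Safe lookup: refuse a socket whose count is still zero. */
static bool lookup_inc_not_zero(struct bucket *b, int port)
{
    struct twsk *t = bucket_find(b, port);
    return t != NULL && refcnt_inc_not_zero(&t->refcnt);
}

static void setup(struct bucket *b, struct twsk *tw)
{
    b->head = NULL;
    tw->port = 443;   /* assumed port, only used as the lookup key */
    tw->next = NULL;
    atomic_init(&tw->refcnt, 0);
}

/* Interleaving A: a lookup lands between insert and refcount set. Returns the
 * count the unsafe lookup observed (0 means it "took" a reference the socket
 * never had); *after receives the count once the hashdance completes, which
 * shows the late store silently discarding that reference. */
static int run_window(int *after)
{
    struct bucket b; struct twsk tw;
    setup(&b, &tw);
    hashdance_insert(&b, &tw);
    int seen = lookup_unconditional_hold(&b, 443);  /* 0 -> 1 */
    hashdance_set_refcnt(&tw);                      /* store 3 overwrites the 1 */
    *after = atomic_load(&tw.refcnt);               /* 3, not 4: one holder is unaccounted */
    return seen;
}

int window_hold_observed_count(void)    { int a; return run_window(&a); }
int window_hold_count_after_hashdance(void) { int a; run_window(&a); return a; }

/* Interleaving A with the inc_not_zero guard: the lookup backs off. */
bool window_inc_not_zero(void)
{
    struct bucket b; struct twsk tw;
    setup(&b, &tw);
    hashdance_insert(&b, &tw);
    return lookup_inc_not_zero(&b, 443);
}

/* Interleaving B: the lookup runs after the hashdance has finished. */
bool after_hashdance_inc_not_zero(void)
{
    struct bucket b; struct twsk tw;
    setup(&b, &tw);
    hashdance_insert(&b, &tw);
    hashdance_set_refcnt(&tw);
    return lookup_inc_not_zero(&b, 443);
}

int main(void)
{
    printf("unconditional hold in the window: saw refcnt %d, count after hashdance %d\n",
           window_hold_observed_count(), window_hold_count_after_hashdance());
    printf("inc_not_zero in the window: %s\n", window_inc_not_zero() ? "took ref" : "backed off");
    printf("inc_not_zero after hashdance: %s\n", after_hashdance_inc_not_zero() ? "took ref" : "backed off");
    return 0;
}
```

The unaccounted reference is the whole bug in miniature: once the three legitimate holders drop their counts the object is freed while the lookup path still uses it, which is the use-after-free KASAN reports. The guarded lookup never touches a zero-count object, so a caller must be prepared to treat "not found" or "retry" as a valid outcome of a lookup that did find an entry.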

CVE Overview

CVE-2024-36904 affects the Linux kernel by allowing an attacker to exploit a use-after-free condition, which could potentially lead to arbitrary code execution or denial of service.

The vulnerability was discovered during an investigation that involved building a modified kernel with KASAN (Kernel Address Sanitizer) enabled to confirm the presence of a real use-after-free bug.

Affected Systems

The vulnerability was tested on systems running AlmaLinux 9 with kernel version 5.14.0-362.24.2.el9_3.x86_64, but other Linux kernel versions are likely also affected if they have not been patched.

The vulnerability was fixed in Red Hat Enterprise Linux 9 in kernel version 5.14-427.26.1 as of July 16, 2024.

Proof of Concept (PoC) Code

For those interested in testing the vulnerability, a PoC trigger named CVE-2024-36904-trigger is available.

To test the vulnerability with KASAN enabled, you will need to apply a patch to the kernel and then build it. The steps are:

  1. Install the required packages:
    You need flex, bison, elfutils-libelf-devel, openssl-devel, bc, perl, and dwarves installed to build the kernel.
  2. Apply the patch (the -p1 strips the leading path component from the file names in the patch):
    cd kernels/linux-5.14.0-362.24.1.el9_3/
    patch -p1 < ../mdelay_remove_rcu_flag.patch
  3. Build the kernel from the KASAN research config, then install the modules and the kernel:
    cp ../linux-5.14.0-362.24.1.el9_3-RESEARCH-KASAN/.config .config
    make oldconfig
    make -j $(nproc)
    make -j $(nproc) modules_install install

Running the Trigger

To run the trigger and observe the KASAN splat on the modified kernel, execute it in a loop:

    while true; do ./CVE-2024-36904-trigger; done

This runs the trigger continuously; on the modified kernel the KASAN splat should appear in the kernel ring buffer (dmesg) within a short time. Because the bug is a race, a single run may not hit the window, which is why the loop is needed.

CVE-2024-36904 highlights the importance of timely patching and testing of Linux kernel vulnerabilities.

As Linux distributions continue to update their kernels to address such vulnerabilities, ensuring that your system is updated is essential for maintaining security.

Users and organizations should keep their Linux kernels up to date to protect against exploits targeting this and other vulnerabilities.
