PoC Exploit Released for Linux Kernel Use-After-Free Vulnerability

A proof-of-concept (PoC) exploit has been released for a use-after-free vulnerability in the Linux kernel, identified as CVE-2024-36904.

This vulnerability is located in the TCP subsystem of the Linux kernel and is caused by the inet_twsk_hashdance() function inserting the time-wait socket into the established hash table before setting its reference counter.

CVE Overview

CVE-2024-36904 affects the Linux kernel by allowing an attacker to exploit a use-after-free condition, which can potentially lead to arbitrary code execution or denial-of-service attacks.

The vulnerability was discovered during an investigation that involved creating a modified kernel with KASAN (Kernel Address Sanitizer) enabled to confirm the presence of a real use-after-free issue.

Affected Systems

The vulnerability was tested on systems running Alma Linux 9 with kernel version 5.14.0-362.24.2.el9_3.x86_64, but it is likely that other versions of the Linux kernel are also affected if they have not been patched.

The vulnerability was fixed in Red Hat Enterprise Linux 9 on kernel version 5.14-427.26.1 as of July 16, 2024.

Proof of Concept (PoC) Code

For those interested in testing the vulnerability, a PoC exploit named CVE-2024-36904-trigger is available.

To test the vulnerability with KASAN enabled, you will need to apply a patch to the kernel and then build it. Here are the steps to apply the patch:

1. Install necessary packages:
   You will need flex, bison, elfutils-libelf-devel, openssl-devel, bc, perl, and dwarves installed to build the kernel.
2. Apply the patch:

cd kernels/linux-5.14.0-362.24.1.el9_3/

patch -n1 < ../mdelay_remove_rcu_flag.patch

3. Build the kernel:

cp ../linux-5.14.0-362.24.1.el9_3-RESEARCH-KASAN/.config .config

make oldconfig

make -j `nproc`

make -j `nproc` modules_install install

Running the Trigger

To run the trigger and observe the KASAN splat when using the modified kernel, execute the following command in a loop:

while true; do ./CVE-2024-36904-trigger; done

This command will continuously execute the trigger, which should cause the KASAN splat to appear in the kernel ring buffer within a short period when using the modified kernel.

CVE-2024-36904 highlights the importance of timely patching and testing of Linux kernel vulnerabilities.

As Linux distributions continue to update their kernels to address such vulnerabilities, ensuring that your system is updated is crucial for maintaining security.

Users and organizations should keep their Linux kernels up-to-date to protect against exploits targeting this and other vulnerabilities.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.