tags: kCTF, linux, race_condition, uaf, info_leak, lpe, hypervisor, kernel
original link: CVE-2023-52447 - Exploit Technique
newsletter link: exploits.club Weekly Newsletter 42 - Glitching With A Lighter, Pixel 9 Baseband Security, Node.js Pipe Madness, And More


Exploits Club Summary:

Honestly, this tweet feels very applicable recently. A new write-up hosted in the kCTF repo walks through CVE-2023-52447, a race condition in the Linux kernel's BPF subsystem that leads to a use-after-free through mismatched reference counts. The crux of the bug is that the BPF program executes under rcu_read_lock, so looking up an inner array map from an array_of_maps (who names this shit) hands back a pointer without taking a reference on it; if that inner map is freed while the program is still using it, the program is left with a dangling pointer. The researcher demonstrates how to turn this use-after-free into a kernel info leak, then goes into further exploitation, showing how the primitive can be built up into an eventual container escape.