# CVE-2023-32233 (CAP\_NET\_ADMIN)

## Theory

**Netfilter nf\_tables** allows its configuration to be updated as an atomic operation. When using this feature, user-mode clients send batch requests containing a list of basic operations, and nf\_tables processes all the operations in the batch as a single transaction. While processing the batch, nf\_tables checks the configuration state updates to ensure that each successive basic operation is valid, taking into account the state updates from all previous operations within the batch. However, the currently implemented check is insufficient.

**CVE-2023-32233** is a use-after-free vulnerability in the **Netfilter** subsystem of the Linux kernel, triggered when processing batch requests that update the **nf\_tables** configuration. It can be abused to perform arbitrary reads and writes in kernel memory. A local user with the `CAP_NET_ADMIN` capability could use this flaw to crash the system or potentially escalate their privileges on the system.

## Practice

{% tabs %}
{% tab title="Enumerate" %}
The target system is likely to be vulnerable if its kernel version is lower than 6.3.1.

```bash
# get kernel version
$ uname -r
5.15.70-051570-generic
```

Also, the current user needs the `CAP_NET_ADMIN` capability:

```bash
# get current capabilities
$ capsh --print

# Or, read the effective capability mask of the current process and decode it
$ grep CapEff /proc/self/status
$ capsh --decode=0000003fffffffff
0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37
```
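
To run the two checks above mechanically over many hosts (for example when triaging which machines are in scope for patching), here is an added shell helper; it is not code from the original page or from the Liuk3r repository. It assumes the 6.3.1 threshold stated above and `CAP_NET_ADMIN` as capability bit 12 of `CapEff`; distribution backports that fix the bug on an older release string are not detected by a plain version compare.

```shell
# Added triage helper (not from the original page or the exploit repository).
# It applies the two Enumerate checks mechanically: kernel release below 6.3.1
# and CAP_NET_ADMIN (capability bit 12) present in the effective set.
# Assumption: the 6.3.1 threshold is used as-is; distro backports that fixed
# the bug on an older release string are NOT detected by a version compare.

# kernel_base RELEASE -> leading MAJOR.MINOR[.PATCH] of a `uname -r` string
kernel_base() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/'
}

# version_lt A B -> exit 0 when release A is numerically older than B
version_lt() {
    a=$(kernel_base "$1"); b=$(kernel_base "$2"); i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}        # a missing patch component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1                         # equal is not older
}

# has_cap CAPEFF BIT -> exit 0 when BIT is set in the hex mask from /proc/<pid>/status
has_cap() {
    mask=$(( 0x${1:-0} ))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# preconditions_met RELEASE CAPEFF -> exit 0 only when both page preconditions hold
preconditions_met() {
    version_lt "$1" "6.3.1" && has_cap "$2" 12
}

# report RELEASE CAPEFF -> one-line verdict; always returns 0 so it is safe under set -e
report() {
    if preconditions_met "$1" "$2"; then
        echo "kernel $1 (< 6.3.1) with CAP_NET_ADMIN in CapEff $2: matches CVE-2023-32233 preconditions"
    else
        echo "kernel $1 / CapEff $2: preconditions not met (patched release or no CAP_NET_ADMIN)"
    fi
}

# Live run against the current host: same inputs the Enumerate tab reads by hand.
if [ -r /proc/self/status ]; then
    report "$(uname -r)" "$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status)"
fi
```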

{% endtab %}

{% tab title="Exploit" %}
To exploit **CVE-2023-32233**, we may use [this exploit](https://github.com/Liuk3r/CVE-2023-32233) by Liuk3r.

```bash
# Install dependencies
sudo apt install gcc libmnl-dev libnftnl-dev

# Compile
gcc -Wall -o exploit exploit.c -lmnl -lnftnl

# Exploit
./exploit
```

The exploit's built-in profile contains parameters specific to the Linux kernel distributed in binary form as the following packages from Ubuntu 23.04 (Lunar Lobster):

{% hint style="info" %}
**There are optional steps to override the built-in profile** when testing with other Linux kernels. See the [GitHub page](https://github.com/Liuk3r/CVE-2023-32233) for more information.
{% endhint %}
{% endtab %}
{% endtabs %}

## References

{% embed url="https://github.com/Liuk3r/CVE-2023-32233" %}

{% embed url="https://access.redhat.com/security/cve/cve-2023-32233" %}
