
Exploit released for new PinTheft Arch Linux root escalation flaw

Why This Matters

The release of the PinTheft exploit highlights ongoing security challenges in Linux systems, especially for distributions like Arch Linux where the RDS module is enabled by default. This vulnerability underscores the importance of timely updates and vigilant security practices to protect against privilege escalation attacks that could compromise system integrity and user data.

Key Takeaways

A recently patched Linux privilege escalation vulnerability now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems.

The vulnerability, named PinTheft by the V12 security team and not yet assigned a CVE ID, exists in the Linux kernel's RDS (Reliable Datagram Sockets) implementation and was patched earlier this month.

"PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers," V12 said in a Tuesday advisory.

"The bug lived in the RDS zerocopy send path. rds_message_zcopy_from_user() pins user pages one at a time. If a later page faults, the error path drops the pages it already pinned, and later RDS message cleanup drops them again because the scatterlist entries and entry count remain live after the zcopy notifier is cleared. Each failed zerocopy send can steal one reference from the first page."

V12 also released a PoC exploit that steals FOLL_PIN references until io_uring is left holding a stolen page pointer, allowing it to obtain a root shell.

However, in addition to having the RDS module loaded on the target system, PinTheft also requires specific conditions for successful exploitation, including the io_uring Linux I/O API being enabled, a readable SUID-root binary, and x86_64 support for the included payload.

These requirements drastically limit the exposed population: according to V12, among the most common Linux distributions only Arch Linux ships with the RDS module enabled by default.

"Sadly, the RDS kernel module this requires is only default on Arch Linux among the common distributions we tested," V12 added.
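One way an administrator can confirm that the two kernel-side preconditions named above are absent on a host, as an added example that is not from the article or V12's advisory: the script below reports whether the `rds` module is loaded or still autoloadable through modprobe, and whether the `kernel.io_uring_disabled` sysctl (available since kernel 6.6) is set to 2. File paths are parameters so the functions can be run against constructed inputs as well as the live `/proc` and `/etc`; the SUID-binary and x86_64 conditions are not checked.

```sh
#!/bin/sh
# Added example, not code from the article or from V12: check whether a host
# still meets the RDS-module and io_uring preconditions the article lists.

# rds_loaded [MODULES_FILE]: succeeds if the rds module is currently loaded.
rds_loaded() {
    grep -q '^rds ' "${1:-/proc/modules}"
}

# rds_blocked [MODPROBE_DIR]: succeeds if a modprobe.d fragment prevents the
# module from being pulled in. A "blacklist rds" line stops the alias-based
# autoload that an AF_RDS socket() call triggers; "install rds /bin/false"
# additionally refuses an explicit modprobe.
rds_blocked() {
    dir="${1:-/etc/modprobe.d}"
    grep -Eqs '^[[:space:]]*(blacklist|install)[[:space:]]+rds([[:space:]]|$)' \
        "$dir"/*.conf
}

# io_uring_disabled [SYSCTL_FILE]: succeeds only when kernel.io_uring_disabled
# is 2, which turns the interface off for every process (1 restricts it to
# privileged users, 0 leaves it fully available).
io_uring_disabled() {
    f="${1:-/proc/sys/kernel/io_uring_disabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "2" ]
}

# exposure [MODULES_FILE] [MODPROBE_DIR] [SYSCTL_FILE]: prints "exposed" when
# rds is loaded or autoloadable AND io_uring is usable, otherwise "mitigated".
exposure() {
    mods="${1:-/proc/modules}"
    mpd="${2:-/etc/modprobe.d}"
    sys="${3:-/proc/sys/kernel/io_uring_disabled}"
    rds_reachable=1
    if rds_loaded "$mods"; then
        rds_reachable=0
    elif ! rds_blocked "$mpd"; then
        rds_reachable=0   # not loaded yet, but nothing stops autoload
    fi
    if [ "$rds_reachable" = 0 ] && ! io_uring_disabled "$sys"; then
        echo exposed
    else
        echo mitigated
    fi
}

# Run against the live system when executed directly.
[ "${CHECK_LIVE:-0}" = 1 ] && exposure
```

Run with `CHECK_LIVE=1 sh pintheft-precheck.sh` on a host to get the verdict for the live kernel; a result of "mitigated" means at least one of the two kernel-side preconditions is gone, not that the kernel itself is patched.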

PinTheft LPE exploit on Arch Linux (Will Dormann)

Linux users on affected distros are advised to install the latest kernel updates as soon as possible.
