Talk

Some cracks in the Linux firewall

conf 2022-11-16 09:45 – 10:30 La Marive EN

Netfilter is the well-known firewall available on Linux systems.
It is mainly known through its userland interface *iptables*, but most of its code base lives in kernel land, where it hooks into the network stack.
Historically, performing such operations required specific privileges.
Since unprivileged users are able to create new namespaces, they can now perform operations that used to be privileged, such as setting up a firewall.
Consequently, the attack surface of the Linux kernel is considerably increased, and Netfilter has become one of the targets of vulnerability research focusing on local privilege escalation.
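The precondition the abstract describes, an unprivileged user reaching Netfilter setup through a user namespace, can be checked on a host from the defender's side. The script below is an added example, not material from the talk; it reads only `/proc/sys`, creates no namespace, and assumes the sysctl names listed in its header (the second and third are distribution-specific toggles that may be absent on other kernels).

```shell
#!/bin/sh
# Added example: report whether unprivileged users on this host can create
# user namespaces, which is what lets them reach Netfilter setup code.
# Sysctl names used (assumptions about the running kernel):
#   user.max_user_namespaces                      upstream; 0 blocks creation
#   kernel.unprivileged_userns_clone              Debian/Ubuntu toggle; absent upstream
#   kernel.apparmor_restrict_unprivileged_userns  newer Ubuntu kernels

read_sysctl() {
    # $1 is a dotted sysctl name; prints its value, or "absent" if not present
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

userns_exposure() {
    # Prints one of: enabled, restricted, disabled, unknown
    max=$(read_sysctl user.max_user_namespaces)
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    aa=$(read_sysctl kernel.apparmor_restrict_unprivileged_userns)

    if [ "$max" = absent ]; then
        echo unknown          # no user namespace support visible
    elif [ "$max" = 0 ] || [ "$clone" = 0 ]; then
        echo disabled         # unprivileged creation blocked outright
    elif [ "$aa" = 1 ]; then
        echo restricted       # only AppArmor-profiled programs may create them
    else
        echo enabled          # any unprivileged user can reach firewall setup
    fi
}

# Usage: print the raw values, then the verdict on its own line.
for s in user.max_user_namespaces kernel.unprivileged_userns_clone \
         kernel.apparmor_restrict_unprivileged_userns; do
    printf '%-45s %s\n' "$s" "$(read_sysctl "$s")"
done
userns_exposure
```

On hosts where no workload needs unprivileged user namespaces, setting the available toggle to 0 removes this part of the attack surface; where containers or sandboxes need them, the verdict tells you the kernel's Netfilter code is reachable from unprivileged processes and patch level matters accordingly.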

Variant analysis is a recent technique that can be used for vulnerability research on open source software.
Thanks to variant analysis, I was able to find bugs and vulnerabilities within the Netfilter subsystem of the Linux kernel.
The vulnerabilities allowed an attacker to get a privilege escalation on Ubuntu.

In this talk, I will explain how I used variant analysis to discover two vulnerabilities, CVE-2022-1972 and CVE-2022-34918.
I will also cover the techniques used to perform an information leak with CVE-2022-1972 and a privilege escalation on Ubuntu 22.04 by exploiting CVE-2022-34918.

Download slides (PDF)