1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
// AF_NETLINK Socket - Kernel Interface Access Attack
//
// WHAT IS NETLINK:
// Netlink is a Linux-specific socket family for communication between
// userspace and the kernel. It provides access to many kernel subsystems
// including networking, routing, firewall rules, and more.
//
// WHY AF_NETLINK IS DANGEROUS:
// 1. Direct interface to kernel subsystems
// 2. Many netlink handlers have had vulnerabilities
// 3. Access to nf_tables (CVE-2024-1086)
// 4. Can modify network configuration
// 5. Enables kernel exploitation from userspace
//
// NETLINK PROTOCOLS:
// - NETLINK_ROUTE (0): Routing tables, interfaces
// - NETLINK_FIREWALL (3): Deprecated firewall interface
// - NETLINK_NETFILTER (12): nf_tables, iptables - VERY DANGEROUS
// - NETLINK_KOBJECT_UEVENT (15): Device events
// - NETLINK_AUDIT (9): Audit system
//
// CVEs USING NETLINK:
// - CVE-2024-1086: nf_tables use-after-free via NETLINK_NETFILTER
// - CVE-2021-22555: Netfilter heap out-of-bounds write
// - CVE-2017-8890: Double free in net/ipv4/inet_connection_sock.c
// - Many other kernel networking vulnerabilities
//
// WHY BLOCK IT:
// 1. No legitimate use for netlink in sandboxed code execution
// 2. Major attack surface for kernel exploits
// 3. Docker blocks AF_NETLINK by default
// 4. Even "safe" netlink operations can leak information
//
// WHY THIS PAYLOAD:
// This payload attempts to create an AF_NETLINK socket with
// NETLINK_NETFILTER protocol - the exact attack vector for
// CVE-2024-1086 and other nf_tables exploits.
//
// EXPECTED RESULT:
// Sandbox should kill the process with SIGSYS (signal 31) when
// socket(AF_NETLINK, ...) is called.
//
// REFERENCES:
// - https://man7.org/linux/man-pages/man7/netlink.7.html
// - CVE-2024-1086: https://github.com/Notselwyn/CVE-2024-1086
// - https://www.sysdig.com/blog/detecting-cve-2024-1086
//
int