A newly disclosed Linux Local Privilege Escalation (LPE) vulnerability, dubbed “PinTheft,” has been made public together with a proof-of-concept (PoC) exploit by Aaron Esau of the V12 security team. The flaw lets a local, unprivileged attacker gain root by exploiting a double-free bug in the Reliable Datagram Sockets (RDS) zerocopy send path. A kernel patch is already available, and its availability is what prompted the researchers to release the PoC.
Understanding the PinTheft Exploit
PinTheft joins a growing list of Linux kernel vulnerabilities that show how hard it is to get error handling right in complex networking and I/O subsystems. The bug lives in the RDS zerocopy send path: rds_message_zcopy_from_user() pins the user pages of a send one after another, and if a page fault occurs part-way through, the error path releases the pages it has already pinned twice. Each failed send therefore drops one more reference on those pages than the kernel ever took, which lets an attacker drive a page's reference count down at will and free a page that is still in use.
The PoC uses io_uring to turn that extra drop into something useful. Registering a buffer with io_uring pins its pages, and the exploit uses this to put a bias of 1024 references on an anonymous page it controls. It then issues RDS zerocopy sends that are guaranteed to fail; each one strips away one of those references, until the page is freed out from under its remaining users and the attacker is left holding a dangling page pointer. Stealing pinned references this way is what gives the exploit its name.
Exploitation Methodology
The PoC follows a fixed sequence designed to reach root without leaving the system permanently damaged. It starts by picking a world-readable SUID-root binary such as /usr/bin/su or /usr/bin/mount and saving a backup copy of it. It then sets up two pages, marking one of them PROT_NONE so that every RDS zerocopy send that touches it faults at a predictable point.
Next it registers the target page as a fixed buffer with IORING_REGISTER_BUFFERS, which adds the reference bias. A child process keeps the registered buffer open so that io_buffer_unmap() cannot run and corrupt the pages. The exploit then performs 1024 failing RDS zerocopy sends, each of which drops the first page's reference count twice instead of once. Once the extra drops have consumed the bias, the page is freed while the exploit still holds it; the page cache can then reclaim it and the exploit rewrites it with a malicious payload, so that executing the SUID binary runs that payload as root.
Mitigation and Security Recommendations
The exploitation technique itself is architecture-independent, but the embedded ELF that spawns the root shell is built for x86_64. Triggering the bug requires a kernel built with CONFIG_RDS and CONFIG_RDS_TCP and with io_uring enabled. Default exposure is therefore limited: of the distributions tested, Arch Linux is the main one that is vulnerable in its stock configuration.
Administrators should apply the latest kernel updates from their distribution. Where patching is not immediately possible, blacklisting the RDS modules removes the vulnerable code path: configure modprobe so that rds and rds_tcp cannot be loaded at boot or on demand, and unload them from any running system where they are already present. The PoC lands amid a wave of Linux exploit disclosures, a reminder that memory-corruption bugs in complex kernel subsystems still need prompt attention.
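As an added example that is not part of the V12 write-up or the PinTheft PoC, here is a POSIX shell script that does the two things the paragraph asks for: it reports whether the host has RDS loaded or enabled (and whether io_uring is open to unprivileged users), and it writes the modprobe.d fragment that keeps the RDS modules from loading. The rds_rdma module name, the /boot/config path and the kernel.io_uring_disabled sysctl are assumptions of the example, not details from the advisory.

```shell
#!/bin/sh
# Added example, not part of the V12 write-up or the PinTheft PoC: report whether a
# host exposes the RDS modules and write a modprobe.d fragment that blocks them.
# Assumptions (not stated on the page): RDS ships as rds, rds_tcp and rds_rdma;
# the kernel config lives at /boot/config-$(uname -r); the io_uring sysctl
# kernel.io_uring_disabled (0 = on, 1 = CAP_SYS_ADMIN only, 2 = off) is present.

# Print the RDS modules found in a /proc/modules-style listing read from stdin,
# so it works on the live file as well as on a saved copy.
rds_loaded_modules() {
    awk '$1 == "rds" || $1 ~ /^rds_/ { print $1 }'
}

# Succeed if a kernel .config read from stdin builds RDS in (y) or as a module (m).
rds_config_enabled() {
    grep -Eq '^CONFIG_RDS(_TCP)?=(y|m)$'
}

# Succeed if the kernel.io_uring_disabled value read from stdin denies io_uring
# to unprivileged users; the exploit needs io_uring to build its reference bias.
io_uring_restricted() {
    read -r v || v=0
    case "$v" in 1|2) return 0 ;; *) return 1 ;; esac
}

# The modprobe.d fragment. "blacklist" drops the module's internal aliases, so
# socket(AF_RDS, ...) no longer autoloads it; "install <mod> /bin/false" also
# makes an explicit "modprobe rds" by name fail.
rds_blacklist_conf() {
    cat <<'EOF'
# Block Reliable Datagram Sockets modules (PinTheft mitigation)
install rds /bin/false
install rds_tcp /bin/false
install rds_rdma /bin/false
blacklist rds
blacklist rds_tcp
blacklist rds_rdma
EOF
}

# Apply on a live host (root): write the fragment, then unload dependents before rds.
rds_apply_mitigation() {
    rds_blacklist_conf > /etc/modprobe.d/disable-rds.conf
    for m in rds_tcp rds_rdma rds; do
        if rds_loaded_modules < /proc/modules | grep -qx "$m"; then
            modprobe -r "$m" || echo "warning: could not unload $m (in use?)" >&2
        fi
    done
}

# Report only (safe as an ordinary user); call rds_apply_mitigation as root to enforce.
if [ -r /proc/modules ]; then
    loaded=$(rds_loaded_modules < /proc/modules)
    echo "loaded RDS modules: ${loaded:-none}"
fi
cfg=/boot/config-$(uname -r)
if [ -r "$cfg" ]; then
    rds_config_enabled < "$cfg" && echo "kernel config: RDS enabled" || echo "kernel config: RDS off"
fi
if [ -r /proc/sys/kernel/io_uring_disabled ]; then
    io_uring_restricted < /proc/sys/kernel/io_uring_disabled \
        && echo "io_uring: restricted" || echo "io_uring: available to all users"
fi
```

Run it as a normal user for the report; source it in a root shell and call rds_apply_mitigation to enforce. Both keywords are used deliberately: blacklist is what stops the on-demand load when a process opens an AF_RDS socket, while the install lines also fail a by-name modprobe from a service or script. Unloading only succeeds if nothing still holds an RDS socket open, so check the warning output on busy hosts.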
