The Art of Exploiting UAF by Ret2bpf in Android Kernel by Xingyu Jin and Richard Neal
Slides for the talk about exploiting an Android kernel UAF bug (CVE-2021-0399) through ret2bpf.
https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20The%20Art%20of%20Exploiting%20UAF%20by%20Ret2bpf%20in%20Android%20Kernel%20-%20Xingyu%20Jin%20&%20Richard%20Neal.pdf
Solving the Kernote CTF task from 0CTF/TCTF Final 2021 by Matteo Rizzo
Nice writeup about exploiting UAF in the Linux kernel and using pt_regs for the ROP chain.
https://org.anize.rs/0CTF-2021-finals/pwn/kernote
Mitigating Linux kernel memory corruptions with Arm Memory Tagging
Memory tagging is coming to kill all of your favorite Linux kernel exploits.
I'll be premiering my "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" LSS talk on YouTube in 24 hours. Please join in! I'll be in the YouTube chat during the talk to answer questions.
https://www.youtube.com/watch?v=UwMt0e_dC_Q
The video is now public. The slides are here.
Linux Plumbers 2021
A few security-related talks from the Linux Plumbers conference this year:
- Detecting semantic bugs using differential fuzzing by Mara Mihali [video] [slides]
- Compiler Features for Kernel Security by Kees Cook [slides] [video]
- Rust for Linux by Miguel Ojeda [slides] [video]
- Android drivers in Rust by Wedson Almeida Filho [slides] [video]
- A proof-carrying approach to building correct and flexible BPF verifiers by Luke Nelson [slides] [video]
And there are many generic Linux and Android kernel–related talks, see the schedule and YouTube.
pkill_on_warn
I've got an idea that can improve the Linux kernel security and safety. It's inspired by the exploit dev practice.
See my patch introducing pkill_on_warn: https://lore.kernel.org/linux-doc/20210929185823.499268-1-alex.popov@linux.com/T/#u
It provoked an interesting discussion with the Linux kernel rockstars, including Linus.
An eBPF fuzzer
A proof-of-concept fuzzer targeting bugs in eBPF JIT. Implemented by zerons. Inspired by a related article by Simon Scannell.
How a simple Linux kernel memory corruption bug can lead to complete system compromise
An article by Jann Horn describing an exploit for a locking bug leading to a corrupted reference counter in the TTY subsystem. The article also thoroughly discusses ways to mitigate memory corruption bugs.
The exploit frees a buggy slab object, leaving a dangling reference to it, flushes the page containing the object back to the page allocator, reallocates that page and fills it with a page table, and then corrupts the page table via the dangling reference to gain write access to the text segment of a setuid binary.
SuDump: Exploiting suid binaries through the kernel
An article by Itai Greenhut covering a logical bug in the Linux kernel coredump generation code.
The researchers failed to find a way to exploit the bug in default distro configurations, but they showed how to gain root privileges on Ubuntu when a user is allowed to run at least one binary as root through sudo.
Exciting to see a logical bug as a change from all those countless memory corruptions.
Virtio snapshotting with KVM VMI for fuzzing
Tamas Lengyel posted the instructions for fuzzing KVM/virtio snapshots on Xen:
https://github.com/intel/kernel-fuzzer-for-xen-project/wiki/Virtio-snapshotting-with-KVM-VMI
Blue Klotski (CVE-2021-3573) and the story for fixing
An article by f0rm2l1n about an LPE exploit for a use-after-free bug in the Bluetooth stack. Triggering requires CAP_NET_ADMIN.
CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution
An article about a remotely-triggerable slab-buffer-overflow in the packet parsing paths for the TIPC protocol. By Max Van Amerongen.
The bug was found with CodeQL. Neither a remote nor a local exploit is provided. The TIPC module needs to be loaded manually for the bug to be triggerable.
CVE-2021-34866 Writeup
An article covering exploitation of a type confusion in the eBPF subsystem. By HexRabbit. Written in Chinese.
The exploit requires having CAP_BPF (or CAP_SYS_ADMIN on older systems) in the root user namespace.
Linux Security Summit 2021
Talks on Linux kernel security:
— CVEHound: Audit Kernel Sources for Missing CVE Fixes by Denis Efremov [slides] [video]: A tool to detect missing CVE fixes in given kernel sources based on manually-written Coccinelle rules; covers 300 CVEs at the moment.
— Kernel Self-Protection Project by Kees Cook [slides] [video]: New security features in kernel versions 5.3–5.16.
— Triaging Kernel Out-Of-Bounds Write Vulnerabilities by Weiteng Chen [slides] [video]: Automating exploitation of out-of-bounds bugs to achieve IP-hijacking.
— Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel by Xiaochen Zou [slides] [video] [LWN writeup]: Assessing security impact of Syzkaller-found bugs via symbolic execution.
— Finding Multiple Bug Effects for More Precise Exploitability Estimation by Zhenpeng Lin and Yueqi Chen [slides] [video]: Assessing security impact of Syzkaller-found bugs via targeted fuzzing.
And the already mentioned:
— Mitigating Linux Kernel Memory Corruptions with ARM Memory Tagging by Andrey Konovalov [slides] [video]: Using Arm Memory Tagging to protect the kernel against memory corruption exploits.
Achieving Linux Kernel Code Execution Through a Malicious USB Device
A Black Hat Europe 2021 talk about exploiting a double-free in the USB MIDI driver over USB. The exploit works against devices with a writable code section. By Martijn Bogaard and Dana Geist.
This is the first Linux-kernel-host-code-execution-over-USB exploit known to me.
The exploit is based on the bug I found a few years ago. However, my exploit required cooperating userspace, so it didn't really count. Happy to see a purely USB one!
Exploiting a USB host from the device side is hard due to limited control: the device can only respond to the host's requests. You can't simply start sending messages for heap shaping, etc. You need to find a way to make the kernel ask for those.
SLUB overflow CVE-2021-42327
A concise article about exploiting a slab buffer-overflow bug in the AMD GPU driver. By Thelford Williams.
The author didn't have access to an AMD GPU, so they manually replicated the vulnerable code. The exploit uses msg_msg elastic objects to leak a kernel address, overwrites a slab freelist pointer, allocates memory containing modprobe_path, and overwrites it for code execution.
This year's education module on kernel security at pwn.college
Agenda of lectures and exercises:
🔘 Introduction
🔘 Environment Setup
🔘 Kernel Modules
🔘 Privilege Escalation
🔘 Escaping Seccomp
🔘 Memory Management
See more details in the announcement by Zardus.
Deep discussion of my pkill_on_warn version 2 on LKML
Topics:
⚙️ Fail-Fast principle
⚙️ Kernel error handling policy
⚙️ Safety-critical system design
⚙️ BUG_ON() vs WARN_ON()
⚙️ Brainstorming ideas
See this email thread if you're interested in system software development.
I don't think that pkill_on_warn version 3 will appear, though.