Achieving Linux Kernel Code Execution Through a Malicious USB Device
A Black Hat Europe 2021 talk about exploiting a double-free in the USB MIDI driver over USB. The exploit works against USB host devices whose kernel code section is writable. By Martijn Bogaard and Dana Geist.
This is the first Linux-kernel-host-code-execution-over-USB exploit known to me.
The exploit is based on the bug I found a few years ago. However, my exploit required cooperating userspace, so it didn't really count. Happy to see a purely USB one!
Exploiting a USB host from the device side is hard due to limited control: the device can only respond to the host's requests. You can't simply start sending messages for heap shaping, etc. You need to find a way to make the kernel ask for them.
SLUB overflow CVE-2021-42327
A concise article about exploiting a slab buffer-overflow bug in the AMD GPU driver. By Thelford Williams.
The author didn't have access to an AMD GPU, so they manually replicated the vulnerable code. The exploit uses msg_msg elastic objects to leak a kernel address, overwrites a slab freelist pointer so that a later allocation lands on memory containing modprobe_path, and overwrites that path for code execution.
The blog
CVE-2021-42327 GPU kernel driver SLUB overflow
Introduction
This year's education module on kernel security at pwn.college
Agenda of lectures and exercises:
🔘 Introduction
🔘 Environment Setup
🔘 Kernel Modules
🔘 Privilege Escalation
🔘 Escaping Seccomp
🔘 Memory Management
See more details in the announcement by Zardus.
pwn.college
Module: Kernel Security
Learn to hack!
Deep discussion of my pkill_on_warn version 2 on LKML
Topics:
⚙️ Fail-Fast principle
⚙️ Kernel error handling policy
⚙️ Safety-critical system design
⚙️ BUG_ON() vs WARN_ON()
⚙️ Brainstorming ideas
See this email thread if you're interested in system software development.
I don't think that pkill_on_warn version 3 will appear, though.
Fall of the machines: Exploiting the Qualcomm NPU kernel driver
An article about exploiting a use-after-free and two info-leaks in the Qualcomm Neural Processing Unit driver. By Man Yue Mo.
The exploit leaks pointers via info-leaks, overwrites and triggers a function pointer via a racy CPU/NPU use-after-free, runs arbitrary eBPF code via __bpf_prog_run32, disables SELinux by overwriting unprotected selinux_enforcing, and launches a shell via call_usermodehelper.
The article mentions that while Samsung's NPU driver is now restricted by SELinux, Qualcomm's is not. This makes the latter a target for untrusted_app->root exploits on devices with Qualcomm chipsets.
Fuzzing the Linux kernel yet again
A text version of my PHDays "Fuzzing the Linux kernel" talk is now available in both English and Russian.
Contains an overview of Linux kernel fuzzing approaches and related tips.
Thanks to folks from @xakep_ru for transcribing and translating!
Links to the original talk: slides, video (ru), video (en-dub).
XAKEP
Fluff up the penguin! Looking at the ways to fuzz the Linux kernel
For the last five years I have been hunting for vulnerabilities in the Linux kernel with fuzzing. Over those years I have accumulated a collection of links and tooling. Here I describe the available ways to fuzz the kernel and give advice to beginning researchers who decide to take up this topic.
Exploiting CVE-2021-43267 — a bug in the TIPC module
Blasty published an article on how to escalate privileges via a slab buffer overflow in the Transparent Inter-Process Communication (TIPC) module. A PoC is provided as well.
The vulnerability was previously discovered by maxpl0it, and it's claimed to be exploitable both locally and remotely.
haxx.in
Exploiting CVE-2021-43267
Exploiting a heap overflow in the TIPC subsystem of the Linux kernel. In this post we’ll exploit a N-day vulnerability (CVE-2021-43267) originally discovered by Max van Amerongen.
[CVE-2021-42008] Exploiting a 16-Year-Old Vulnerability in the Linux 6pack Driver
The researcher D3v17 published an article about exploiting an old heap out-of-bounds write in the N_6PACK tty line discipline. This bug was reported by syzbot.
[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver
CVE-2021-42008 is a Slab-Out-Of-Bounds Write vulnerability in the Linux 6pack driver caused by a missing size validation check in the decode_data function. A malicious input from a process with CAP_NET_ADMIN capability can lead to an overflow in the cooked_buf…
CVE-2021-1048: refcount increment on mid-destruction file
This vulnerability analysis was published by Jann Horn in the "0-days In-the-Wild" blog maintained by Google Project Zero. However, they have no exploit sample to analyze.
This is an object state confusion leading to a UAF. It was patched in the upstream Linux kernel, but the fix was not picked up by some Android vendors.
Jann says this situation is similar to the "Bad Binder" case.
Struggle with slab freelist hardening in a CTF task
Kileak described the solution of a kernel task IPS from VULNCON CTF. The researcher had a hard fight against SLAB_FREELIST_RANDOM and SLAB_FREELIST_HARDENED.
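The AMD GPU write-up above relies on overwriting a slab freelist pointer, and this CTF write-up shows how much harder that gets once SLAB_FREELIST_HARDENED is on. The following is an added example, not code from either write-up or from the kernel itself: a user-space model of the obfuscation SLUB applies to the per-object free pointer (mm/slub.c, freelist_ptr(), in its 5.7+ form with swab()), the naive double-free check in set_freepointer(), and the arithmetic an attacker needs to forge a pointer anyway. The cache secret and all addresses are constructed values; the struct is a stand-in for the relevant fields of struct kmem_cache, not the real layout.

```c
/* Added example: model of SLUB freelist pointer hardening.
 *
 * With CONFIG_SLAB_FREELIST_HARDENED the pointer stored in a free object is
 *     stored = next ^ s->random ^ swab(address_of_the_stored_pointer)
 * so a slab overflow that blindly writes a target address into a free
 * neighbour's free pointer yields garbage after decoding. The attacker needs
 * s->random, which can be recovered from one leaked encoded pointer whose
 * plaintext is known (classically the last free object, whose next is NULL),
 * plus the leaking object's own address.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint64_t kaddr_t;

/* Stand-in for the fields of struct kmem_cache that the obfuscation uses. */
struct kmem_cache_model {
    kaddr_t  random;  /* s->random: per-cache secret chosen at cache creation */
    uint32_t offset;  /* s->offset: position of the free pointer inside an object */
};

/* swab() of an unsigned long on a 64-bit kernel. */
static kaddr_t swab64(kaddr_t x) { return __builtin_bswap64(x); }

/* Address of the free pointer inside the object at obj. */
static kaddr_t freeptr_addr(const struct kmem_cache_model *s, kaddr_t obj)
{
    return obj + s->offset;
}

/* freelist_ptr(): encode 'next' for storage at ptr_addr. XOR is an involution,
 * so the same function also decodes a stored value. */
static kaddr_t freelist_ptr(const struct kmem_cache_model *s, kaddr_t ptr, kaddr_t ptr_addr)
{
    return ptr ^ s->random ^ swab64(ptr_addr);
}

/* What the allocator will hand out if an attacker writes 'target' raw into the
 * free pointer of victim_obj (the unhardened strategy). */
static kaddr_t blind_overwrite_result(const struct kmem_cache_model *s, kaddr_t victim_obj, kaddr_t target)
{
    return freelist_ptr(s, target, freeptr_addr(s, victim_obj));
}

/* Recover s->random from a leaked encoded pointer with known plaintext. */
static kaddr_t recover_random(kaddr_t leaked_stored, kaddr_t known_next, kaddr_t ptr_addr)
{
    return leaked_stored ^ known_next ^ swab64(ptr_addr);
}

/* The value to write into victim_obj's free pointer so the next allocation
 * from this slab returns 'target'. */
static kaddr_t forge_freelist_value(kaddr_t recovered_random, kaddr_t victim_obj, uint32_t offset, kaddr_t target)
{
    return target ^ recovered_random ^ swab64(victim_obj + offset);
}

/* set_freepointer() does BUG_ON(object == fp) under the hardening: a second
 * free of the object at the head of the list is caught, an interleaved one is not. */
static bool set_freepointer_rejects(kaddr_t object, kaddr_t fp) { return object == fp; }

/* Full scenario: leak -> recover secret -> forge -> decode lands on target. */
static bool demo_forge_roundtrip(void)
{
    /* Constructed values, not real kernel addresses or a real secret. */
    struct kmem_cache_model s = { .random = 0x1d2c3b4a59687776ULL, .offset = 0 };
    kaddr_t victim = 0xffff888012345000ULL;  /* free object we can overflow into */
    kaddr_t target = 0xffffffff82a1b2c0ULL;  /* e.g. memory holding modprobe_path */
    kaddr_t addr   = freeptr_addr(&s, victim);

    kaddr_t stored = freelist_ptr(&s, 0, addr);           /* victim is last in list */
    bool blind_fails = blind_overwrite_result(&s, victim, target) != target;
    kaddr_t rnd = recover_random(stored, 0, addr);        /* needs addr from a leak */
    kaddr_t forged = forge_freelist_value(rnd, victim, s.offset, target);
    bool forged_ok = freelist_ptr(&s, forged, addr) == target;

    printf("stored=0x%016llx blind_fails=%d random_ok=%d forged_ok=%d\n",
           (unsigned long long)stored, blind_fails, rnd == s.random, forged_ok);
    return blind_fails && rnd == s.random && forged_ok;
}

int main(void) { return demo_forge_roundtrip() ? 0 : 1; }
```

Note that SLAB_FREELIST_RANDOM only shuffles the initial order of objects in a slab; it makes the plaintext 'next' unpredictable but does not change the arithmetic above, which is why a single address leak plus a known-NULL tail is enough to undo both mitigations.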
Ubuntu LPE exploit from Pwn2Own
Flatt Security published a whitepaper on exploiting a Linux kernel eBPF vulnerability that yields an out-of-bounds read/write primitive.
They used it against Ubuntu Desktop 20.10 at Pwn2Own 2021.
Nice improvement in my Linux Kernel Defence Map.
See how the Control Flow Hijack part looks now ⬆️
I'd appreciate your feedback.
Attacking Samsung RKP
An article by Alexandre Adamski about vulnerabilities in Real-time Kernel Protection (RKP) on Samsung phones. Two of the bugs found allow bypassing certain RKP restrictions, and the third allows compromising RKP itself.
The article is a follow-up to A Samsung RKP Compendium, which describes the internals of Samsung RKP.
Impalabs
Attacking Samsung RKP
This is a follow-up to our compendium blog post that presented the internals of Samsung's security hypervisor, including all the nitty-gritty details. This extensive knowledge is put to use in today's blog post that explains how we attacked Samsung RKP. After…
Usenix 2021
Papers on Linux kernel security presented at USENIX Security 2021 back in August:
— SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning [paper] [slides] [video] presented by Daimeng Wang.
— ExpRace: Exploiting Kernel Races through Raising Interrupts [paper] [slides] [video] presented by Yoochan Lee.
— SHARD: Fine-Grained Kernel Specialization with Context-Aware Hardening [paper] [slides] [video] presented by Muhammad Abubakar.
— Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking [paper] [slides] [video] presented by Xin Tan.
— An Investigation of the Android Kernel Patch Ecosystem [paper] [slides] [video] presented by Zheng Zhang.
— Undo Workarounds for Kernel Bugs [paper] [slides] [video] presented by Seyed Mohammadjavad Seyed Talebi.
— An Analysis of Speculative Type Confusion Vulnerabilities in the Wild [paper] [slides] [video] presented by Ofek Kirzner.
CVE-2021-44733: Fuzzing and exploitation of a use-after-free in the Linux kernel TEE subsystem
An article about a bug in the Trusted Execution Environment subsystem. By Patrik Lantz.
The bug was found by syzkaller; descriptions are included in the article. An exploit that gains control of the PC (program counter) is also provided, along with instructions for reproducing it. The exploit does not bypass PAN.
GitHub
optee-qemu/README.md at main · pjlantz/optee-qemu
Environment with vulnerable kernel for exploitation of the TEE driver (CVE-2021-44733) - pjlantz/optee-qemu
Automated RE of Kernel Configurations
Brandon Miller published an article about his Binary Ninja plugin that analyzes Linux kernel binaries to recover kernel configuration options.
This tool is called bn-kconfig-recover. It can help when a kernel binary has CONFIG_IKCONFIG disabled.
Not all kconfig options are supported. Work on this tool is in progress.
Linux kernel exploit development tutorial
ChrisTheCoolHut published a GitBook tutorial about writing Linux kernel exploits along with the source code for tasks and their solutions.
breaking-bits.gitbook.io
Linux kernel exploit development | Breaking Bits
CVE-2021-45608: NetUSB RCE Flaw in Millions of End User Routers
Max Van Amerongen published an analysis of a vulnerability in the NetUSB proprietary driver, which is used in products of many network device vendors.
The researcher briefly describes the exploitation strategy but does not share many details.
SentinelOne
CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers
SentinelLabs has discovered a high severity flaw in NetUSB which could be remotely exploited to execute code in the kernel.
CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers
An article describing an exploit for a slab-out-of-bounds bug in the fsconfig syscall handler. By FizzBuzz101, @clubby789, @ryaagard, @Chronos190, @ginkoid, and @chop0_.
The authors managed both to get LPE on the Ubuntu kernel and to escape the kCTF infrastructure container, and thus claimed the kCTF VRP bounty.
The bug was found with syzkaller, and it was also reported by syzbot.
www.willsroot.io
CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers
Vulnerability Research on Low-Level Systems
CVE-2022-0185: Linux kernel slab out-of-bounds write: exploit and writeup
An article by @lockedbyte with another write-up for the slab-out-of-bounds bug in the fsconfig syscall handler. The exploit is attached to the oss-security post.