Linux Kernel Security – Telegram
Links related to Linux kernel security and exploitation | Chat @linkersec_chat | @xairy @a13xp0p0v
CVE-2021-44733: Fuzzing and exploitation of a use-after-free in the Linux kernel TEE subsystem

An article about a bug in the Trusted Execution Environment subsystem. By Patrik Lantz.

The bug was found by syzkaller; descriptions are included in the article. An exploit for controlling the program counter (PC) is also provided, along with instructions for reproducing it. The exploit does not bypass PAN.
Automated RE of Kernel Configurations

Brandon Miller published an article about his Binary Ninja plugin that analyzes Linux kernel binaries to recover kernel configuration options.

This tool is called bn-kconfig-recover. It can help when a kernel binary has CONFIG_IKCONFIG disabled.

Not all kconfig options are supported. Work on this tool is in progress.
Linux kernel exploit development tutorial

ChrisTheCoolHut published a GitBook tutorial about writing Linux kernel exploits along with the source code for tasks and their solutions.
CVE-2021-45608: NetUSB RCE Flaw in Millions of End User Routers

Max Van Amerongen published an analysis of a vulnerability in the NetUSB proprietary driver, which is used in products of many network device vendors.

The researcher briefly describes the exploitation strategy but does not share many details.
CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers

An article describing an exploit for a slab-out-of-bounds bug in the fsconfig syscall handler. By FizzBuzz101, @clubby789, @ryaagard, @Chronos190, @ginkoid, and @chop0_.

The authors managed to both get LPE on the Ubuntu kernel and escape the kCTF infrastructure container, and thus claim the kCTF VRP bounty.

The bug was found with syzkaller, and it was also reported by syzbot.
CVE-2022-0185: Linux kernel slab out-of-bounds write: exploit and writeup

An article by @lockedbyte with another write-up for the slab-out-of-bounds bug in the fsconfig syscall handler. The exploit is attached to the oss-security post.
CVE-2022-0435: Linux Kernel Remote Stack Overflow

Samuel Page disclosed a remotely and locally reachable stack overflow in Transparent Inter-Process Communication (TIPC).

This bug has existed since kernel version 4.8. For RCE, a vulnerable system must have the TIPC module loaded and a TIPC bearer enabled.

Samuel also posted a funny overview of his experience in disclosing Linux kernel vulnerabilities.
Linux kernel Use-After-Free (CVE-2021-23134) PoC

An article by @Awarau1 about exploiting a use-after-free in NFC sockets to leak /etc/shadow.

Amusingly, the article uses TeX formatting on the web to explain the exploit.
Zenith: Linux kernel RCE exploit for NetUSB driver

Axel Souchet published the Zenith exploit used at Pwn2Own Austin 2021.

Zenith exploits a memory corruption vulnerability in the NetUSB proprietary driver to get remote code execution on the TP-Link Archer C7 V5 router.

This router has no KASLR and an executable kernel heap (unbelievable!).
CVE-2022-0185: Exploiting a kernel heap buffer overflow for LPE

clubby789 published a detailed write-up about discovering and exploiting CVE-2022-0185 in the FS subsystem of the Linux kernel.

Exploit primitives:
▪️Kernel pointer leak and arbitrary write using msg_msg
▪️Exploiting FUSE to control the race condition
▪️Overwriting the modprobe_path for privilege escalation
How to simplify exploiting CVE-2021-26708 using sshd

HardenedVault published a nice write-up that describes how to simplify my PoC exploit for CVE-2021-26708 in the Linux kernel.

They discovered how to perform heap spraying in the cred_jar slab cache for privilege escalation.
The Dirty Pipe Vulnerability

An article by Max Kellermann about Dirty Pipe — a logical bug in the memory subsystem that allows writing to read-only files. The provided proof-of-concept works starting from Linux kernel version 5.8 released in August 2020.

The exploit makes the kernel merge a page cache entry belonging to a read-only file with another entry belonging to a pipe and thus writable by the user. This allows overwriting the in-memory contents of the read-only file.

Extending the proof-of-concept provided by Max Kellermann, Blasty has published an exploit for overwriting the contents of a SUID binary and getting root privileges.

Update: Another exploit. This one overwrites /etc/password. By Arinerron.
Exploiting CVE-2021-41073 in io_uring

Valentina Palmiotti published an excellent write-up about exploiting a type confusion in io_uring to gain root privileges.

This bug allows freeing arbitrary slab allocations from the kmalloc-32 cache.

Valentina described how she constructed these exploit primitives:

✔️ UAF in kmalloc-32
✔️ Kernel heap info-leak
✔️ Control flow hijacking
✔️ Illegal privilege escalation

The researcher also described her experience with responsible disclosure.
Compilers: The Old New Security Frontier

Brad Spengler published the slides from his talk at BlueHat IL 2022.

He gave an overview of open problems in operating system security and described how compiler plugins could help.
The Discovery and Exploitation of CVE-2022-25636

Nick Gregory published an article about exploiting a heap out-of-bounds write in netfilter. The researcher managed to hijack the kernel control flow.
Racing against the clock — hitting a tiny kernel race window

An article by Jann Horn on using hardware timers to widen race condition windows.

Jann applied his method to a race condition in the garbage collector for unix sockets, which had a race window of only 12 instructions.

The article also contains Jann's investigations on the precision of hardware timers in Intel CPUs.
CVE-2022-27666: Exploit esp6 module in Linux kernel

Xiaochen Zou, aka ETenal, published an article on exploiting a page_alloc out-of-bounds write in the esp6 crypto module.

The researcher:

1️⃣ performed page-level heap fengshui to gain a page_alloc-to-slab overflow,

2️⃣ constructed arbitrary read/write using the msg_msg kernel object,

3️⃣ finally achieved root privileges via modprobe_path overwrite.

The article comes with excellent animated diagrams.
How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables

A detailed article by David Bouman about exploiting an integer overflow leading to a limited stack out-of-bounds read/write in the nf_tables module.

The exploit constructs a filter whose logic depends on the value of a kernel address that happens to be on the stack. This way, it leaks the KASLR offset by observing the side-effects.

The exploit then builds a ROP chain that leaves the softirq context where the bug is triggered, switches to the root network namespace, and gains root privileges.
Writing a Linux Kernel Remote [Exploit] in 2022

An article by Samuel Page (@sam4k1) about writing an exploit for a remotely triggerable stack buffer overflow in TIPC (CVE-2022-0435).

Assuming the absence of KASLR and the Stack Protector, the exploit overwrites the stack with a ROP chain that hooks a syscall to hijack a root process.
Looking for Remote Code Execution bugs in the Linux kernel

I wrote an article about fuzzing the Linux kernel network stack externally with syzkaller.

The article covers:

🧰 Introduction to syzkaller
💉 Using TUN/TAP for injecting packets into the kernel
🚚 Patching TUN/TAP for collecting coverage via KCOV
👽 Adding pseudo-syscalls for network fuzzing
🗄 Describing packet structure in syzlang
🏆 Showcases of found bugs

In the article, I put a focus on the presentation: highlighted syzlang code, made interactive snippets, added side notes that are actually on the side. I also implemented a dynamic table of contents (only visible on large screens).

The described work was done a few years ago, but I consider it still relevant. The recent trend of looking for remote Linux kernel exploits is quite exciting! I hope to see even more research in this area.
Learning Linux kernel exploitation — Part 2 — CVE-2022-0847

A detailed article by 0xricksanchez about the Dirty Pipe vulnerability and its exploitation. The article also recaps Dirty Cow and compares it to Dirty Pipe.