Exploiting Dirty Pipe on Android
Two publications about exploiting Dirty Pipe on Android. Both use similar techniques without additional vulnerabilities.
1. Notes and an exploit by polygraphene.
2. Slides by Giovanni Rocca.
Source: GitHub, polygraphene/DirtyPipe-Android (TECHNICAL-DETAILS.md), a Dirty Pipe root exploit for Android (Pixel 6).
Tetragone: A Lesson in Security Fundamentals
An article by Pawel Wieczorkiewicz and Brad Spengler about bypassing post-exploitation detection provided by Tetragon.
The article also expands on the impossibility of preventing malicious post-exploitation activity if the prevention component works at the same privilege level as the attacked code.
Similar concerns affect LKRG. Check out the LKRG bypass article by Alexander Popov for the details.
Source: grsecurity.net, "Tetragone: A Lesson in Security Fundamentals" (the bypass of the eBPF-based observability and mitigation tool Tetragon was developed within two hours of first setting up the tool).
A Kernel Hacker Meets Fuchsia OS
Alexander Popov (me) published an article about hacking the Zircon microkernel of Fuchsia OS.
Experience in Linux kernel security helped to assess Fuchsia OS from the attacker's point of view.
Summary:
🟪 Fuchsia security architecture
🟪 Exploit development experiments for the Zircon microkernel
🟪 PoC attack planting a rootkit into the microkernel
Source: Alexander Popov, "A Kernel Hacker Meets Fuchsia OS" (Fuchsia is a general-purpose open-source operating system by Google, based on the Zircon microkernel written in C++).
kconfig-hardened-check: new feature
kconfig-hardened-check is a tool for checking the security hardening options of the Linux kernel.
Initially, it supported checking compile-time Kconfig options that are relevant for security.
Now the tool can also check the kernel command line options, i.e. the boot parameters.
Source: GitHub, a13xp0p0v/kernel-hardening-checker, a tool for checking the security hardening options of the Linux kernel.
Fuzzing USB with Raw Gadget
Slides and video from a talk by Andrey Konovalov on fuzzing USB drivers.
The talk covers:
🤖 Raw Gadget — a new interface for emulating USB devices
🪶 Fuzzing in a VM via virtual USB controllers
🔌 Reproducing found bugs via Raspberry Pi Zero
Source: Google Docs, "Fuzzing USB with Raw Gadget", Andrey Konovalov (xairy.io), BSides Munich, May 16th 2022.
Linux kernel heap feng shui in 2022
An article by Michael S and Vitaly Nikolenko describing the kernel changes that affected exploitation techniques for slab-related vulnerabilities over the last few years.
Source: Duasynt, "Linux kernel heap feng shui in 2022" by Michael S and Vitaly Nikolenko.
Two eBPF exploits
Exploits for two bugs in the eBPF code, CVE-2021-4204 and CVE-2022-23222, by tr3e with brief write-ups in Chinese.
Source: GitHub, tr3ee/CVE-2021-4204 (Linux kernel eBPF local privilege escalation).
Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)
An article by Valentin Obst and Martin Claus covering the Dirty Pipe vulnerability. The article also suggests a few approaches to investigating Linux kernel bugs.
Source: lolcads tech blog, "Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)" (the bug was originally discovered and described by Max Kellermann, whose publication the authors recommend reading first).
Yet another bug into Netfilter
An article by Arthur Mongodin about exploiting an out-of-bounds access in the netfilter subsystem to achieve an info-leak. The article also suggests a potential approach to gain privilege escalation.
io_uring - new code, new bugs, and a new exploit technique
Lam Jun Rong published an article that covers analyzing and exploiting CVE-2021-41073, an invalid-free vulnerability in the io_uring subsystem.
This vulnerability had previously been exploited by Valentina Palmiotti, but that exploit relied on eBPF. The new exploit targets Ubuntu 21.10, where eBPF is not available to unprivileged users.
The Android kernel mitigations obstacle race
A great article by Man Yue Mo about exploiting a race condition that leads to a use-after-free vulnerability in the Qualcomm GPU driver for Samsung Galaxy Z Flip3.
The researcher widened the race window to hit the bug reliably, and then bypassed kCFI, automatic variable initialization, and Samsung RKP in the exploit.
Source: The GitHub Blog, "The Android kernel mitigations obstacle race" (CVE-2022-22057, a use-after-free in the Qualcomm GPU kernel driver, exploited from the untrusted app sandbox on a Samsung Z Flip3 to gain root and disable SELinux).
TripleCross
A Linux eBPF rootkit providing a backdoor with command and control (C2) capabilities, library injection, execution hijacking, persistence, and hiding.
[CVE-2022-34918] A crack in the Linux firewall
An article by Arthur Mongodin about exploiting a slab-buffer-overflow in the netfilter subsystem.
The exploit uses the unlinking technique from Lam Jun Rong's io_uring exploit.
Corrupting memory without memory corruption
An article by Man Yue Mo about exploiting CVE-2022-20186, an integer overflow in the Arm Mali GPU driver.
The bug allows mapping arbitrary physical pages to the GPU memory with both read and write access. The exploit gets arbitrary kernel code execution on Pixel 6, disables SELinux, and gains root.
Source: The GitHub Blog, "Corrupting memory without memory corruption" (CVE-2022-20186 in the Arm Mali GPU kernel driver, exploited from an untrusted app on a Pixel 6).
PAWNYABLE: Linux Kernel Exploitation
A series of articles in Japanese by ptr-yudai covering various Linux kernel exploitation techniques.
Source: PAWNYABLE!, "Linux Kernel Exploitation".
The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)
Xingyu Jin published an article describing the root cause of a race condition in the garbage collection for SCM_RIGHTS.
This bug has been used for Android exploitation in the wild.
CVE-2022-29582, an io_uring vulnerability
A detailed and well-written article by Awarau and David Bouman about exploiting a slab use-after-free vulnerability in the io_uring subsystem.
The exploit leverages a cross-cache attack and msg_msg spraying to overwrite a tls_context object and execute a ROP chain to gain root.
Source: "CVE-2022-29582" on the authors' blog (Computer security and related topics), covering the vulnerability Jayden and David found in the io_uring subsystem of the Linux kernel.
Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage
FizzBuzz101 published an article describing the solution to their corCTF challenge Cache of Castaways.
The PoC exploit implements a cross-cache overflow attack against cred structs in isolated slabs.
Source: www.willsroot.io, "Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage".
CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel
D3v17 published an article describing the solution to their corCTF challenge CoRJail.
The PoC exploit uses a single null-byte out-of-bounds write to corrupt a poll_list object in the kmalloc-4k slab cache and obtain an arbitrary free primitive.
This primitive allows the researcher to corrupt a user_key_payload structure and get an out-of-bounds read.
Finally, the researcher uses the arbitrary free primitive to corrupt a pipe_buffer structure and hijack the kernel control flow to escape the container.
Source: "[corCTF 2022] CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel" (players had to escape a hardened Docker container with custom seccomp filters by exploiting an off-by-null vulnerability in a Linux kernel module accessible via procfs).
DirtyCred
A talk by Zhenpeng Lin about an exploitation technique for memory corruptions called DirtyCred.
The technique works by freeing an unprivileged credentials object via a memory corruption and allocating a privileged one in the same slot.
Android Universal Root: Exploiting xPU Drivers
A talk about exploiting Android devices with PowerVR GPUs.