Linux Kernel Security (Telegram channel)
Links related to Linux kernel security and exploitation | Chat @linkersec_chat | @xairy @a13xp0p0v
Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)

An article by Valentin Obst and Martin Claus covering the Dirty Pipe vulnerability. The article also suggests a few approaches to investigating Linux kernel bugs.
Yet another bug into Netfilter

An article by Arthur Mongodin about exploiting an out-of-bounds access in the netfilter subsystem to achieve an info-leak. The article also suggests a potential approach to gain privilege escalation.
io_uring - new code, new bugs, and a new exploit technique

Lam Jun Rong published an article that covers analyzing and exploiting CVE-2021-41073, an invalid-free vulnerability in the io_uring subsystem.

This vulnerability has previously been exploited by Valentina Palmiotti, but that exploit relied on eBPF. The new exploit targets Ubuntu 21.10, where eBPF is not available to unprivileged users.
The Android kernel mitigations obstacle race

A great article by Man Yue Mo about exploiting a race condition that leads to a use-after-free vulnerability in the Qualcomm GPU driver for Samsung Galaxy Z Flip3.

The researcher widened the race window to hit the bug reliably, and then bypassed kCFI, automatic variable initialization, and Samsung RKP in the exploit.
TripleCross

A Linux eBPF rootkit providing a backdoor with command and control (C2) capabilities, library injection, execution hijacking, persistence, and hiding.
[CVE-2022-34918] A crack in the Linux firewall

An article by Arthur Mongodin about exploiting a slab-buffer-overflow in the netfilter subsystem.

The exploit uses the unlinking technique from Lam Jun Rong's io_uring exploit.
Corrupting memory without memory corruption

An article by Man Yue Mo about exploiting CVE-2022-20186, an integer overflow in the Arm Mali GPU driver.

The bug allows mapping arbitrary physical pages to the GPU memory with both read and write access. The exploit gets arbitrary kernel code execution on Pixel 6, disables SELinux, and gains root.
PAWNYABLE: Linux Kernel Exploitation

A series of articles in Japanese by ptr-yudai covering various Linux kernel exploitation techniques.
The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)

Xingyu Jin published an article describing the root cause of a race condition in the garbage collection for SCM_RIGHTS.

This bug is used for Android exploitation in the wild.
CVE-2022-29582, an io_uring vulnerability

A detailed and well-written article by Awarau and David Bouman about exploiting a slab use-after-free vulnerability in the io_uring subsystem.

The exploit leverages a cross-cache attack and msg_msg spraying to overwrite a tls_context object and execute a ROP chain to gain root.
Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage

FizzBuzz101 published an article describing the solution to their corCTF challenge Cache of Castaways.

The PoC exploit implemented a cross cache overflow attack against cred structs in isolated slabs.
CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel

D3v17 published an article describing the solution to their corCTF challenge CoRJail.

The PoC exploit used a single null-byte out-of-bounds write to corrupt a poll_list object in the kmalloc-4k slab cache and obtain an arbitrary free primitive.

It allowed the researcher to corrupt a user_key_payload structure and get an out-of-bounds read.

Finally, the researcher used the arbitrary free primitive to corrupt a pipe_buffer structure and hijack the kernel control flow to escape the container.
DirtyCred

A talk by Zhenpeng Lin about an exploitation technique for memory corruptions called DirtyCred.

The technique works by freeing an unprivileged credentials object via a memory corruption and allocating a privileged one in the same slot.
Android Universal Root: Exploiting xPU Drivers

A talk about exploiting Android devices with PowerVR GPUs.
E'rybody Gettin' TIPC: Demystifying Remote Linux Kernel Exploitation

A talk by Sam Page about attempts to exploit CVE-2022-0435, a remotely-triggerable stack overflow in the TIPC protocol.
An exploit primitive in the Linux kernel inspired by DirtyPipe

A brief description of an exploitation technique inspired by the DirtyPipe vulnerability.

The technique works by overwriting the flags field of a pipe_buffer object with PIPE_BUF_FLAG_CAN_MERGE via a memory corruption. This allows changing the contents of an arbitrary read-only file via the splicing trick used by DirtyPipe.
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

A detailed write-up by Cedric Halbronn, Alex Plaskett, and Fidgeting Bits about exploiting a slab use-after-free bug in the netfilter subsystem.
Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools

Slides from a talk by Andrey Konovalov about Sanitizers — a family of Linux kernel bug detectors.

The talk covers:

🐧 Implementation of the Generic mode of KASAN
🔥 Brief overview of other Sanitizers
🗡 Tips on extending KASAN and KMSAN to find more bugs
How I started chasing speculative type confusion bugs in the kernel and ended up with 'real' ones

Jakob Koschel gave a talk (slides, video) at the Linux Plumbers Conference about a tool for discovering speculative type confusion bugs in the Linux kernel. He described how this research suddenly led to the kernel upgrading from C89 to C11.
Attacking the Android kernel using the Qualcomm TrustZone

An article by Tamir Zahavi-Brunner about exploiting the Android kernel via a memory corruption in Qualcomm's TrustZone implementation.