PAWNYABLE: Linux Kernel Exploitation
A series of articles in Japanese by ptr-yudai covering various Linux kernel exploitation techniques.
The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)
Xingyu Jin published an article describing the root cause of a race condition in the garbage collection for SCM_RIGHTS.
This bug is used for Android exploitation in the wild.
CVE-2022-29582, an io_uring vulnerability
A detailed and well-written article by Awarau and David Bouman about exploiting a slab use-after-free vulnerability in the io_uring subsystem.
The exploit leverages a cross-cache attack and msg_msg spraying to overwrite a tls_context object and execute a ROP chain to gain root.
This post covers an interesting vulnerability we (Jayden and David) found in the io_uring subsystem of the Linux kernel.
Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage
FizzBuzz101 published an article describing a solution of their corCTF challenge Cache of Castaways.
The PoC exploit implemented a cross cache overflow attack against cred structs in isolated slabs.
CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel
D3v17 published an article describing the solution of their corCTF challenge CoRJail.
The PoC exploit used a single null-byte out-of-bounds write to corrupt a poll_list object in the kmalloc-4k slab cache and obtain an arbitrary free primitive.
This allowed the researcher to corrupt a user_key_payload structure and obtain an out-of-bounds read.
Finally, the researcher used the arbitrary free primitive to corrupt a pipe_buffer structure and hijack the kernel control flow to escape the container.
CoRJail is a kernel exploitation challenge designed for corCTF 2022. Players were asked to escape from a hardened Docker container with custom seccomp filters by exploiting an off-by-null vulnerability in a Linux kernel module accessible via procfs. With this…
DirtyCred
A talk by Zhenpeng Lin about an exploitation technique for memory corruptions called DirtyCred.
The technique works by freeing an unprivileged credentials object via a memory corruption and allocating a privileged one in the same slot.
Android Universal Root: Exploiting xPU Drivers
A talk about exploiting Android devices with PowerVR GPUs.
An exploit primitive in the Linux kernel inspired by DirtyPipe
A brief description of an exploitation technique inspired by the DirtyPipe vulnerability.
The technique works by overwriting the flags field of a pipe_buffer object with PIPE_BUF_FLAG_CAN_MERGE via a memory corruption. This allows changing the contents of an arbitrary read-only file via the splicing trick used by DirtyPipe.
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
A detailed write-up by Cedric Halbronn, Alex Plaskett, and Fidgeting Bits about exploiting a slab use-after-free bug in the netfilter subsystem.
Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools
Slides from a talk by Andrey Konovalov about Sanitizers — a family of Linux kernel bug detectors.
The talk covers:
🐧 Implementation of the Generic mode of KASAN
🔥 Brief overview of other Sanitizers
🗡 Tips on extending KASAN and KMSAN to find more bugs
Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools. Andrey Konovalov, xairy.io. Linux Security Summit Europe, September 16th 2022.
How I started chasing speculative type confusion bugs in the kernel and ended up with 'real' ones
Jakob Koschel gave a talk (slides, video) at the Linux Plumbers Conference about the tool for discovering speculative type confusion bugs in the Linux kernel. He described how this research suddenly led to the kernel upgrading from C89 to C11.
Attacking the Android kernel using the Qualcomm TrustZone
An article by Tamir Zahavi-Brunner about exploiting the Android kernel via a memory corruption in Qualcomm's TrustZone implementation.
In this post I describe a somewhat unique Android kernel exploit, which utilizes the TrustZone in order to compromise the kernel.
[CVE-2022-1786] A Journey To The Dawn
A thrilling article by kylebot about exploiting a race condition that leads to a double-free in the io_uring subsystem and winning a kCTF bounty.
The exploit uses novel techniques: overwriting binfmt structures instead of modprobe_path and using fork and msleep to safely return to userspace after executing a ROP chain.
Introduction. Back in April, I found a 0-day vulnerability in the Linux kernel and exploited it on Google’s kCTF platform. I reported the bug to the Linux kernel security team and helped them fix the vulnera…
Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse
An article by Mathias Krause about creating a mitigation for same-type same-address use-after-free bugs affecting the file and cred structures. Mathias also provided a set of exploits that was used to test the mitigation.
This blog covers a difficult-to-defend subclass of use-after-free vulnerabilities in the Linux kernel, grsecurity's defense for it, and why our defense required compiler plugin involvement. Included PoC exploits demonstrate the power and simplicity of this…
A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain
An article by Maddie Stone covering an exploit chain for Exynos-based Samsung phones that relies on two kernel bugs.
The exploit bypasses KASLR by triggering a warning and reading the report from the kernel log. The exploit then uses a use-after-free of the file structure in the DECON driver to gain AARW by controlling addr_limit.
Posted by Maddie Stone, Project Zero. Note: The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 re…
Exploiting CVE-2022-42703 - Bringing back the stack attack
An article by Seth Jenkins about exploiting a slab use-after-free side effect of a logical bug in the memory subsystem found by Jann Horn.
Seth used a cross-cache attack to overwrite an anon_vma structure and gain a limited arbitrary-write primitive. Seth then modified the context saved to the fixed-address cpu_entry_area region during a hardware exception. This made it possible to corrupt the size passed to copy_to/from_user calls and thus obtain controlled stack read and write buffer overflows.
The article additionally expands on how KASLR is useless against local attackers due to side-channel vulnerabilities.
Seth Jenkins, Project Zero. This blog post details an exploit for CVE-2022-42703 (P0 issue 2351, fixed 5 September 2022), a bug Jann Horn…
EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)
An article about using Meltdown to bypass KASLR despite enabled KPTI.
This bypass method has been known for a while.
Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg
Sergi Martinez published an article about exploiting CVE-2022-32250, a slab use-after-free in the netfilter subsystem. Unlike the existing public exploits for this bug, Sergi's exploit targets kernel version 5.18.1, where both the vulnerable object and msg_msg are allocated in kmalloc-cg-* slab caches.
By Sergi Martinez. Overview: It’s been a while since our last technical blogpost, so here’s one right on time for the Christmas holidays. We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache…
DirtyCred Remastered: how to turn an UAF into Privilege Escalation
LukeGix and Alessandro Groppo published two articles about exploiting CVE-2022-2602, another use-after-free in the io_uring subsystem.
They used inode locking to pause a kernel thread during UAF exploitation. To escalate privileges, the researchers employed the DirtyCred file exploitation technique.