SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
A detailed write-up by Cedric Halbronn, Alex Plaskett, and Fidgeting Bits about exploiting a slab use-after-free bug in the netfilter subsystem.
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools
Slides from a talk by Andrey Konovalov about Sanitizers — a family of Linux kernel bug detectors.
The talk covers:
🐧 Implementation of the Generic mode of KASAN
🔥 Brief overview of other Sanitizers
🗡 Tips on extending KASAN and KMSAN to find more bugs
Google Docs
2022, LSS Europe: Sanitizing the Linux kernel
Sanitizing the Linux kernel On KASAN and other Dynamic Bug-finding Tools Andrey Konovalov, xairy.io Linux Security Summit Europe September 16th 2022
How I started chasing speculative type confusion bugs in the kernel and ended up with 'real' ones
Jakob Koschel gave a talk (slides, video) at the Linux Plumbers Conference about the tool for discovering speculative type confusion bugs in the Linux kernel. He described how this research suddenly led to the kernel upgrading from C89 to C11.
Attacking the Android kernel using the Qualcomm TrustZone
An article by Tamir Zahavi-Brunner about exploiting the Android kernel via a memory corruption in Qualcomm's TrustZone implementation.
Tamir Zahavi-Brunner’s Blog
Attacking the Android kernel using the Qualcomm TrustZone
In this post I describe a somewhat unique Android kernel exploit, which utilizes the TrustZone in order to compromise the kernel.
[CVE-2022-1786] A Journey To The Dawn
A thrilling article by kylebot about exploiting a race condition that leads to a double-free in the io_uring subsystem and winning a kCTF bounty.
The exploit uses novel techniques: overwriting binfmt structures instead of modprobe_path and using fork and msleep to safely return to userspace after executing a ROP chain.
kylebot's Blog
[CVE-2022-1786] A Journey To The Dawn
Introduction. Back in April, I found a 0-day vulnerability in the Linux kernel and exploited it on Google’s kCTF platform. I reported the bug to Linux kernel security team and helped them fix the vulnera
Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse
An article by Mathias Krause about creating a mitigation for same-type same-address use-after-free bugs affecting the file and cred structures. Mathias also provided a set of exploits that was used to test the mitigation.
grsecurity.net
Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse
This blog covers a difficult-to-defend subclass of use-after-free vulnerabilities in the Linux kernel, grsecurity's defense for it, and why our defense required compiler plugin involvement. Included PoC exploits demonstrate the power and simplicity of this…
A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain
An article by Maddie Stone covering an exploit chain for Exynos-based Samsung phones that relies on two kernel bugs.
The exploit bypasses KASLR by triggering a warning and reading the report from the kernel log. The exploit then uses a use-after-free of the file structure in the DECON driver to gain AARW by controlling addr_limit.
Blogspot
A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain
Posted by Maddie Stone, Project Zero Note : The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 re...
Exploiting CVE-2022-42703 - Bringing back the stack attack
An article by Seth Jenkins about exploiting a slab use-after-free side effect of a logical bug in the memory subsystem found by Jann Horn.
Seth used a cross-cache attack to overwrite an anon_vma structure and gain a limited arbitrary-write primitive. Seth then modified the context saved to the fixed-address cpu_entry_area region during a hardware exception. This made it possible to corrupt the size passed to copy_to/from_user calls and thus get controlled stack read and write buffer overflows.
The article additionally expands on how KASLR is useless against local attackers due to side-channel vulnerabilities.
Blogspot
Exploiting CVE-2022-42703 - Bringing back the stack attack
Seth Jenkins, Project Zero This blog post details an exploit for CVE-2022-42703 (P0 issue 2351 - Fixed 5 September 2022), a bug Jann Horn ...
EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)
An article about using Meltdown to bypass KASLR despite KPTI being enabled.
This bypass method has been known for a while.
www.willsroot.io
EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)
Vulnerability Research on Low-Level Systems
Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg
Sergi Martinez published an article about exploiting CVE-2022-32250, a slab use-after-free in the netfilter subsystem. Unlike the existing public exploits for this bug, Sergi's exploit targets kernel version 5.18.1, where both the vulnerable object and msg_msg are allocated in kmalloc-cg-* slab caches.
Exodus Intelligence
Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg - Exodus Intelligence
By Sergi Martinez Overview It’s been a while since our last technical blogpost, so here’s one right on time for the Christmas holidays. We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache…
DirtyCred Remastered: how to turn an UAF into Privilege Escalation
LukeGix and Alessandro Groppo published two articles about exploiting CVE-2022-2602, another use-after-free in the io_uring subsystem.
They used inode locking for pausing a kernel thread during UAF exploitation. To escalate privileges, the researchers employed the DirtyCred file exploitation technique.
LukeGix
DirtyCred Remastered
DirtyCred Remastered: how to turn an UAF into Privilege Escalation
Exploiting null-dereferences in the Linux kernel
Seth Jenkins published an article about turning a refcount-incrementing side effect of a null-deref kernel bug into a slab double-free.
projectzero.google
Exploiting null-dereferences in the Linux kernel - Project Zero
Posted by Seth Jenkins, Project Zero For a fair amount of time, null-deref bugs were a highly exploitable kernel bug class. Back when the kernel was able t...
Pwning the all Google phone with a non-Google bug
An article by Man Yue Mo about getting root from the untrusted app domain on Pixel 6 via a slab use-after-free in the Arm Mali GPU driver.
The researcher also points out a patch gap in Android and provides a list of bugs that were exploitable for months after becoming public.
The GitHub Blog
Pwning the all Google phone with a non-Google bug
It turns out that the first “all Google” phone includes a non-Google bug. Learn about the details of CVE-2022-38181, a vulnerability in the Arm Mali GPU. Join me on my journey through reporting the vulnerability to the Android security team, and the exploit…
The code that wasn't there: Reading memory on an Android device by accident
An article by Man Yue Mo about exploiting a missing cache flush in the Qualcomm Adreno GPU driver.
The author showed how to use the bug to leak kernel memory and bypass KASLR on Android.
The GitHub Blog
The code that wasn't there: Reading memory on an Android device by accident
CVE-2022-25664, a vulnerability in the Qualcomm Adreno GPU, can be used to leak large amounts of information to a malicious Android application. Learn more about how the vulnerability can be used to leak information in both the user space and kernel space…
Rooting the FiiO M6
Jack Maginnes published two articles about finding and exploiting a stack buffer overflow in the old Android-based FiiO M6 MP3 player.
Stigward’s Security Journal
Rooting the FiiO M6 - Part 1 - Using the “World’s Worst Fuzzer” To Find A Kernel Bug
Overview: A few months ago, I was cleaning off my hardware workbench when I came across my FiiO M6, an Android-based “portable high-resolution lossless music player”. I originally purchased the device to aid in my language learning studies and dabble in the…
Pwning Pixel 6 with a leftover patch
An article by Man Yue Mo about exploiting a logical bug in the Arm Mali GPU driver on Pixel 6.
Man Yue Mo used the bug to make the GPU access freed memory and gained root from the untrusted_app context.
The GitHub Blog
Pwning Pixel 6 with a leftover patch
In this post, I’ll look at a security-related change in version r40p0 of the Arm Mali driver that was AWOL in the January update of the Pixel bulletin, where other patches from r40p0 were applied, and how these two lines of changes can be exploited to gain…
Privilege escalation exploit for CVE-2023-0386 in OverlayFS
A privilege escalation exploit by xkaneiki for a logical bug in OverlayFS. Exploitation requires unprivileged user namespaces to be enabled.
Following the exploit, Ryan Simon et al. published an article describing the exploitation process.
GitHub
GitHub - xkaneiki/CVE-2023-0386: CVE-2023-0386 privilege escalation on ubuntu22.04
CVE-2023-0386 privilege escalation on ubuntu22.04. Contribute to xkaneiki/CVE-2023-0386 development by creating an account on GitHub.
Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel
A talk (slides) by Moshe Kol about exploiting a slab use-after-free bug in the Android Binder IPC.
The exploit achieves kernel arbitrary read/write primitives from the untrusted_app context and obtains root privileges on Pixel 6.
Moshe also published an article about their exploit.
YouTube
OffensiveCon23 - Moshe Kol - Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel
https://www.offensivecon.org/speakers/2023/moshe-kol.html
Exploit Engineering – Attacking the Linux Kernel
A talk (slides) by Alex Plaskett and Cedric Halbronn about approaches to finding, triaging, and exploiting Linux kernel bugs.
During the talk, the speakers announced libslub — a GDB extension for examining SLUB object addresses and metadata.
YouTube
OffensiveCon23 - Alex Plaskett & Cedric Halbronn - Exploit Engineering – Attacking the Linux Kernel
https://www.offensivecon.org/speakers/2023/alex-plaskett-and-cedric-halbronn.html