Privilege escalation exploit for CVE-2023-0386 in OverlayFS
A privilege escalation exploit by xkaneiki for a logical bug in OverlayFS. Exploitation requires unprivileged user namespaces enabled.
Following the exploit, Ryan Simon et al. published an article describing the exploitation process.
A privilege escalation exploit by xkaneiki for a logical bug in OverlayFS. Exploitation requires unprivileged user namespaces enabled.
Following the exploit, Ryan Simon et al. published an article describing the exploitation process.
GitHub
GitHub - xkaneiki/CVE-2023-0386: CVE-2023-0386在ubuntu22.04上的提权
CVE-2023-0386在ubuntu22.04上的提权. Contribute to xkaneiki/CVE-2023-0386 development by creating an account on GitHub.
👍8
Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel
A talk (slides) by Moshe Kol about exploiting a slab use-after-free bug in the Android Binder IPC.
The exploit achieves kernel arbitrary read/write primitives from the unstrusted_app context and obtains root privileges on Pixel 6.
Moshe also published an article about their exploit.
A talk (slides) by Moshe Kol about exploiting a slab use-after-free bug in the Android Binder IPC.
The exploit achieves kernel arbitrary read/write primitives from the unstrusted_app context and obtains root privileges on Pixel 6.
Moshe also published an article about their exploit.
YouTube
OffensiveCon23 - Moshe Kol - Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel
https://www.offensivecon.org/speakers/2023/moshe-kol.html
👍8🔥5
Exploit Engineering – Attacking the Linux Kernel
A talk (slides) by Alex Plaskett and Cedric Halbronn about approaches to finding, triaging, and exploiting Linux kernel bugs.
During the talk, the speakers announced libslub — a GDB extension for examining SLUB object addresses and metadata.
A talk (slides) by Alex Plaskett and Cedric Halbronn about approaches to finding, triaging, and exploiting Linux kernel bugs.
During the talk, the speakers announced libslub — a GDB extension for examining SLUB object addresses and metadata.
YouTube
OffensiveCon23 - Alex Plaskett & Cedric Halbronn - Exploit Engineering – Attacking the Linux Kernel
https://www.offensivecon.org/speakers/2023/alex-plaskett-and-cedric-halbronn.html
👍11🔥3
Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution
A talk by Guillaume Teissier and Quentin Minster about remotely exploiting two slab corruption bugs in the KSMBD module.
The exploit achieves remote code execution but requires having valid SMB authentication credentials to trigger the bugs.
A talk by Guillaume Teissier and Quentin Minster about remotely exploiting two slab corruption bugs in the KSMBD module.
The exploit achieves remote code execution but requires having valid SMB authentication credentials to trigger the bugs.
YouTube
OffensiveCon23 - Guillaume Teissier and Quentin Minster
Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution
https://www.offensivecon.org/speakers/2023/guillaume-teissier-and-quentin-minster.html
https://www.offensivecon.org/speakers/2023/guillaume-teissier-and-quentin-minster.html
🔥2🤔1
Rooting with root cause: finding a variant of a Project Zero bug
Yet another article by Man Yue Mo about exploiting the Arm Mali GPU driver.
Man Yue Mo used a race condition bug to make GPU access freed memory and gained root from the untrusted_app context on Pixel 6.
Yet another article by Man Yue Mo about exploiting the Arm Mali GPU driver.
Man Yue Mo used a race condition bug to make GPU access freed memory and gained root from the untrusted_app context on Pixel 6.
The GitHub Blog
Rooting with root cause: finding a variant of a Project Zero bug
In this blog, I’ll look at CVE-2022-46395, a variant of CVE-2022-36449 (Project Zero issue 2327), and use it to gain arbitrary kernel code execution and root privileges from the untrusted app domain on an Android phone that uses the Arm Mali GPU. I’ll also…
👍4
CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver
An article about exploiting a logical bug in the fault handler implementation of udmabuf mappings.
The exploit shared by Eloi Sanfelix gains root on Ubuntu. Triggering the bug requires the user to be in the kvm group.
An article about exploiting a logical bug in the fault handler implementation of udmabuf mappings.
The exploit shared by Eloi Sanfelix gains root on Ubuntu. Triggering the bug requires the user to be in the kvm group.
labs.bluefrostsecurity.de
CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver | Bluefrostsecurity
🔥5👍1🤔1🎉1
Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability
An article by Vu Thi Lan about exploiting a slab use-after-free bug in the netfilter subsystem.
The shared exploit gains root on Ubuntu.
An article by Vu Thi Lan about exploiting a slab use-after-free bug in the netfilter subsystem.
The shared exploit gains root on Ubuntu.
STAR Labs
Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability
Background The discovery and analysis of vulnerabilities is a critical aspect of cybersecurity research. Today, we will dive into CVE-2023-1829, a vulnerability in the cls_tcindex network traffic classifier found by Valis. We will explore the process of exploiting…
🔥10👍2
UNCONTAINED: Uncovering Container Confusion in the Linux Kernel
A paper (overview) by Jakob Koschel, Pietro Borrello, et al. about finding type confusion bugs in container_of invocations.
A paper (overview) by Jakob Koschel, Pietro Borrello, et al. about finding type confusion bugs in container_of invocations.
🔥14👍3🎉1
Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel
An article by Nicolas Wu about the Dirty Pagetable exploitation technique.
Dirty Pagetable enables using a slab bug to overwrite userspace Page Table Entries and gain arbitrary read/write access to physical memory.
To demonstrate the technique, Nicolas Wu and Ye Zhang wrote a few exploits, including one for CVE-2023-21400, a racy slab double-free in the io_uring subsystem. The exploit gains root on Pixel 7.
An article by Nicolas Wu about the Dirty Pagetable exploitation technique.
Dirty Pagetable enables using a slab bug to overwrite userspace Page Table Entries and gain arbitrary read/write access to physical memory.
To demonstrate the technique, Nicolas Wu and Ye Zhang wrote a few exploits, including one for CVE-2023-21400, a racy slab double-free in the io_uring subsystem. The exploit gains root on Pixel 7.
👍14🔥4
No CVE for this bug which has never been in the official kernel
Javier P Rufo published an article about exploiting a slab use-after-free bug in the ptrace subsystem via a cross-cache attack.
Javier P Rufo published an article about exploiting a slab use-after-free bug in the ptrace subsystem via a cross-cache attack.
👏6👍1
A new method for container escape using file-based DirtyCred
An article by Choo Yi Kai about escaping a Docker container by overwriting /proc/sys/kernel/modprobe via the DirtyCred exploitation technique.
The article also describes a way to delay the page fault handler via FALLOC_FL_PUNCH_HOLE for winning a race condition, similar to the commonly-used userfaultfd and FUSE–based techniques.
An article by Choo Yi Kai about escaping a Docker container by overwriting /proc/sys/kernel/modprobe via the DirtyCred exploitation technique.
The article also describes a way to delay the page fault handler via FALLOC_FL_PUNCH_HOLE for winning a race condition, similar to the commonly-used userfaultfd and FUSE–based techniques.
STAR Labs
A new method for container escape using file-based DirtyCred
Recently, I was trying out various exploitation techniques against a Linux kernel vulnerability, CVE-2022-3910. After successfully writing an exploit which made use of DirtyCred to gain local privilege escalation, my mentor Billy asked me if it was possible…
👍7
StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability
An article by Ruihan Li about exploiting StackRot — a locking bug in the virtual memory management subsystem that leads to a UAF-by-RCU vulnerability.
The author also shared an exploit that acquires root privileges in the Google kCTF challenge.
An article by Ruihan Li about exploiting StackRot — a locking bug in the virtual memory management subsystem that leads to a UAF-by-RCU vulnerability.
The author also shared an exploit that acquires root privileges in the Google kCTF challenge.
GitHub
GitHub - lrh2000/StackRot: CVE-2023-3269: Linux kernel privilege escalation vulnerability
CVE-2023-3269: Linux kernel privilege escalation vulnerability - lrh2000/StackRot
👏4👍2🔥2
GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux
An article by Sagi Tzadik and Shir Tamari about finding and exploiting two logical bugs in the OverlayFS implementation on Ubuntu kernels.
An article by Sagi Tzadik and Shir Tamari about finding and exploiting two logical bugs in the OverlayFS implementation on Ubuntu kernels.
wiz.io
GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
Wiz Research discovers CVE-2023-2640 & CVE-2023-32629, 2 privilege escalation vulnerabilities in Ubuntu's OverlayFS module impacting 40% of cloud workloads.
👍4
Bad io_uring: A New Era of Rooting for Android
Slides from a talk by Zhenpeng Lin about exploiting an invalid-free bug in the io_uring subsystem on Android.
The shared exploit gains root on Pixel 6 and Samsung Galaxy S22
Slides from a talk by Zhenpeng Lin about exploiting an invalid-free bug in the io_uring subsystem on Android.
The shared exploit gains root on Pixel 6 and Samsung Galaxy S22
👍5😱4
Linux Kernel Exploit (CVE-2022–32250) with mqueue
An article about exploiting a slab use-after-free bug in the netfilter subsystem.
The shared exploit escalates privileges to root on the Ubuntu kernel.
An article about exploiting a slab use-after-free bug in the netfilter subsystem.
The shared exploit escalates privileges to root on the Ubuntu kernel.
Medium
Linux Kernel Exploit (CVE-2022–32250) with mqueue
Background
👍4
CVE-2023-3389 - LinkedPoll
Querijn Voet published an article about exploiting a race condition causing a use-after-free in the io_uring subsystem.
Querijn Voet published an article about exploiting a race condition causing a use-after-free in the io_uring subsystem.
X (formerly Twitter)
Qyn (@qynln) on X
CTF player @WreckTheLine
👍5🔥1
Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023
An article by Tanguy Dubroca about exploiting a stack out-of-bounds bug in the netfilter subsystem (yet again).
The shared exploit gains root privileges on Ubuntu.
An article by Tanguy Dubroca about exploiting a stack out-of-bounds bug in the netfilter subsystem (yet again).
The shared exploit gains root privileges on Ubuntu.
Synacktiv
Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023
👍6👏3
CVE-2023-4273: a vulnerability in the Linux exFAT driver
An article by Maxim Suhanov about bypassing the kernel lockdown by exploiting a stack buffer-overflow in the exFAT driver.
An article by Maxim Suhanov about bypassing the kernel lockdown by exploiting a stack buffer-overflow in the exFAT driver.
My DFIR Blog
CVE-2023-4273: a vulnerability in the Linux exFAT driver
According to the exFAT file system specification, the maximum length of a file name is 255 characters (UTF-16LE): The FileName field shall contain a Unicode string, which is a portion of the file n…
👍6
Rustproofing Linux
Four-part article describing the vulnerability classes that may exist in the Linux kernel modules written in Rust language.
▪️Part 1 is about leaking kernel addresses
▪️Part 2 describes race conditions
▪️Part 3 discusses integer overflows
▪️Part 4 goes through shared memory bugs
Four-part article describing the vulnerability classes that may exist in the Linux kernel modules written in Rust language.
▪️Part 1 is about leaking kernel addresses
▪️Part 2 describes race conditions
▪️Part 3 discusses integer overflows
▪️Part 4 goes through shared memory bugs
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
👍21