Exploit Engineering – Attacking the Linux Kernel
A talk (slides) by Alex Plaskett and Cedric Halbronn about approaches to finding, triaging, and exploiting Linux kernel bugs.
During the talk, the speakers announced libslub — a GDB extension for examining SLUB object addresses and metadata.
https://www.offensivecon.org/speakers/2023/alex-plaskett-and-cedric-halbronn.html
Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution
A talk by Guillaume Teissier and Quentin Minster about remotely exploiting two slab corruption bugs in the KSMBD module.
The exploit achieves remote code execution but requires having valid SMB authentication credentials to trigger the bugs.
https://www.offensivecon.org/speakers/2023/guillaume-teissier-and-quentin-minster.html
Rooting with root cause: finding a variant of a Project Zero bug
Yet another article by Man Yue Mo about exploiting the Arm Mali GPU driver.
Man Yue Mo used a race condition bug to make the GPU access freed memory and gained root from the untrusted_app context on Pixel 6.
The GitHub Blog
CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver
An article about exploiting a logical bug in the fault handler implementation of udmabuf mappings.
The exploit shared by Eloi Sanfelix gains root on Ubuntu. Triggering the bug requires the user to be in the kvm group.
labs.bluefrostsecurity.de
Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability
An article by Vu Thi Lan about exploiting a slab use-after-free bug in the netfilter subsystem.
The shared exploit gains root on Ubuntu.
STAR Labs
UNCONTAINED: Uncovering Container Confusion in the Linux Kernel
A paper (overview) by Jakob Koschel, Pietro Borrello, et al. about finding type confusion bugs in container_of invocations.
Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel
An article by Nicolas Wu about the Dirty Pagetable exploitation technique.
Dirty Pagetable enables using a slab bug to overwrite userspace Page Table Entries and gain arbitrary read/write access to physical memory.
To demonstrate the technique, Nicolas Wu and Ye Zhang wrote a few exploits, including one for CVE-2023-21400, a racy slab double-free in the io_uring subsystem. The exploit gains root on Pixel 7.
No CVE for this bug which has never been in the official kernel
Javier P Rufo published an article about exploiting a slab use-after-free bug in the ptrace subsystem via a cross-cache attack.
A new method for container escape using file-based DirtyCred
An article by Choo Yi Kai about escaping a Docker container by overwriting /proc/sys/kernel/modprobe via the DirtyCred exploitation technique.
The article also describes a way to delay the page fault handler via FALLOC_FL_PUNCH_HOLE for winning a race condition, similar to the commonly-used userfaultfd and FUSE-based techniques.
STAR Labs
StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability
An article by Ruihan Li about exploiting StackRot — a locking bug in the virtual memory management subsystem that leads to a UAF-by-RCU vulnerability.
The author also shared an exploit that acquires root privileges in the Google kCTF challenge.
GitHub
GitHub - lrh2000/StackRot: CVE-2023-3269: Linux kernel privilege escalation vulnerability
GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux
An article by Sagi Tzadik and Shir Tamari about finding and exploiting two logical bugs in the OverlayFS implementation on Ubuntu kernels.
wiz.io
Wiz Research discovers CVE-2023-2640 & CVE-2023-32629, 2 privilege escalation vulnerabilities in Ubuntu's OverlayFS module impacting 40% of cloud workloads.
Bad io_uring: A New Era of Rooting for Android
Slides from a talk by Zhenpeng Lin about exploiting an invalid-free bug in the io_uring subsystem on Android.
The shared exploit gains root on Pixel 6 and Samsung Galaxy S22.
Linux Kernel Exploit (CVE-2022-32250) with mqueue
An article about exploiting a slab use-after-free bug in the netfilter subsystem.
The shared exploit escalates privileges to root on the Ubuntu kernel.
Medium
CVE-2023-3389 - LinkedPoll
Querijn Voet published an article about exploiting a race condition causing a use-after-free in the io_uring subsystem.
X (formerly Twitter)
Qyn (@qynln) on X
Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023
An article by Tanguy Dubroca about exploiting a stack out-of-bounds bug in the netfilter subsystem (yet again).
The shared exploit gains root privileges on Ubuntu.
Synacktiv
CVE-2023-4273: a vulnerability in the Linux exFAT driver
An article by Maxim Suhanov about bypassing the kernel lockdown by exploiting a stack buffer-overflow in the exFAT driver.
My DFIR Blog
Rustproofing Linux
A four-part article describing the vulnerability classes that may exist in Linux kernel modules written in Rust.
▪️Part 1 is about leaking kernel addresses
▪️Part 2 describes race conditions
▪️Part 3 discusses integer overflows
▪️Part 4 goes through shared memory bugs
NCC Group
Tickling and unleashing ksmbd
Two articles about fuzzing and remotely exploiting ksmbd — the Linux kernel SMB module — by notselwyn.
The first article describes how the author used syzkaller and KCOV for coverage-guided fuzzing of ksmbd.
The second article demonstrates how to exploit two of the found bugs: a null-pointer-dereference that leads to a DoS and an out-of-bounds read that leads to an info-leak.
Pwning Tech
Tickling ksmbd: fuzzing SMB in the Linux kernel
Analyzing a Modern In-the-wild Android Exploit
An article by Seth Jenkins about analyzing the kernel privilege escalation stage of an Android exploit detected in the wild.
The analyzed stage used a locking bug in the ALSA subsystem and a poorly designed interface feature of the Mali GPU driver to achieve an arbitrary read/write primitive from the system_server context.
projectzero.google
kernel-hardening-checker
My open source tool for checking the security hardening options of the Linux kernel got a new name: kernel-hardening-checker.
Now it supports checking:
1️⃣ Kconfig options (compile-time)
2️⃣ Kernel cmdline arguments (boot-time)
3️⃣ Sysctl parameters (runtime)
GitHub
GitHub - a13xp0p0v/kernel-hardening-checker: A tool for checking the security hardening options of the Linux kernel