A new method for container escape using file-based DirtyCred
An article by Choo Yi Kai about escaping a Docker container by overwriting /proc/sys/kernel/modprobe via the DirtyCred exploitation technique.
The article also describes a way to delay the page fault handler via FALLOC_FL_PUNCH_HOLE for winning a race condition, similar to the commonly-used userfaultfd and FUSE–based techniques.
An article by Choo Yi Kai about escaping a Docker container by overwriting /proc/sys/kernel/modprobe via the DirtyCred exploitation technique.
The article also describes a way to delay the page fault handler via FALLOC_FL_PUNCH_HOLE for winning a race condition, similar to the commonly-used userfaultfd and FUSE–based techniques.
STAR Labs
A new method for container escape using file-based DirtyCred
Recently, I was trying out various exploitation techniques against a Linux kernel vulnerability, CVE-2022-3910. After successfully writing an exploit which made use of DirtyCred to gain local privilege escalation, my mentor Billy asked me if it was possible…
👍7
StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability
An article by Ruihan Li about exploiting StackRot — a locking bug in the virtual memory management subsystem that leads to a UAF-by-RCU vulnerability.
The author also shared an exploit that acquires root privileges in the Google kCTF challenge.
An article by Ruihan Li about exploiting StackRot — a locking bug in the virtual memory management subsystem that leads to a UAF-by-RCU vulnerability.
The author also shared an exploit that acquires root privileges in the Google kCTF challenge.
GitHub
GitHub - lrh2000/StackRot: CVE-2023-3269: Linux kernel privilege escalation vulnerability
CVE-2023-3269: Linux kernel privilege escalation vulnerability - lrh2000/StackRot
👏4👍2🔥2
GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux
An article by Sagi Tzadik and Shir Tamari about finding and exploiting two logical bugs in the OverlayFS implementation on Ubuntu kernels.
An article by Sagi Tzadik and Shir Tamari about finding and exploiting two logical bugs in the OverlayFS implementation on Ubuntu kernels.
wiz.io
GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
Wiz Research discovers CVE-2023-2640 & CVE-2023-32629, 2 privilege escalation vulnerabilities in Ubuntu's OverlayFS module impacting 40% of cloud workloads.
👍4
Bad io_uring: A New Era of Rooting for Android
Slides from a talk by Zhenpeng Lin about exploiting an invalid-free bug in the io_uring subsystem on Android.
The shared exploit gains root on Pixel 6 and Samsung Galaxy S22
Slides from a talk by Zhenpeng Lin about exploiting an invalid-free bug in the io_uring subsystem on Android.
The shared exploit gains root on Pixel 6 and Samsung Galaxy S22
👍5😱4
Linux Kernel Exploit (CVE-2022–32250) with mqueue
An article about exploiting a slab use-after-free bug in the netfilter subsystem.
The shared exploit escalates privileges to root on the Ubuntu kernel.
An article about exploiting a slab use-after-free bug in the netfilter subsystem.
The shared exploit escalates privileges to root on the Ubuntu kernel.
Medium
Linux Kernel Exploit (CVE-2022–32250) with mqueue
Background
👍4
CVE-2023-3389 - LinkedPoll
Querijn Voet published an article about exploiting a race condition causing a use-after-free in the io_uring subsystem.
Querijn Voet published an article about exploiting a race condition causing a use-after-free in the io_uring subsystem.
X (formerly Twitter)
Qyn (@qynln) on X
CTF player @WreckTheLine
👍5🔥1
Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023
An article by Tanguy Dubroca about exploiting a stack out-of-bounds bug in the netfilter subsystem (yet again).
The shared exploit gains root privileges on Ubuntu.
An article by Tanguy Dubroca about exploiting a stack out-of-bounds bug in the netfilter subsystem (yet again).
The shared exploit gains root privileges on Ubuntu.
Synacktiv
Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023
👍6👏3
CVE-2023-4273: a vulnerability in the Linux exFAT driver
An article by Maxim Suhanov about bypassing the kernel lockdown by exploiting a stack buffer-overflow in the exFAT driver.
An article by Maxim Suhanov about bypassing the kernel lockdown by exploiting a stack buffer-overflow in the exFAT driver.
My DFIR Blog
CVE-2023-4273: a vulnerability in the Linux exFAT driver
According to the exFAT file system specification, the maximum length of a file name is 255 characters (UTF-16LE): The FileName field shall contain a Unicode string, which is a portion of the file n…
👍6
Rustproofing Linux
Four-part article describing the vulnerability classes that may exist in the Linux kernel modules written in Rust language.
▪️Part 1 is about leaking kernel addresses
▪️Part 2 describes race conditions
▪️Part 3 discusses integer overflows
▪️Part 4 goes through shared memory bugs
Four-part article describing the vulnerability classes that may exist in the Linux kernel modules written in Rust language.
▪️Part 1 is about leaking kernel addresses
▪️Part 2 describes race conditions
▪️Part 3 discusses integer overflows
▪️Part 4 goes through shared memory bugs
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
👍21
Tickling and unleashing ksmbd
Two articles about fuzzing and remotely exploiting ksmbd — the Linux kernel SMB module — by notselwyn.
The first article describes how the author used syzkaller and KCOV for coverage-guided fuzzing of ksmbd.
The second article demonstrates how to exploit two of the found bugs: a null-pointer-dereference that leads to a DoS and an out-of-bounds read that leads to an info-leak.
Two articles about fuzzing and remotely exploiting ksmbd — the Linux kernel SMB module — by notselwyn.
The first article describes how the author used syzkaller and KCOV for coverage-guided fuzzing of ksmbd.
The second article demonstrates how to exploit two of the found bugs: a null-pointer-dereference that leads to a DoS and an out-of-bounds read that leads to an info-leak.
Pwning Tech
Tickling ksmbd: fuzzing SMB in the Linux kernel
Following the adventure of manually discovering network-based vulnerabilities in the Linux kernel, I'm adding ksmbd-fuzzing functionality to the already extensive kernel-fuzzing tool that is Syzkaller.
👍5
Analyzing a Modern In-the-wild Android Exploit
An article by Seth Jenkins about analyzing the kernel privilege escalation stage of an Android exploit detected in the wild.
The analyzed stage used a locking bug in the ALSA subsystem and a poorly designed interface feature of the Mali GPU driver to achieve an arbitrary read/write primitive from the system_server context.
An article by Seth Jenkins about analyzing the kernel privilege escalation stage of an Android exploit detected in the wild.
The analyzed stage used a locking bug in the ALSA subsystem and a poorly designed interface feature of the Mali GPU driver to achieve an arbitrary read/write primitive from the system_server context.
projectzero.google
Analyzing a Modern In-the-wild Android Exploit - Project Zero
By Seth Jenkins, Project ZeroIntroductionIn December 2022, Google’s Threat Analysis Group (TAG) discovered an in-the-wild exploit chain targeting Samsu...
👍5
kernel-hardening-checker
My open source tool for checking the security hardening options of the Linux kernel got a new name: kernel-hardening-checker.
Now it supports checking:
1️⃣ Kconfig options (compile-time)
2️⃣ Kernel cmdline arguments (boot-time)
3️⃣ Sysctl parameters (runtime)
My open source tool for checking the security hardening options of the Linux kernel got a new name: kernel-hardening-checker.
Now it supports checking:
1️⃣ Kconfig options (compile-time)
2️⃣ Kernel cmdline arguments (boot-time)
3️⃣ Sysctl parameters (runtime)
GitHub
GitHub - a13xp0p0v/kernel-hardening-checker: A tool for checking the security hardening options of the Linux kernel
A tool for checking the security hardening options of the Linux kernel - a13xp0p0v/kernel-hardening-checker
👍16👏3🤔1
Escaping the Google kCTF Container with a Data-Only Exploit
An article by h0mbre about exploiting a use-after-free on struct file in the io_uring subsystem.
The exploit uses a cross-cache attack to reclaim the freed struct file with a pipe buffer, fakes two different file structs to gain arbitrary address read and write, gets root privileges, and escapes the kernelCTF container.
An article by h0mbre about exploiting a use-after-free on struct file in the io_uring subsystem.
The exploit uses a cross-cache attack to reclaim the freed struct file with a pipe buffer, fakes two different file structs to gain arbitrary address read and write, gets root privileges, and escapes the kernelCTF container.
The Human Machine Interface
Escaping the Google kCTF Container with a Data-Only Exploit
Introduction I’ve been doing some Linux kernel exploit development/study and vulnerability research off and on since last Fall and a few months ago I had some downtime on vacation to sit and challenge myself to write my first data-only exploit for a real…
👍13
Enable MTE on Pixel 8
Instructions for enabling Memory Tagging Extension for the kernel on Pixel 8 by Kees Cook.
The instructions describe how to enable kernel MTE in the reporting mode. Enabling MTE as a mitigation for kernel memory corruptions requires additionally passing
MTE as a kernel mitigation is still an experimental feature and requires improvements as previously pointed out by Mark Brand.
Instructions for enabling Memory Tagging Extension for the kernel on Pixel 8 by Kees Cook.
The instructions describe how to enable kernel MTE in the reporting mode. Enabling MTE as a mitigation for kernel memory corruptions requires additionally passing
kasan.fault=panic to the kernel command-line as pointed out by Andrey Konovalov.MTE as a kernel mitigation is still an experimental feature and requires improvements as previously pointed out by Mark Brand.
👍2🤔1
Exploring Linux's New Random Kmalloc Caches
An article by sam4k about the new CONFIG_RANDOM_KMALLOC_CACHES mitigation.
The article gives an overview of the currently used slab exploitation techniques, provides a deep analysis of the CONFIG_RANDOM_KMALLOC_CACHES implementation, and reasons about how the new mitigation affects the existing techniques.
An article by sam4k about the new CONFIG_RANDOM_KMALLOC_CACHES mitigation.
The article gives an overview of the currently used slab exploitation techniques, provides a deep analysis of the CONFIG_RANDOM_KMALLOC_CACHES implementation, and reasons about how the new mitigation affects the existing techniques.
sam4k
Exploring Linux's New Random Kmalloc Caches
Let's explore the modern kernel heap exploitation meta and how the new RANDOM_KMALLOC_CACHES tries to address it.
👍9🔥2
One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability
Slides by Dongok Kim, SeungHyun Lee, and Insu Yun about exploiting a slab use-after-free in the netfilter subsystem.
The researchers managed to exploit all instances of Google's kernelCTF with the same bug, including the instance with advanced custom mitigations.
This research is also available in text form.
Slides by Dongok Kim, SeungHyun Lee, and Insu Yun about exploiting a slab use-after-free in the netfilter subsystem.
The researchers managed to exploit all instances of Google's kernelCTF with the same bug, including the instance with advanced custom mitigations.
This research is also available in text form.
Hacking Lab
One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability | Hacking Lab
Desktops, servers, cloud computing services, mobile devices, and IoT devices. Linux is the most popular open-source kernel and is used in various IT platforms. Because of the ubiquitous presence of Linux and the characteristic of the kernel which governs…
🔥17👍1
Conquering the memory through io_uring - Analysis of CVE-2023-2598
An article by Yordan Stoychev about exploiting a logical bug in the io_uring subsystem. The bug leads to the out-of-bounds read/write access to the physical memory.
In the shared exploit, the author leaked and corrupted a sock structure to bypass KASLR and spawn a root shell via call_usermodehelper.
An article by Yordan Stoychev about exploiting a logical bug in the io_uring subsystem. The bug leads to the out-of-bounds read/write access to the physical memory.
In the shared exploit, the author leaked and corrupted a sock structure to bypass KASLR and spawn a root shell via call_usermodehelper.
a place of anatomical precision
Conquering the memory through io_uring - Analysis of CVE-2023-2598
A logic bug in io_uring leading to Local Privilege Escalation
👍12
Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt
Slides by Jean-Baptiste Cayrou about analyzing an inode locking issue in the shiftfs filesystem in Ubuntu.
The presenter focuses on how they turned the locking issue into a race condition, widened the race window, and caused a slab use-after-free. The researcher also outlines the further exploitation strategy for getting the root privileges.
Slides by Jean-Baptiste Cayrou about analyzing an inode locking issue in the shiftfs filesystem in Ubuntu.
The presenter focuses on how they turned the locking issue into a race condition, widened the race window, and caused a slab use-after-free. The researcher also outlines the further exploitation strategy for getting the root privileges.
👍6🔥2
RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections
A paper by Kyle Zeng et al. about techniques for saving controlled data on the kernel stack for exploiting control flow hijacking primitives.
The paper also gives an overview of the previously existing approaches for using controlled data with control flow hijacking primitives and the mitigations that affect them.
The authors also developed a semi-automated framework for turning control flow hijacking crashers into privilege escalation exploits based on their techniques.
A paper by Kyle Zeng et al. about techniques for saving controlled data on the kernel stack for exploiting control flow hijacking primitives.
The paper also gives an overview of the previously existing approaches for using controlled data with control flow hijacking primitives and the mitigations that affect them.
The authors also developed a semi-automated framework for turning control flow hijacking crashers into privilege escalation exploits based on their techniques.
👏8👍3🤔1
Understanding Dirty Pagetable - m0leCon Finals 2023 CTF Writeup
ptr-yudai published a write-up about exploiting a slab use-after-free on the file structure provided in a CTF challenge.
The researcher used a cross-cache attack and the Dirty Pagetable technique to execute a shellcode in the kernel space, which allowed to gain root privileges and escape from nsjail.
ptr-yudai published a write-up about exploiting a slab use-after-free on the file structure provided in a CTF challenge.
The researcher used a cross-cache attack and the Dirty Pagetable technique to execute a shellcode in the kernel space, which allowed to gain root privileges and escape from nsjail.
🔥14