Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023

An article by Tanguy Dubroca about exploiting a stack out-of-bounds bug in the netfilter subsystem (yet again).

The shared exploit gains root privileges on Ubuntu.

CVE-2023-4273: a vulnerability in the Linux exFAT driver

An article by Maxim Suhanov about bypassing the kernel lockdown by exploiting a stack buffer-overflow in the exFAT driver.

Rustproofing Linux

Four-part article describing the vulnerability classes that may exist in the Linux kernel modules written in Rust language.

▪️Part 1 is about leaking kernel addresses

▪️Part 2 describes race conditions

▪️Part 3 discusses integer overflows

▪️Part 4 goes through shared memory bugs

Tickling and unleashing ksmbd

Two articles about fuzzing and remotely exploiting ksmbd — the Linux kernel SMB module — by notselwyn.

The first article describes how the author used syzkaller and KCOV for coverage-guided fuzzing of ksmbd.

The second article demonstrates how to exploit two of the found bugs: a null-pointer-dereference that leads to a DoS and an out-of-bounds read that leads to an info-leak.

Analyzing a Modern In-the-wild Android Exploit

An article by Seth Jenkins about analyzing the kernel privilege escalation stage of an Android exploit detected in the wild.

The analyzed stage used a locking bug in the ALSA subsystem and a poorly designed interface feature of the Mali GPU driver to achieve an arbitrary read/write primitive from the system_server context.

kernel-hardening-checker

My open source tool for checking the security hardening options of the Linux kernel got a new name: kernel-hardening-checker.

Now it supports checking:

1️⃣ Kconfig options (compile-time)
2️⃣ Kernel cmdline arguments (boot-time)
3️⃣ Sysctl parameters (runtime)

Escaping the Google kCTF Container with a Data-Only Exploit

An article by h0mbre about exploiting a use-after-free on struct file in the io_uring subsystem.

The exploit uses a cross-cache attack to reclaim the freed struct file with a pipe buffer, fakes two different file structs to gain arbitrary address read and write, gets root privileges, and escapes the kernelCTF container.

Enable MTE on Pixel 8

Instructions for enabling Memory Tagging Extension for the kernel on Pixel 8 by Kees Cook.

The instructions describe how to enable kernel MTE in the reporting mode. Enabling MTE as a mitigation for kernel memory corruptions requires additionally passing kasan.fault=panic to the kernel command-line as pointed out by Andrey Konovalov.

MTE as a kernel mitigation is still an experimental feature and requires improvements as previously pointed out by Mark Brand.

Exploring Linux's New Random Kmalloc Caches

An article by sam4k about the new CONFIG_RANDOM_KMALLOC_CACHES mitigation.

The article gives an overview of the currently used slab exploitation techniques, provides a deep analysis of the CONFIG_RANDOM_KMALLOC_CACHES implementation, and reasons about how the new mitigation affects the existing techniques.

One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability

Slides by Dongok Kim, SeungHyun Lee, and Insu Yun about exploiting a slab use-after-free in the netfilter subsystem.

The researchers managed to exploit all instances of Google's kernelCTF with the same bug, including the instance with advanced custom mitigations.

This research is also available in text form.

Conquering the memory through io_uring - Analysis of CVE-2023-2598

An article by Yordan Stoychev about exploiting a logical bug in the io_uring subsystem. The bug leads to the out-of-bounds read/write access to the physical memory.

In the shared exploit, the author leaked and corrupted a sock structure to bypass KASLR and spawn a root shell via call_usermodehelper.

Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt

Slides by Jean-Baptiste Cayrou about analyzing an inode locking issue in the shiftfs filesystem in Ubuntu.

The presenter focuses on how they turned the locking issue into a race condition, widened the race window, and caused a slab use-after-free. The researcher also outlines the further exploitation strategy for getting the root privileges.

RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections

A paper by Kyle Zeng et al. about techniques for saving controlled data on the kernel stack for exploiting control flow hijacking primitives.

The paper also gives an overview of the previously existing approaches for using controlled data with control flow hijacking primitives and the mitigations that affect them.

The authors also developed a semi-automated framework for turning control flow hijacking crashers into privilege escalation exploits based on their techniques.

Understanding Dirty Pagetable - m0leCon Finals 2023 CTF Writeup

ptr-yudai published a write-up about exploiting a slab use-after-free on the file structure provided in a CTF challenge.

The researcher used a cross-cache attack and the Dirty Pagetable technique to execute a shellcode in the kernel space, which allowed to gain root privileges and escape from nsjail.

Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability (CVE-2023-6546)

An article by Nassim Asrir about exploiting a race condition that leads to a kmalloc-1k use-after-free in the n_gsm TTY line discipline module.

In the exploit, the researcher overwrote the freed object, gained an arbitrary function call with a controlled argument primitive, and escalated privileges by spawning a userspace process via run_cmd.

The exploit bypasses KASLR by leaking the kernel address from world-readable /sys/kernel/notes. This is a separate vulnerability that still affects up-to-date kernels that enable CONFIG_XEN_PV.

To bypass SMAP, the author used a novel technique of filling the kernfs_pr_cont_buf global variable with controlled data from userspace. The data is supplied as the path to a cgroup filter created via iptables, whose use requires unprivileged user namespaces.

The repository with the exploit also contains a set of noscripts for automatically extracting symbol offsets for Ubuntu, CentOS, and RHEL kernels.

KernelGPT: Enhanced Kernel Fuzzing via Large Language Models

A paper by Chenyuan Yang et. al about using the GPT4 LLM neural network for automatically generating syzkaller denoscriptions.

CodeQL query to find interesting objects for slab exploitation

A CodeQL noscript by Jordy Zomer for finding slab allocations of particular size or type.

Eduardo Vela also made a dynamic dashboard based on this noscript.

Linux is a CNA

Greg Kroah-Hartman announced that the Linux kernel project has been accepted as a CVE Numbering Authority (CNA) for vulnerabilities found in Linux.

In his post, Greg referenced the patch documenting the process of CVE allocation and the mailing list where the announcement are published.

SyzRetrospector: A Large-Scale Retrospective Study of Syzbot

Joseph Bursey, Ardalan Amiri Sani, and Zhiyun Qian published an article analyzing how changes in the Linux kernel and syzkaller influence the ability of syzbot to find bugs.

In the paper, the researchers share the key results of their analysis and offer suggestions on how to improve the syzbot effectiveness.

Mali GPU Kernel LPE

An article by simo about expoiting a kernel pointer leak and an out-of-bounds write bug in the Mali GPU driver.

The shared exploit leverages the pipe_buffer structure to gain arbitrary read/write to disable SELinux and gain root privileges on Pixel 7 and 8 Pro phones.

In the article, the researcher also pointed out the non-transparent and confusing handling of reported vulnerabilities by Google.

Gaining kernel code execution on an MTE-enabled Pixel 8

An article by Man Yue Mo about exploiting a race condition in the JIT memory regions handling code in the Mali GPU driver.

The shared exploit disables SELinux and gains root privileges from the untrusted_app context on Pixel 8.

In the article, the author also pointed out that MTE (Memory Tagging Extension) does not prevent the exploitation of this bug, as invalid memory accesses happen through the GPU coprocessor.