Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu
An article by Oriol Castejón about exploiting a logical bug in the io_uring subsystem that leads to freed pages being writable through a userspace mapping.
The proposed exploitation approach reclaims the freed pages with a slab filled with file structures for /etc/passwd and modifies them from userspace via the mapping to add a new /etc/passwd entry.
In addition, Yordan Stoychev published an exploit for this bug that uses a different technique.
Your NVMe Had Been Syz’ed: Fuzzing NVMe-oF/TCP Driver for Linux with Syzkaller
An article by Alon Zahavi about externally fuzzing the NVMe-over-TCP packet parsing paths with syzkaller.
The article:
— Introduces syzkaller and syzlang;
— Shows added syzlang descriptions for NVMe-over-TCP fuzzing, including a new pseudo-syscall;
— Explains how remote KCOV was used to collect coverage from the NVMe packet parsing code executed in a background kernel thread;
— Lists found bugs.
Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config
Vegard Nossum posted a PoC backdoor for the Linux kernel that doesn't require changing the kernel source code or any release tarballs.
64 bytes and a ROP chain – A journey through nftables
A two-part article by Davide Ornaghi about finding, analyzing, and exploiting a stack buffer-overflow in the netfilter subsystem from the softirq context.
Davide also gave a talk (slides) about this work at HITB Amsterdam last year.
To Boldly Go Where No Fuzzer Has Gone Before: Finding Bugs in Linux' Wireless Stacks through VirtIO Devices
A paper by Sönke Huster et al. about externally fuzzing the Linux kernel's Wi-Fi and Bluetooth stacks.
The implemented VirtFuzz fuzzer injects Wi-Fi and Bluetooth frames into the kernel through QEMU via a custom VirtIO-based device. The fuzzer also collects coverage via KCOV-based annotations and exposes it to the host via QEMU's shared memory device to guide the fuzzing process.
A Bug Hunter's Reflections on Fuzzing
Alexander Popov (me) shared the video and slides of the HITBxPHDays talk, where he describes what is special in fuzzing for vulnerability discovery and how to adapt the syzkaller kernel fuzzer for security research.
Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938
An article by Zi Fan Tan, Gulshan Singh, and Eugene Rodionov about exploiting a vulnerability in the Android Binder device driver that leads to a slab use-after-free.
Zi and Eugene also gave a talk (slides) about this work at OffensiveCon last month. There, they also shared the details about finding this vulnerability with a custom Linux Kernel Library–based fuzzer.
Driving forward in Android drivers
An article by Seth Jenkins about exploiting a race condition in the MediaTek mtk_jpeg driver that leads to a variety of memory corruption side-effects.
The described data-only exploit leverages the bug to get a use-after-free on a dmabuf file structure and then gets an arbitrary read/write primitive to disable SELinux and gain root on Asus ROG 6D.
In the exploit, Seth deliberately avoided using the cross-cache techniques, as these might soon get mitigated by SLAB_VIRTUAL.
The article also covers:
— Approaches to discovering device drivers accessible to unprivileged users on Android;
— Using the MediaTek GED (GPU Extension Device) driver to gain extremely powerful slab memory control primitives.
ZDI-24-821: A Remote UAF in The Kernel's net/tipc
An article by Sam Page describing a slab use-after-free in the TIPC networking stack that can be triggered by both local and remote attackers.
Linux Kernel: Vulnerability in the eBPF verifier register limit tracking
An exploitable vulnerability in eBPF announced by JJ. Requires the CAP_BPF capability to trigger. Found with buzzer.
Virtual Escape; Real Reward: Introducing Google’s kvmCTF
Google started a vulnerability reward program for the Kernel-based Virtual Machine (KVM) hypervisor focused on zero-day bugs.
SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel
A paper by Lukas Maar, Stefan Gast, et al. about exploiting slab memory corruptions via a cross-allocator slab-to-page attack targeting user page tables.
The paper covers:
— Using a timing side-channel to make sure that all objects in a slab are under the exploit's control to increase the success chance of executing a cross-cache or a cross-allocator attack;
— Converting limited slab memory corruptions to a stronger slab use-after-free write primitive;
— Using a single-shot slab use-after-free write to gain control over user page tables and thus obtain physical memory arbitrary read/write.
Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
A talk and an article by Robert Herrera and Alex Plaskett about remotely exploiting a bug in the Wi-Fi driver of the Sonos One smart speaker.
PageJack: A Powerful Exploit Technique With Page-Level UAF
A talk, a summary article, and a related paper by Zhiyun Qian et al. about overwriting slab objects containing a struct page * field to achieve arbitrary read/write in physical memory.
The authors also shared a set of exploits that uses the described technique.
CVE-2022-22265: Samsung NPU driver
An article by Javier P Rufo about exploiting a slab double-free in Samsung's NPU driver via the Dirty Pagetable technique.
Ongoing slab hardening efforts
Recently, there have been multiple efforts to make the exploitation of slab memory corruptions harder.
1️⃣ RANDOM_KMALLOC_CACHES by Ruiqi Gong; merged in v6.6; enabled in Ubuntu 24.04; LWN article
This feature creates 16 instances of each normal kmalloc cache and makes kmalloc randomly pick one of them based on the code location of the kmalloc call.
2️⃣ SLAB_BUCKETS by Kees Cook; merged in v6.11; LWN article
It allows putting specific dynamically-sized allocations into separate caches called buckets. This requires annotating allocation sites. This feature is intended to be used for user-controllable allocations. So far, only msg_msg and v/memdup_user allocations are annotated.
3️⃣ SLAB_PER_SITE by Kees Cook; under discussion; LWN article
This patchset creates a set of buckets for each kmalloc call site without manual annotations.
4️⃣ SLAB_VIRTUAL by Jann Horn and Matteo Rizzo; under discussion; documentation
It mitigates cross-cache attacks by making the slab allocator use a unique virtual memory address range for each cache for allocating slabs.
GPUAF: Using a general GPU exploit tech to attack Pixel 8
A talk by Pan Zhenpeng and Jheng Bing Jhong about leveraging an integer overflow bug in the Mali GPU driver to gain use-after-free access to physical pages, fake GPU page tables, and escalate privileges on Pixel 8.