Android Security Bulletin — April 2021

A use-after-free in the block subsystem; what looks like a side-channel info-leak in ICMP; and a couple of bugs in Qualcomm components, including a bug in sockev netlink driver.

https://source.android.com/security/bulletin/2021-04-01#kernel-components
https://source.android.com/security/bulletin/2021-04-01#qualcomm-components

BleedingTooth: Exploiting Bluetooth RCE in the Linux kernel

BleedingTooth is a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker in short distance to execute arbitrary code with kernel privileges on vulnerable devices.

https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup

Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel

I've published the article about exploiting CVE-2021-26708 for local privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and SMAP.

https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html

PoC exploit demo video: https://www.youtube.com/watch?v=EC8PFOYOUgU

Rust in the Linux kernel

An RFC patch series that adds Rust support to the kernel has been posted. It aims to provide wrappers for the core kernel APIs and allow implementing kernel modules in safe Rust.

The series includes a work-in-progress Rust implementation of the Android binder driver.

See the cover letter for the high-level design outline and the blog post for a deeper explanation of the implementation of an example module.

Cover letter: https://lore.kernel.org/lkml/20210414184604.23473-1-ojeda@kernel.org/
Blog post: https://security.googleblog.com/2021/04/rust-in-linux-kernel.html

Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits

A research about introducing vulnerabilities into the kernel while pretending to fix bugs. The researchers succeeded.

This research was done last year, but subsequent (seemingly unrelated) work by the same authors is now causing a lot of drama in the Linux kernel community.

Paper: https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
Drama: https://twitter.com/gregkh/status/1384785747874656257

A foray into Linux kernel exploitation on Android

An article describing an attempt to exploit the pvrsrvkm driver on an Alcatel 1S 2019.

https://mcyoloswagham.github.io/linux/

Android Security Bulletin — May 2021

A bug in TTY reported by Jann Horn a while ago and a bunch of bugs in Qualcomm drivers as usual.

https://source.android.com/security/bulletin/2021-05-01#kernel-components
https://bugs.chromium.org/p/project-zero/issues/detail?id=2125&can=1&q=linux%20kernel&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&cells=ids&sort=-id
https://source.android.com/security/bulletin/2021-05-01#qualcomm-components

CVE-2021-32606: CAN ISOTP local privilege escalation

Exploiting a race condition in ISOTP CAN sockets.

https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md

Fuzzing the Linux kernel

The talk I gave about Linux kernel fuzzing at PHDays 2021. Roughly the same content as the Linux Foundation Mentorship talk, but organized differently.

Slides: https://docs.google.com/presentation/d/19JaXHFMT-R2le6x-vPKw5D1Cxlw2aLtxHEIDwWBNXCQ/edit?usp=sharing
Video: https://standoff365.com/phdays10/schedule/tech/fuzzing-the-linux-kernel/

Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux Kernel

I've published the video of my talk for Zer0Con 2021: https://m.youtube.com/watch?v=EMcjHfceX44

And I gave this talk in Russian for live audience at PHDays 2021. Video: https://standoff365.com/phdays10/schedule/tech/4-bytes-of-power-exploiting-cve-2021-26708-in-the-linux-kernel

A Nerve-Racking Bug Collision in Samsung's NPU Driver

An exploit write-up by Gyorgy Miru for another bug in the Samsung NPU driver. Unlike the vmalloc-based exploits published by P0 and others, this one relies on a race condition leading to a slab-out-of-bounds write.

https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/

CVE-2021–20226: a reference counting bug which leads to local privilege escalation in io_uring

An article describing a bug in the io_uring subsystem. Improper handling of files_struct references leading to a use-after-free.

https://flattsecurity.medium.com/cve-2021-20226-a-reference-counting-bug-which-leads-to-local-privilege-escalation-in-io-uring-e946bd69177a

An EPYC escape: Case-study of a KVM breakout by Felix Wilhelm

KVM guest-to-host breakout via access to the host MSRs.

https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html?m=1

Linux Kernel Heap Out-Of-Bounds Write in xt_compat_target_from_user()

Very old vulnerability, it can be exploited for LPE. Kernels starting from v2.6.19 are affected.

https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528

KMSAN, a look under the hood

A talk about the internals of KernelMemorySanitizer — a tool that finds uses of uninitialized memory and information leaks. By Alexander Potapenko.

Recording: https://www.youtube.com/watch?v=LNs2U-3m3yg
Slides: https://github.com/ramosian-glider/talks-and-presentations/blob/master/2021/KernelMemorySanitizer_a_look_under_the_hood.pdf

Exploitation of a double free vulnerability in Ubuntu shiftfs driver

A very detailed article by Vincent Dehors. The author describes his exploit for Pwn2Own Vancouver, where he got LPE on Ubuntu Groovy 20.10.

https://www.synacktiv.com/publications/exploitation-of-a-double-free-vulnerability-in-ubuntu-shiftfs-driver-cve-2021-3492.html

CVE-2021-22555: Turning \x00\x00 into 10000$ by Andy Nguyen

CVE-2021-22555 is a 15 years old heap out-of-bounds write vulnerability in Linux Netfilter that is powerful enough to bypass all modern security mitigations and achieve kernel code execution. It was used to break the kubernetes pod isolation of the kCTF cluster and won 10000$.

https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html

Amazingly, Andy independently reinvented the msgsnd() exploitation technique, that I created in January for my CVE-2021-26708 exploit:
https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html

Sequoia: A deep root in Linux's filesystem layer (CVE-2021-33909)

Qualys security advisory about a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer.

By creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.

Report: https://www.openwall.com/lists/oss-security/2021/07/20/1

Kernel Pwning with eBPF: a Love Story by Valentina Palmiotti

The detailed overview of eBPF from the exploit developer's perspective and the analysis of the CVE-2021-3490 exploit for Ubuntu 20.10.

https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story

[BugTales] Da Vinci Hits a Nerve: Exploiting Huawei’s NPU Driver by Gyorgy Miru

A detailed article about exploiting vulnerabilities in the Linux kernel driver for Huawei Neural-network Processing Unit.

https://labs.taszk.io/articles/post/exploiting_huaweis_npu_driver/

Variant analysis of the 'Sequoia' bug

Using CodeQL to rediscover the Sequoia bug recently disclosed by Qualys. As well as finding a few other ones. By Jordy Zomer.

https://pwning.systems/posts/sequoia-variant-analysis/