From Collision To Exploitation:Unleashing Use-After-Free Vulnerabilities in Linux Kernel

Introduction

This paper was published in CCS 2015. With the introduction of the various mitigation deployed in the user space, especially sandbox, the vulnerability in the linux kernel has become a target of the attacker. However, the memory space in the kernel is hard to predict since the kernel space are used by various tasks. In this paper, the author introduces a much stabler way to put desired vulnerable target into kernel memory space by exploiting a use-after-free in linux kernel.
Continue reading “From Collision To Exploitation:Unleashing Use-After-Free Vulnerabilities in Linux Kernel”

Linux Kernel Exploitation Part 2: Buddy Allocator and SLUB Allocator

Introduction

I will continue to talk about the exploitation of CVE-2017-7308. In this post, I will discuss the implementation details of buddy allocator and SLUB allocator in Linux-4.10.6. I will show how to put the victim object (struct packet_sock in this post) next adjacent to the vulnerable buffer (packet rv_ring buffer in previous post).
In [3], a general abstraction of Linux Kernel memory management is given as following picture. From the picture, we can find that two types of allocators (slab allocator and buddy allocator) are provided for Linux kernel functions. For both allocators, I will give some debugging info to give a straight view on how those objects are allocated and shaped in memory combined with some explanation on the source code.
Continue reading “Linux Kernel Exploitation Part 2: Buddy Allocator and SLUB Allocator”

Linux Kernel Exploitation Part 1: Setting Up Debugging Environment

Introduction

These days I think there is still necessity to write a tutorial series on Linux Kernel exploitation and hope to summarize the kernel exploitation techniques as following:
(1) Kernel Debugging
(2) Return-oriented-Programming in Kernel
(3) Kernel Mitigation: KASLR, SMEP, SMAP
(4) Kernel Space Memory Allocator: SLAB Allocator
In this post, I will introduce how to debug a Linux Kernel via CVE-2017-7308 [1], including setting up debugging environment, root cause analysis and exploit primitive analysis.
Continue reading “Linux Kernel Exploitation Part 1: Setting Up Debugging Environment”

Analysis on CVE-2017-3000

Introduction

In this post, I will introduce CVE-2017-3000, a CVE assigned to us last year. We analyse the weak implementation of the PRNG in Flash Player, which is used for constant blinding in its JIT compiler. We find two methods circumventing the constant blinding. Furthermore, we give a detailed exploitation plan on how to insert desired value into JIT code even if constant blinding is in place as demonstrated on the cover page. In this post, I will give details on the design of the PRNG and full exploit based on CVE-2015-5122.
Continue reading “Analysis on CVE-2017-3000”

Analysis on CVE-2015-5119

Introduction

In this post, I will give a full COOP-like exploit based on CVE-2015-5119 as demonstrated on cover page. This post will contain two parts. The first part is about how to achieve arbitrary read/write primitive in 64-bit Flash. This part is based on [1][2] with some extra my own explanations. The second part is about how to achieve a COOP-like exploit with virtual function gadgets. I will discuss the dispatcher gadget, argument loading gadget and invoking gadget used in the exploit and pop up the calculator in the end. So I will skip the analysis of root cause of the vulnerability and focus on exploit development.
Continue reading “Analysis on CVE-2015-5119”

Analysis on CVE-2016-9079

Introduction

This is a use-after-use vulnerability in the firefox before 50.2 [1]. In this post, the exploit is a routine browser exploitation process. Since exploit [1] is a working exploit on windows platform, I rewrite the exploit to make it work on Linux platform and test some ideas on vtable reuse attacks. I use a chain of multiple virtual function gadgets to change memory protection and open a listening port or popping up calculator. The final exploit can be found on my github repo[3].
Continue reading “Analysis on CVE-2016-9079”