Vulnerability

CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 1/4)

Tue 02 October 2018

The first article covers an in-depth analysis of the CVE/bug, designs an attack scenario and starts implementing a PoC in ring-0 with SystemTap. The core concept section focuses on file/socket related data structures, netlink and reference counters.

Vulnerability

CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 2/4)

Tue 02 October 2018

In the second article, a ring-3 PoC is built by removing the SystemTap script lines one by one. It explains how to find and tailor syscalls to force the kernel into particular code paths, and how to win the race condition unconditionally. The core concept section focuses on the scheduler subsystem (task states and wait queues).

Vulnerability

CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 3/4)

Tue 02 October 2018

The third article covers use-after-free exploitation. Starting from the PoC, it explains what is needed to exploit a UAF in ring-0, how to perform a reallocation of the freed object and how to gain an arbitrary call primitive. The core concept section focuses on the memory management subsystem (SLAB allocator).

Vulnerability

CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 4/4)

Tue 02 October 2018

In the last article, the arbitrary call primitive is used to gain arbitrary code execution in ring-0 while bypassing SMEP. It covers an extensive study of the page fault exception trace, how to find gadgets in the kernel image, and how to design a ROP-chain that finally calls the payload. In the end, it shows how to repair the kernel and gain root privileges. The core concept section focuses on the thread_info structure, the virtual memory layout and netlink's hash tables.
