Introduction netlink and nf_tables Overview Sets Expressions Set Expressions Stateful Expressions Expressions of Interest nft_lookup nft_dynset nft_connlimit Vulnerability Discovery CVE-2022-32250 Analysis Set Creation Set Deactivation Initial Limited UAF Write Exploitation Building an Initial Plan Offsets We Can Write at Into the UAF Chunk Hunting for Replacement Objects What Pointer Do We Want to Arbitrary Free? … Continue reading SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
Tag: Linux kernel
Some Musings on Common (eBPF) Linux Tracing Bugs
Having been in the game of auditing kprobe-based tracers for the past couple of years, and in light of this upcoming DEF CON on eBPF tracer race conditions (which you should go watch) being given by a friend of mine from the NYU(-Poly) (OSIR)IS(IS) lab, I figured I would wax poetic on some of the … Continue reading Some Musings on Common (eBPF) Linux Tracing Bugs
eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
tl;dr eBPF (extended Berkeley Packet Filter) is slowly taking over as a programmatic way for (generally privileged) users to invoke Linux kernel APIs and performantly execute semi-arbitrary code without having to load it from a custom kernel module. eBPF is a general means to load memory safe restricted code that reduces the risk of crashes, … Continue reading eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
Whitepaper – A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator
by Dan Rosenberg In this paper, we will systematically evaluate the implementation of the Linux kernel SLOB allocator to assess exploitability. We will present new techniques for attacking the SLOB allocator, whose exploitation has not been publicly described. These techniques will apply to exploitation scenarios that become progressively more constrained, starting with an arbitrary length, … Continue reading Whitepaper – A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator