A new approach to exploiting a tricky use-after-free (UAF) vulnerability in the Linux kernel efficiently bypasses modern security mitigations to gain root privileges.
The technique targets CVE-2024-50264, a hard-to-exploit race condition bug in the AF_VSOCK subsystem that was recognized with a Pwnie Award for its complexity. The vulnerability, introduced in Linux v4.8, presents significant challenges for exploitation.
According to Alexander Popov, an unprivileged user can trigger the bug, but it comes with severe limitations, including an unstable race condition, an extremely short time window for memory corruption, and multiple ways for the kernel to crash during the attempt.
The original exploit strategy was highly complex, involving large-scale memory sprays and advanced techniques like SLUBStick and Dirty Pagetable.
Linux Kernel Use-After-Free Vulnerability
Seeking a simpler path, the researcher devised a new approach centered on the msg_msg kernel object. The core of the new method is a technique that allows the corruption of an msg_msg object without causing the kernel to hang.
Typically, a UAF write on this object would fail because a pointer field, m_list.prev, would be non-zero, causing a system hang when the kernel tries to acquire a spinlock.
The researcher's solution involves a clever manipulation of the message queue:
The message queue is filled almost to capacity, leaving only a few bytes of free space.
The exploit then attempts to send the target msg_msg objects. Because the queue is full, the kernel allocates the objects but blocks the msgsnd() system call, forcing it to wait for space.
While the system call is blocked, the UAF is triggered, corrupting fields within the waiting msg_msg object.
Finally, space is freed in the message queue, allowing the blocked system call to resume. The kernel then proceeds to add the corrupted msg_msg object to its queue, conveniently fixing the corrupted list pointers in the process and avoiding a crash.
This approach effectively creates a reliable exploit primitive from a UAF write, even under difficult conditions, without needing a prior kernel info leak.
Bypassing Kernel Defenses
To successfully execute the attack, several other hurdles had to be overcome.
The researcher used a cross-cache attack to replace the freed virtio_vsock_sock object with the msg_msg object, navigating around kernel hardening features like CONFIG_RANDOM_KMALLOC_CACHES. The UAF write also occurred too quickly for this attack to work reliably.
To solve this, a technique was used to slow down the responsible kernel worker by overwhelming it with notifications from timerfd and epoll instances, widening the race window significantly, Alexander said.
This msg_msg corruption was used to achieve an out-of-bounds read, leaking kernel memory that included the address of the process's credentials (struct cred).
With this information, a second UAF was performed against a pipe_buffer object to gain arbitrary address read and write capabilities.
This allowed the attacker to directly modify the process credentials and escalate privileges to root, completing the data-only attack.
The entire exploit development process was refined using kernel-hack-drill, a custom testing environment for experimenting with kernel exploit primitives in a controlled manner.
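As an added example (not code from the article or from the researcher), the following POSIX shell script audits a host for two things the article ties to this bug's exploitability: whether the running kernel was built with CONFIG_RANDOM_KMALLOC_CACHES, the hardening option the exploit had to work around, and whether AF_VSOCK modules are loaded, since the bug lives in that subsystem. It assumes the kernel config is readable at /boot/config-$(uname -r) or /proc/config.gz, and the list of vsock-related module names is an assumption about typical Linux builds, not something the article states.

```shell
#!/bin/sh
# Added defensive audit for the hardening option and subsystem named in the
# article. Not part of the original exploit or write-up.
# Assumptions: kernel config at /boot/config-$(uname -r) or /proc/config.gz;
# the module names below are the usual vsock core and transport modules.

# Succeed (exit 0) when OPTION is set to y or m in the kernel config file CFG.
kconfig_enabled() {
    opt="$1"; cfg="$2"
    grep -Eq "^${opt}=(y|m)$" "$cfg"
}

# Print the path of a readable copy of the running kernel's config, or fail.
find_kconfig() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        printf '%s\n' "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && printf '%s\n' "$tmp"
    else
        return 1
    fi
}

# Print the names of vsock-related modules found in a /proc/modules-style
# listing (first field is the module name); succeed only if at least one matched.
vsock_modules_loaded() {
    modules="$1"
    awk '$1 ~ /^(vsock|vmw_vsock_virtio_transport|vmw_vsock_virtio_transport_common|vhost_vsock|vmw_vsock_vmci_transport|hv_sock)$/ { print $1; n++ }
         END { exit n ? 0 : 1 }' "$modules"
}

# Run both checks against the live host and print a short report.
audit_host() {
    cfg=$(find_kconfig) || { echo "kernel config not found; cannot check hardening options"; cfg=""; }
    if [ -n "$cfg" ]; then
        if kconfig_enabled CONFIG_RANDOM_KMALLOC_CACHES "$cfg"; then
            echo "CONFIG_RANDOM_KMALLOC_CACHES: enabled"
        else
            echo "CONFIG_RANDOM_KMALLOC_CACHES: NOT enabled"
        fi
    fi
    if loaded=$(vsock_modules_loaded /proc/modules); then
        echo "vsock-related modules loaded (AF_VSOCK code reachable):"
        echo "$loaded"
    else
        echo "no vsock-related modules loaded"
    fi
    echo "kernel: $(uname -r); CVE-2024-50264 was introduced in v4.8, check your distribution's advisory for the fixed build"
}

audit_host
```

Run it as root on each host (`sh vsock_audit.sh`); the module check reads /proc/modules, so a kernel with vsock built in rather than modular will need the config checked for CONFIG_VSOCKETS instead, which `kconfig_enabled CONFIG_VSOCKETS "$cfg"` does with the same helper.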