Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 1 Jun 2022 14:55:13 +0200
From: Solar Designer <solar@...nwall.com>
To: tr3e wang <tr3e.wang@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability

Hi,

In context of the recent discussions on linux-distros list policies and
their enforcement, I looked at some of the previously handled issues,
and identified that the below wasn't properly handled/enforced.

tr3e, since you had shared actual exploit code with linux-distros, you
were supposed to post the _code_ to oss-security within 7 days after
your initial public disclosure of the vulnerability.  However, you only
posted "the exploit overview" and promised that "Full exploit code will
be published on github in the near future."  Apparently, the latter
never happened, and it wouldn't have satisfied the requirement anyway.

Please post the same exploit code you had shared with linux-distros to
this thread on oss-security ASAP.  Thank you!

Alexander

On Tue, Jan 18, 2022 at 09:26:43PM +0800, tr3e wang wrote:
> Hi all,
> 
> This post is the exploit overview of CVE-2021-4202.
> 
> We successfully exploited this vulnerability to obtain full root
> privileges on default installations of Ubuntu 20.04.
> 
> *Exploit overview*
> 
> 1. We create a lot of BPF ringbufs, and choose one of them as victim.
>    The BPF_FUNC_ringbuf_reserve allow us to have a pointer A to the
>    beginning of the victim ringbuf's data field.
> 
> 2. We do a pointer subtraction to point back to the victim ringbuf's
>    mask field and overwrite it to 0x80000fff through
> BPF_FUNC_ringbuf_submit.
>    This allows us to do a limited out-of-bounds read/write. If lucky,
>    we can read/write all the fields of the ringbuf behind the victim.
> 
> 3. With the full control over all fields of the ringbuf behind the
>    victim, we can manipulate the ringbuf to achieve a restricted
>    address read/write with side effects in the vmalloc space.
> 
> 4. We spawn many child processes, and use restricted address read to
>    find the address of task_struct and cred in the vmalloc space.
>    After zeroing out the uid/gid/... , full root privileges obtained.
> 
> Full exploit code will be published on github in the near future.
> 
> Regards,
> tr3e

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.