Date: Thu, 21 Feb 2019 04:02:48 +0400
From: Ilya Matveychikov <>
Subject: Re: LKRG 6.0 Exploit Detection bypass

One more ED bypass:
 - (5) LKRG ED bypass by disabling kprobes (patching the kernel)

> On Feb 20, 2019, at 9:43 AM, Ilya Matveychikov <> wrote:
> Hello,
> I’d like to show a few more exploit detection bypass techniques:
> By this commit we have the following list:
> - (1) LKRG ED bypass using UMH and chmod + chown, the very first bypass
> - (2) LKRG ED bypass by overwriting inode->i_{uid,gid,mode} using simple_setattr()
> - (3) LKRG ED bypass by overwriting inode->i_{uid,gid,mode} directly
> - (4) LKRG ED bypass by unlocking "UMH lock down" with LD_PRELOAD
> - LKRG "poor man's CFI" bypass
> (1) and (2) were introduced a few months before.
> (3) is the improvement of (2) which uses the DKOM technique to manipulate the inode
> directly without being detected by the simple_setattr() hook.
> (4) is the bypass of "UMH locking by using a whitelist of programs" which basically
> allows one to use LD_PRELOAD to inject his payload into /sbin/modprobe or similar.
> Since the use of (3) and (4) is locked by the pCFI (poor man's Control Flow Integrity)
> mitigation introduced in LKRG 6.0, I had to add the “rich man’s CFI bypass” which
> wraps calls to all of the listed bypasses with 2 macros which actually fake
> the call stack for the time of exploitation so LKRG could not see this.
> Ilya
