Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 26 Aug 2021 13:54:28 +0300
From: Alexander Popov <>
To: Adam Zabrocki <>, Solar Designer <>,
Subject: Re: Attacking LKRG v0.9.1

On 03.07.2021 02:42, Alexander Popov wrote:
> Hello!
> In April I published the article "Four Bytes of Power: Exploiting CVE-2021-26708
> in the Linux kernel" [1], where I explained how to exploit it for local
> privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and SMAP.
> Then I improved my PoC exploit to bypass the LKRG protection. I've already
> disclosed the details of my experiments to Adam Zabrocki and Solar Designer. And
> in this public email, I'll shortly describe the LKRG weaknesses that must be fixed.
> I see two functions in LKRG that are critical for its security functionality:
>   1. p_cmp_creds()
>   2. p_check_integrity()
> Patching the code of these functions makes LKRG helpless; it can't detect
> illegal elevation of privileges and kernel code modification.
> Moreover, lkrg.hide is set to 0 by default, which allows attackers to find these
> LKRG functions easily using kallsyms_lookup_name().
> On one hand, hiding the LKRG module can make the attacks against the LKRG code
> harder. On other hand, hiding the LKRG module might make system administration
> harder as well. Hidden LKRG looks like a typical kernel rootkit :)
> Maybe the public discussion in this mailing list will help to find a compromise
> and remove my attack vectors. I will tell all the details about my experiments
> with LKRG at the ZeroNights conference in August [2].
> [1]:
> [2]:


I've published the detailed article about my attack:

Best regards,

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.