Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 26 Aug 2021 13:36:01 +0100
From: IT Offshore <developer@...offshore.co.uk>
To: lkrg-users@...ts.openwall.com
Subject: Re: Re: Attacking LKRG v0.9.1

To help mitigate this attack in the meantime set:

     kernel.kptr_restrict = 2

(this is the default in linux-hardened)

[~/build]$ sudo grep -w "_text" /proc/kallsyms
0000000000000000 T _text

Stuart.

On 26/08/2021 11:54, Alexander Popov wrote:
> On 03.07.2021 02:42, Alexander Popov wrote:
>> Hello!
>>
>> In April I published the article "Four Bytes of Power: Exploiting CVE-2021-26708
>> in the Linux kernel" [1], where I explained how to exploit it for local
>> privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and SMAP.
>>
>> Then I improved my PoC exploit to bypass the LKRG protection. I've already
>> disclosed the details of my experiments to Adam Zabrocki and Solar Designer. And
>> in this public email, I'll shortly describe the LKRG weaknesses that must be fixed.
>>
>> I see two functions in LKRG that are critical for its security functionality:
>>    1. p_cmp_creds()
>>    2. p_check_integrity()
>> Patching the code of these functions makes LKRG helpless; it can't detect
>> illegal elevation of privileges and kernel code modification.
>>
>> Moreover, lkrg.hide is set to 0 by default, which allows attackers to find these
>> LKRG functions easily using kallsyms_lookup_name().
>>
>> On one hand, hiding the LKRG module can make the attacks against the LKRG code
>> harder. On other hand, hiding the LKRG module might make system administration
>> harder as well. Hidden LKRG looks like a typical kernel rootkit :)
>>
>> Maybe the public discussion in this mailing list will help to find a compromise
>> and remove my attack vectors. I will tell all the details about my experiments
>> with LKRG at the ZeroNights conference in August [2].
>>
>> [1]: https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html
>> [2]:
>> https://zeronights.ru/en/reports-en/improving-the-exploit-for-cve-2021-26708-in-the-linux-kernel-to-bypass-lkrg/
> Hello!
>
> I've published the detailed article about my attack:
> https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html
>
> Best regards,
> Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.