Message-ID: <CA+eGCHa47pnvi376PCQJE-zMaVR_y6WLTK4CyE-yKT87jDZKuA@mail.gmail.com>
Date: Tue, 18 Jan 2022 21:26:43 +0800
From: tr3e wang <tr3e.wang@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability

Hi all,

This post is the exploit overview of CVE-2021-4204.

We successfully exploited this vulnerability to obtain full root
privileges on default installations of Ubuntu 20.04.

*Exploit overview*

1. We create a lot of BPF ringbufs, and choose one of them as the victim.
   BPF_FUNC_ringbuf_reserve allows us to have a pointer A to the
   beginning of the victim ringbuf's data field.

2. We do a pointer subtraction to point back to the victim ringbuf's
   mask field and overwrite it with 0x80000fff through
   BPF_FUNC_ringbuf_submit.
   This allows us to do a limited out-of-bounds read/write. If lucky,
   we can read/write all the fields of the ringbuf behind the victim.

3. With the full control over all fields of the ringbuf behind the
   victim, we can manipulate the ringbuf to achieve a restricted
   address read/write with side effects in the vmalloc space.

4. We spawn many child processes, and use the restricted address read to
   find the addresses of task_struct and cred in the vmalloc space.
   After zeroing out the uid/gid/..., we obtain full root privileges.

Full exploit code will be published on GitHub in the near future.

Regards,
tr3e
