Exploit Methods/Kernel location
Latest revision as of 22:55, 4 November 2015
Details
Finding where the kernel is loaded in memory is often a necessary first step in exploitation. Without a reliable kernel base or symbol address, an exploit cannot redirect control flow into kernel functions (for example, the credential-manipulation routines typically called for privilege escalation) or locate the kernel data it needs to overwrite. Besides the kernel image itself, many other addresses (loaded modules, kernel data structures) may be valuable to an attacker. See Kernel pointer leaks for more information.
Examples
- See the Kernel pointer leaks examples
- /proc/kallsyms lists every kernel symbol with its address, and /proc/modules lists each loaded module with its load address; both are world-readable by default unless the kernel is configured to hide the addresses (e.g. via kptr_restrict), in which case they read as zero for unprivileged callers
- ksymhunter: a tool that hunts for symbol addresses in whatever sources are available (/proc/kallsyms, System.map, vmlinux and other on-disk copies of the kernel image), so hiding a single source is not enough if the image itself is readable
Mitigations
- hide symbols and kernel pointers (see Kernel pointer leaks): restrict /proc/kallsyms and /proc/modules and print kernel pointers as zero for unprivileged callers
- kernel ASLR (https://git.kernel.org/linus/8ab3820fd5b2896d66da7bb2a906bc382e63e7bc): randomizes the kernel's load address at boot; note that a single leaked kernel text address is enough to recover the slide for the whole image
- runtime randomization of kernel functions: finer-grained than base randomization, so one leaked address does not reveal the location of every other function
- executable-but-not-readable memory: even with an arbitrary read primitive, kernel text cannot be read to find gadgets or function addresses
- per-build structure layout randomization (e.g. GRKERNSEC_RANDSTRUCT): field offsets inside kernel structures differ per build, so an exploit cannot rely on known offsets once it has located the kernel
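The following is an added example, not code from the original wiki page or from any of the tools it names. It ties the Examples above (reading /proc/kallsyms and /proc/modules) to the first two Mitigations (hidden pointers and kernel ASLR): it parses kallsyms- and modules-format text, detects the case where the kernel has zeroed the addresses (the kptr_restrict mitigation), and, where _text is visible, recovers the KASLR slide so that addresses from an unrandomized System.map can be rebased. The input listings are constructed samples embedded in the code, and the unrandomized x86_64 _text address used as the reference point is an assumption of this example; in practice it is taken from the System.map that matches the running kernel.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in /proc/kallsyms format ("<addr> <type> <name> [module]"),
 * as an unprivileged reader would see it with addresses unrestricted on a KASLR kernel. */
static const char sample_kallsyms[] =
    "ffffffff9a000000 T _text\n"
    "ffffffff9a0a4c20 T commit_creds\n"
    "ffffffff9a0a4fd0 T prepare_kernel_cred\n"
    "ffffffffc059f020 t example_init\t[nf_example]\n";

/* Constructed sample of the same listing with pointer hiding in effect for this
 * caller: symbols are still listed, but every address reads as zero. */
static const char restricted_kallsyms[] =
    "0000000000000000 T _text\n"
    "0000000000000000 T commit_creds\n";

/* Constructed sample in /proc/modules format:
 * "<name> <size> <refcount> <deps> <state> <load address>". */
static const char sample_modules[] =
    "nf_example 16384 0 - Live 0xffffffffc059f000\n"
    "other_mod 20480 1 nf_example, Live 0xffffffffc05a4000\n";

/* Assumed unrandomized x86_64 _text address (default virtual base plus
 * CONFIG_PHYSICAL_START=0x1000000). Real use: read it from the matching System.map. */
#define UNRANDOMIZED_TEXT 0xffffffff81000000ULL

/* Copy the line starting at `pos` into `out`; return the start of the next line,
 * or NULL when the text is exhausted. */
static const char *next_line(const char *pos, char *out, size_t outsz) {
    if (!pos || !*pos) return NULL;
    const char *nl = strchr(pos, '\n');
    size_t len = nl ? (size_t)(nl - pos) : strlen(pos);
    if (len >= outsz) len = outsz - 1;
    memcpy(out, pos, len);
    out[len] = '\0';
    return nl ? nl + 1 : pos + strlen(pos);
}

/* Resolve `name` in kallsyms-format text. Returns 1 and sets *addr on success,
 * 0 if the symbol is absent, -1 if it is listed but its address is hidden (zero). */
int kallsyms_lookup(const char *text, const char *name, uint64_t *addr) {
    char line[256];
    const char *pos = text;
    while ((pos = next_line(pos, line, sizeof line)) != NULL) {
        char *save;
        char *a = strtok_r(line, " \t", &save);
        char *t = strtok_r(NULL, " \t", &save);
        char *n = strtok_r(NULL, " \t", &save);
        if (!a || !t || !n || strcmp(n, name) != 0) continue;
        uint64_t v = strtoull(a, NULL, 16);
        if (v == 0) return -1;        /* mitigation in effect: pointer zeroed */
        *addr = v;
        return 1;
    }
    return 0;
}

/* Load address of `modname` from /proc/modules-format text (the last field);
 * returns 0 if the module is not listed or its address is hidden. */
uint64_t module_base(const char *text, const char *modname) {
    char line[256];
    const char *pos = text;
    while ((pos = next_line(pos, line, sizeof line)) != NULL) {
        char *save;
        char *n = strtok_r(line, " ", &save);
        if (!n || strcmp(n, modname) != 0) continue;
        char *last = NULL, *tok;
        while ((tok = strtok_r(NULL, " ", &save)) != NULL) last = tok;
        return last ? strtoull(last, NULL, 16) : 0;   /* base 16 accepts the 0x prefix */
    }
    return 0;
}

/* KASLR slide: observed _text minus its unrandomized address.
 * Returns 1 and sets *slide, or 0 if _text is absent or hidden. */
int kaslr_slide(const char *kallsyms, int64_t *slide) {
    uint64_t text;
    if (kallsyms_lookup(kallsyms, "_text", &text) != 1) return 0;
    *slide = (int64_t)(text - UNRANDOMIZED_TEXT);
    return 1;
}

/* Rebase an address taken from the unrandomized System.map onto the running kernel. */
uint64_t rebase(uint64_t sysmap_addr, int64_t slide) {
    return sysmap_addr + (uint64_t)slide;
}

int main(void) {
    uint64_t a = 0;
    int64_t slide = 0;
    if (kaslr_slide(sample_kallsyms, &slide))
        printf("KASLR slide: 0x%llx\n", (unsigned long long)slide);
    if (kallsyms_lookup(sample_kallsyms, "commit_creds", &a) == 1)
        printf("commit_creds at 0x%llx\n", (unsigned long long)a);
    if (kallsyms_lookup(restricted_kallsyms, "commit_creds", &a) == -1)
        puts("restricted view: symbol listed but address hidden");
    printf("nf_example base: 0x%llx\n",
           (unsigned long long)module_base(sample_modules, "nf_example"));
    return 0;
}
```

Two points the parser makes explicit: when pointer hiding is on, the symbol names are still present and only the addresses are zeroed, so a tool must treat an all-zero address as "hidden" rather than as a valid result (the same applies to the address field of /proc/modules); and the slide recovered from _text applies to the kernel image only, since module load addresses are assigned separately and must be read from /proc/modules or leaked on their own.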