Exploit Methods/Userspace data usage

From Linux Kernel Security Subsystem

Revision as of 21:40, 17 November 2015

Details

Sometimes an attacker won't be able to control the instruction pointer directly, but they will be able to redirect the dereference of a structure or other pointer. In these cases, it is easiest to aim at malicious structures that have been built in userspace to perform the exploitation.

Examples

  • cred structure: https://github.com/geekben/towelroot/blob/master/towelroot.c
  • fake kernel stack: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
  • Bad casts: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=176155dac13f528e0a58c14dc322623219365d91

Mitigations

  • hardware segmentation: SMAP (x86), PAN (arm, arm64), Domains (arm)
  • emulate memory segmentation via separate page tables (e.g. PAX_UDEREF)
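The mitigations above only help when the CPU supports them, the kernel was built with them, and nobody switched them off at boot. The following script, added here as an example and not part of the wiki page or of any kernel tool, checks those three conditions from the text of /proc/cpuinfo, /proc/cmdline and the kernel config. The Kconfig symbols it looks for (CONFIG_X86_SMAP, CONFIG_ARM64_PAN, CONFIG_CPU_SW_DOMAIN_PAN, CONFIG_PAX_UDEREF) and the `nosmap` boot parameter are real; the sample inputs are constructed, and the assumption that a config which never mentions CONFIG_X86_SMAP belongs to a later kernel in which SMAP support is unconditional is labelled in the code.

```python
"""Check whether a Linux host's CPU, kernel build and boot parameters agree
that the userspace-pointer mitigations named on the page (SMAP on x86, PAN on
arm64, domain-based PAN on arm, PaX UDEREF) are in force.  Inputs are plain
text, so the functions run offline on the constructed samples below; on a live
host, feed them /proc/cpuinfo, /proc/cmdline and /proc/config.gz or
/boot/config-$(uname -r)."""

import gzip
import os
import platform
import re


def config_state(config_text, symbol):
    """Return 'y'/'m' if SYMBOL is enabled in a kernel .config, 'n' if it is
    present but unset, and None if the config never mentions it."""
    sym = re.escape(symbol)
    m = re.search(r"^%s=([ym])$" % sym, config_text, re.MULTILINE)
    if m:
        return m.group(1)
    if re.search(r"^# %s is not set$" % sym, config_text, re.MULTILINE):
        return "n"
    return None


def cpu_flags(cpuinfo_text):
    """Return the x86 'flags' set for the first CPU in /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()


def assess(arch, cpuinfo_text, cmdline_text, config_text):
    """Return {mitigation: {check: bool, ..., 'effective': bool}}."""
    params = set(cmdline_text.split())
    checks = {}
    if arch == "x86":
        smap_cfg = config_state(config_text, "CONFIG_X86_SMAP")
        checks["SMAP"] = {
            # The CPU must advertise SMAP ...
            "cpu": "smap" in cpu_flags(cpuinfo_text),
            # ... the kernel must be built with it (assumption: a config that
            # does not mention the symbol at all is a later kernel in which
            # SMAP support is unconditional, so None is accepted as well) ...
            "kernel": smap_cfg in ("y", None),
            # ... and it must not have been disabled at boot with 'nosmap'.
            "boot": "nosmap" not in params,
        }
    elif arch == "arm64":
        # PAN has no /proc/cpuinfo hwcap, so only the kernel build is checked
        # from text here.
        checks["PAN"] = {
            "kernel": config_state(config_text, "CONFIG_ARM64_PAN") == "y"}
    elif arch == "arm":
        checks["Domain PAN"] = {
            "kernel": config_state(config_text, "CONFIG_CPU_SW_DOMAIN_PAN") == "y"}
    # PaX UDEREF is out-of-tree; it only counts when the symbol is set to y.
    checks["PAX_UDEREF"] = {
        "kernel": config_state(config_text, "CONFIG_PAX_UDEREF") == "y"}
    for parts in checks.values():
        parts["effective"] = all(parts.values())
    return checks


def live_inputs():
    """Read the three inputs from the running host (Linux only)."""
    machine = platform.machine()
    arch = {"x86_64": "x86", "i686": "x86", "aarch64": "arm64"}.get(machine)
    if arch is None and machine.startswith("arm"):
        arch = "arm"
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    config = ""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            config = f.read()
    else:
        path = "/boot/config-" + platform.release()
        if os.path.exists(path):
            with open(path) as f:
                config = f.read()
    return arch, cpuinfo, cmdline, config


# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO_X86 = "processor\t: 0\nflags\t\t: fpu vme de pse sse2 smap erms\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n"
SAMPLE_CONFIG_X86 = "CONFIG_X86_SMAP=y\n# CONFIG_PAX_UDEREF is not set\n"
SAMPLE_CONFIG_ARM64 = "CONFIG_ARM64_PAN=y\n"

if __name__ == "__main__":
    for name, parts in assess(*live_inputs()).items():
        print(name, parts)
```

Run it as a script on a Linux host to see every check per mitigation; a mitigation is reported effective only when all of its checks hold, so a CPU that advertises SMAP but was booted with `nosmap` is correctly reported as unprotected.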