#HITB2022SIN
Recently my team discovered a Linux kernel vulnerability affecting the netlink subsystem. The bug can be exploited by an unprivileged user to escalate to root on systems that allow unprivileged namespace creation, such as Ubuntu. We developed an exploit targeting the latest version of Ubuntu (LTS 22.04). In the talk I will discuss the details of the bug, but mostly focus on the exploitation methods we used to achieve fairly reliable privilege escalation.

The vulnerability is a fairly limited UAF that only allows the write of an uncontrolled pointer into a slab object at an uncontrolled offset. We were able to leverage this to build new, more powerful exploit primitives that allow us to bypass KASLR and execute ROP gadgets in the kernel. We were able to do this by triggering the UAF once to achieve an initial leak primitive and then a second time to trigger a separate UAF. The third UAF allows a more powerful info leak to bypass KASLR and orient ourselves on the heap. Finally, a fourth UAF allows us to call a function pointer that allows us to trigger a ROP gadget.

===

I’ve been working in the industry and interested in exploit development for over 20 years. I currently work for the Exploit Development Group (EDG) at NCC Group. In the past I also worked for BlackBerry and Symantec (previously SecurityFocus). I’ve published previous research blogs on exploiting Xen, Windows kernel, Cisco devices, Android, etc. Lately I’ve been focusing on exploiting embedded devices and the Linux kernel.