Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Finding Two 0-Days by Reading Old CVEs

Sagitz, posted 2 years ago
  • Sagitz read about a Linux kernel privilege escalation, CVE-2023-0386, in OverlayFS. When a setuid binary sitting on a nosuid mount was copied up into the overlay's upper directory, its owner and setuid bit were carried over unchecked, so the copy landed as a root-owned setuid binary on a mount that does honor setuid. From there, escalating to root is trivial.
  • The fix adds a check at copy-up that the owner of the file being copied is mapped in the current user namespace. That closes the setuid variant, because a setuid binary only escalates to root when it is owned by root, and an owner that is not mapped in the namespace can no longer be carried across the copy-up.
  • Where there is one bug, there may be several variants, so the researchers asked: is there another way to elevate privileges through the same copy-up? File capabilities are one. They grant a binary specific root-like capabilities (stored in its security.capability xattr) without requiring root ownership, so an ownership check says nothing about them.
  • Swapping a file-capability binary in for the setuid one, the same exploit method worked again, but only on one of the authors' systems. Why? They reversed the search: instead of starting from the bug, they looked for places in the kernel where file capabilities are copied without being converted.
  • That approach turned up a variant of the issue in another place. The vulnerability is so easy to exploit it can be done with a bash script. For more on these bugs, read here.
  • Going from an old CVE to a new bug and then to another new bug was great to see: a really good illustration of how hackers find vulnerabilities and how to use other people's research to propel your own.
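To make the file-capability variant concrete, here is an added example of my own (not code from Sagitz's post or from the kernel): a decoder for the raw security.capability xattr that the kernel stores on a binary, plus a scanner that walks a directory tree and reports the two kinds of file the copy-up bug produces, setuid binaries and capability-bearing binaries. The constant values follow the public uapi header; the CAP_NAMES table is deliberately partial, and demo_scan() builds its own scratch directory with a constructed setuid file so the scanner can be exercised offline.

```python
"""Added example: decode security.capability xattrs and hunt for binaries that
grant privilege through setuid or file capabilities (not code from the post)."""
import os
import stat
import struct

# Field layout of struct vfs_cap_data (include/uapi/linux/capability.h).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000   # one 32-bit permitted/inheritable pair
VFS_CAP_REVISION_2 = 0x02000000   # two pairs, i.e. 64-bit masks
VFS_CAP_REVISION_3 = 0x03000000   # v2 plus a rootid (namespace-scoped caps)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

# Partial table of capability bit numbers; unknown bits print as cap_<n>.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             7: "cap_setuid", 12: "cap_net_admin", 21: "cap_sys_admin"}


def parse_vfs_cap(raw: bytes) -> dict:
    """Decode a raw security.capability value into masks, flag and rootid.

    A v1/v2 blob, or a v3 blob with rootid 0, grants its capabilities on the
    host; a v3 blob with a non-zero rootid only grants them inside user
    namespaces where that kuid is root.  Preserving that distinction is exactly
    what a copy-up that copies the xattr without conversion gets wrong.
    """
    if len(raw) < 4:
        raise ValueError("too short for a vfs_cap_data header")
    magic = struct.unpack_from("<I", raw, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    if rev == VFS_CAP_REVISION_1:
        expect, slots, has_rootid = 12, 1, False
    elif rev == VFS_CAP_REVISION_2:
        expect, slots, has_rootid = 20, 2, False
    elif rev == VFS_CAP_REVISION_3:
        expect, slots, has_rootid = 24, 2, True
    else:
        raise ValueError(f"unknown vfs_cap_data revision 0x{rev:08x}")
    if len(raw) != expect:
        raise ValueError(f"revision {rev >> 24} blob must be {expect} bytes, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(slots):                      # data[i] holds bits 32*i .. 32*i+31
        perm, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= perm << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 20)[0] if has_rootid else 0
    return {"revision": rev >> 24, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}


def cap_names(mask: int) -> list:
    """Expand a 64-bit capability mask into names (cap_<n> for unknown bits)."""
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]


def find_privileged_files(root: str) -> list:
    """Report (path, reason) for regular files that are setuid or carry file caps.

    Pointed at an overlay upperdir this shows what a copy-up actually wrote.
    """
    getxattr = getattr(os, "getxattr", None)     # Linux-only API
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                hits.append((path, "setuid-root" if st.st_uid == 0 else f"setuid uid={st.st_uid}"))
            if getxattr is None:
                continue
            try:
                raw = getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:                      # ENODATA (no caps), ENOTSUP, EACCES
                continue
            caps = parse_vfs_cap(raw)
            scope = "host" if caps["rootid"] == 0 else f"userns-root={caps['rootid']}"
            hits.append((path, f"filecap {','.join(cap_names(caps['permitted']))} ({scope})"))
    return hits


def demo_scan() -> list:
    """Self-check: scan a scratch tree holding one constructed setuid file."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "suspicious")
        with open(target, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(target, 0o4755)                  # setuid bit, owned by the current user
        with open(os.path.join(d, "plain"), "wb") as f:
            f.write(b"nothing to see")
        return [(os.path.basename(p), why) for p, why in find_privileged_files(d)]


if __name__ == "__main__":
    for path, why in demo_scan():
        print(path, why)
```

The scanner deliberately reports the xattr's rootid alongside the capability names: a blob that says userns-root=1000 should never turn into a host-effective one just because a file was copied between layers, and that is the property the second bug in the post violated.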