Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2020-7460: FreeBSD Kernel Privilege Escalation - 251

m00nbsd - ZDI, posted 5 years ago
  • The FreeBSD kernel has a classic time-of-check vs. time-of-use (TOCTOU) vulnerability. The size of a buffer (in userland) is checked prior to heap allocation in kernel space. However, because the size lives in userland, it can be altered between the check and the allocation.
  • The TOCTOU bug described above creates a linear heap-based buffer overflow in the kernel.
  • Finding the race condition is not enough: we also need to know when the race has been won. But how? Ideally by something deterministic rather than guessing.
  • The kernel's copyin function transfers userland memory into kernel memory. To prevent a kernel panic when a bad userland pointer is passed in, it handles the memory fault gracefully and reports a failure instead.
  • Because we control the amount of memory being copied, we can place an unmapped section of memory directly after the bytes we send to the kernel. If the copyin access fails, we know the race was won, because the copy reached the unmapped page. (Not sure about this explanation, but I am trying...)
  • The overflowed kernel buffer is an mbuf. When an mbuf is freed, the kernel calls the function pointer stored in its ext_free field. Having a function pointer to overwrite is very useful for exploitation.
  • Actually getting the corrupted mbuf freed takes quite a bit of trial and error, though: keep performing actions that free mbufs and hope the right one is hit.
  • With the ability to jump anywhere, what is next? It is not as simple as a ROP chain, because the data we control is very limited. Arriving at the following approach took some creativity!
  • First, the current register context is saved in order to restore the kernel execution later.
  • Second, mark the userland pages executable in the page tables; from the kernel's context, userland memory is NOT executable.
  • Third, turn off Supervisor Mode Execution Protection (SMEP) and the other kernel protections. SMEP is what stops the kernel from executing code in userland pages.
  • Finally, jump back to the userland shellcode to escalate privileges. What does the shellcode do? It patches the thread's UID to 0; after that, a call to setuid makes us root!
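To make the first two bullets concrete, here is a constructed C model of the double-fetch bug class and its fix. This is an added example, not code from the ZDI post or from FreeBSD; the struct layout, MAX_LEN and helper names are assumptions. The vulnerable handler re-reads the user-controlled length after checking it, so the copy length can exceed the allocation; the fixed handler validates one kernel-side copy and reuses it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not FreeBSD code): a request header living in "userland"
 * whose length field the kernel handler reads. A racing userland thread can
 * change the field between the kernel's check and its later use. */
struct user_req { uint32_t len; };

#define MAX_LEN 64                               /* assumed bound on the request size */

struct outcome { size_t alloc_size; size_t copy_size; };

/* Stand-in for copyin(9): copy n bytes from user memory into kernel memory. */
static int sim_copyin(const void *uaddr, void *kaddr, size_t n) {
    memcpy(kaddr, uaddr, n);
    return 0;
}

/* Models the second userland thread flipping the size field inside the race window. */
static void racing_writer(struct user_req *u, uint32_t new_len) { u->len = new_len; }

/* Vulnerable pattern: length fetched once for the check and allocation,
 * then fetched again (unchecked) for the copy. */
static struct outcome handle_double_fetch(struct user_req *u, uint32_t race_len) {
    struct outcome o = {0, 0};
    uint32_t len;
    sim_copyin(&u->len, &len, sizeof len);       /* time of check */
    if (len > MAX_LEN) return o;                 /* bound check passes on the small value */
    o.alloc_size = len;                          /* heap buffer sized from the checked value */
    racing_writer(u, race_len);                  /* race window: user memory changes */
    sim_copyin(&u->len, &len, sizeof len);       /* time of use: unchecked re-fetch */
    o.copy_size = len;                           /* copy length no longer matches allocation */
    return o;
}

/* Fixed pattern: fetch once, validate, and reuse only the kernel-side copy. */
static struct outcome handle_single_fetch(struct user_req *u, uint32_t race_len) {
    struct outcome o = {0, 0};
    uint32_t len;
    sim_copyin(&u->len, &len, sizeof len);
    if (len > MAX_LEN) return o;
    o.alloc_size = len;
    racing_writer(u, race_len);                  /* same race, but user memory is not re-read */
    o.copy_size = len;                           /* allocation and copy agree by construction */
    return o;
}

/* True when the copy would write past the allocated buffer. */
static int overflows(struct outcome o) { return o.copy_size > o.alloc_size; }
```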