Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Serenity OS Privilege Escalation via a Race Condition - 344

HXP CTF Team, posted 5 years ago
  • SerenityOS is a free and open source operating system created by Andreas Kling. It is designed to be a Unix-like operating system that draws inspiration from the graphical user interface of the 1990s.
  • There is a race condition between setting up a new process and changing the UID on a SETUID binary. By using a well-timed call to the Ptrace API, it is possible to overwrite part of the executable being spawned, prior to the UID check occurring.
  • To make the race more winnable, there is an action (unveil) that runs after the call to execve but before the UID check is made. By invoking this action many times, the race window is widened and the race becomes far more winnable.
  • With the ability to write to this memory via Ptrace, you simply write code into the process. However, the code needs to be small, since the API only writes a small number of bytes per call. So the author wrote shellcode that runs setuid(0) to escalate privileges to root, then pops a shell by running execve("/bin/sh") with parameters passed in via argv.
  • In the analysis of the bug, the author of the OS states that the issue arises because the program is loaded first and THEN the process ID is changed to make it a setuid program.
  • To patch this, the setuid state of the program is set before the program is loaded. At that point (once setuid has been set for the program), the original credentials are committed, making it impossible to use the ptrace API. Additionally, the loader is now mapped at a random address in memory, so that an attacker would also need a memory leak.
  • It is cool to see OS issues in a less mature operating system. The issues in modern-day Linux are complex and harder to understand for someone not deeply involved in the space. This issue makes sense and did not take an expert to follow. A similar issue once existed in Linux with loading kernel modules!
  • After the fact, several videos were released about this too.
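The ordering bug and its fix, as an added model written for these notes (not SerenityOS kernel code): the "tracer" writes one word at a time into the target image, and the model rule is that a write is refused once the target's credentials have been committed to a different uid. The vulnerable exec loads the image and only then changes credentials, so the tracer wins; the patched exec commits credentials first, so the same write is denied.

```c
/* Illustrative model of the exec/setuid race; all names and rules are
 * assumptions of this example, not SerenityOS kernel internals. */
#include <stdbool.h>
#include <string.h>

#define WORD 4                     /* model: ptrace pokes one word at a time */

typedef struct {
    unsigned euid;                 /* effective uid the tracer is checked against */
    bool     creds_committed;      /* set once the setuid credentials are applied */
    char     image[64];            /* stand-in for the loaded executable text */
} proc_t;

/* One ptrace-style word write. Model rule: a tracer may only write while the
 * target still runs under the tracer's own uid. Returns false if denied. */
static bool ptrace_poke_word(proc_t *p, unsigned tracer_euid, size_t off, const char *w) {
    if (p->creds_committed && p->euid != tracer_euid) return false;
    if (off + WORD > sizeof p->image) return false;
    memcpy(p->image + off, w, WORD);
    return true;
}

/* The racing tracer: copies its payload word by word into the target image. */
static bool tracer_overwrite(proc_t *p, unsigned tracer_euid, const char *payload) {
    size_t len = strlen(payload);
    for (size_t off = 0; off < len; off += WORD) {
        char w[WORD] = {0};
        size_t n = (len - off < WORD) ? len - off : WORD;
        memcpy(w, payload + off, n);
        if (!ptrace_poke_word(p, tracer_euid, off, w)) return false;
    }
    return true;
}

/* Vulnerable ordering from the write-up: image loaded first, credentials
 * changed afterwards, so the tracer gets a window in between. */
static bool exec_setuid_vulnerable(proc_t *p, unsigned tracer_euid) {
    p->euid = tracer_euid; p->creds_committed = false;
    strcpy(p->image, "ORIGINAL-SETUID-BINARY-TEXT-----");   /* constructed image */
    bool won = tracer_overwrite(p, tracer_euid, "INJECTED-CODE---");  /* race window */
    p->euid = 0; p->creds_committed = true;                /* applied too late */
    return won;                                            /* true: attacker wins */
}

/* Patched ordering: commit the new credentials before loading, so any later
 * tracer write fails the credential check. */
static bool exec_setuid_fixed(proc_t *p, unsigned tracer_euid) {
    p->euid = 0; p->creds_committed = true;
    strcpy(p->image, "ORIGINAL-SETUID-BINARY-TEXT-----");
    return tracer_overwrite(p, tracer_euid, "INJECTED-CODE---");
}
```

The randomised loader address from the patch is not modelled here; it only raises the bar further once the ordering fix has closed the window.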