Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Serenity OS Priv Escalation in PTrace #2- 360

AllesCTF Team, posted 5 years ago
  • SerenityOS is a free and open source operating system created by Andreas Kling. It is designed to be a Unix-like operating system that draws inspiration from the graphical user interface of the 1990s.
  • This vulnerability was found as part of a CTF challenge! It is an issue with ptrace (the second ptrace issue in the CTF).
  • The vulnerability lies in the fact that the eflags register carries privilege-related metadata for the process, including the I/O privilege level (IOPL). By having arbitrary write access to it via ptrace, it is possible to raise a process's I/O privilege (ring) level. This can be exploited using ptrace and sigreturn.
  • With the ability to act at ring 0, you can add kernel drivers directly and do whatever you want. In the CTF, this was done in order to read the flag from the hard drive directly.
  • The fix is to mask the values that may be written to the eflags register down to an allowed set. Additionally, a sanity check is added in multiple locations, including the general syscall handler, to ensure that a running process does not have the IOPL (I/O privilege level) set. Defense in depth is always helpful.
  • An analysis by the main author of SerenityOS can be found here. For those who are curious, the validation for this takes place
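To make the fix described above concrete, here is an added example (mine, not code from the AllesCTF writeup or from SerenityOS) of the two defensive pieces the summary mentions: masking an untrusted eflags value so that only user-changeable bits are taken from it, and a sanity check of the kind a syscall entry path can run to confirm no user process has a non-zero IOPL. The bit positions are the architectural x86 EFLAGS layout; the choice of which bits count as "user-changeable" is an assumed policy for this example, not the project's actual mask.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86 EFLAGS bit positions. */
#define EFLAGS_CF   (1u << 0)   /* carry */
#define EFLAGS_PF   (1u << 2)   /* parity */
#define EFLAGS_AF   (1u << 4)   /* adjust */
#define EFLAGS_ZF   (1u << 6)   /* zero */
#define EFLAGS_SF   (1u << 7)   /* sign */
#define EFLAGS_TF   (1u << 8)   /* single-step trap */
#define EFLAGS_IF   (1u << 9)   /* interrupt enable (kernel-owned) */
#define EFLAGS_DF   (1u << 10)  /* direction */
#define EFLAGS_OF   (1u << 11)  /* overflow */
#define EFLAGS_IOPL (3u << 12)  /* two-bit I/O privilege level (kernel-owned) */
#define EFLAGS_NT   (1u << 14)  /* nested task (kernel-owned) */
#define EFLAGS_RF   (1u << 16)  /* resume */
#define EFLAGS_VM   (1u << 17)  /* virtual-8086 mode (kernel-owned) */
#define EFLAGS_AC   (1u << 18)  /* alignment check */

/* Assumed policy: bits a debugger or a restored signal frame may change.
 * Everything not listed here (IOPL, IF, VM, NT, ...) stays under kernel control. */
#define EFLAGS_USER_MASK (EFLAGS_CF | EFLAGS_PF | EFLAGS_AF | EFLAGS_ZF | EFLAGS_SF | \
                          EFLAGS_TF | EFLAGS_DF | EFLAGS_OF | EFLAGS_RF | EFLAGS_AC)

/* The masking fix: user-changeable bits come from the untrusted request,
 * kernel-owned bits are carried over from the process's current EFLAGS.
 * Use this wherever ptrace or sigreturn writes a saved eflags value. */
uint32_t sanitize_eflags(uint32_t current, uint32_t requested)
{
    return (current & ~EFLAGS_USER_MASK) | (requested & EFLAGS_USER_MASK);
}

/* Defense in depth: a user-mode process must never be observed with a
 * non-zero IOPL or with VM set. A syscall handler can run this on entry
 * and treat a failure as a kernel bug to log and kill the process. */
bool eflags_is_sane_for_user(uint32_t eflags)
{
    return (eflags & EFLAGS_IOPL) == 0 && (eflags & EFLAGS_VM) == 0;
}

/* Extract the IOPL field (0..3) for diagnostics. */
unsigned eflags_iopl(uint32_t eflags)
{
    return (eflags >> 12) & 3u;
}

int main(void)
{
    /* Constructed values: a normal user process has IF set and the
     * always-one reserved bit 1 set, with IOPL = 0. */
    uint32_t current = EFLAGS_IF | 0x2u;              /* 0x202 */
    /* Constructed hostile request: IOPL = 3 plus a harmless ZF change. */
    uint32_t requested = EFLAGS_IOPL | EFLAGS_ZF;     /* 0x3040 */

    uint32_t unchecked = requested;                   /* what a naive handler stores */
    uint32_t checked = sanitize_eflags(current, requested);

    printf("unchecked: 0x%08x IOPL=%u sane=%d\n", unchecked,
           eflags_iopl(unchecked), eflags_is_sane_for_user(unchecked));
    printf("checked:   0x%08x IOPL=%u sane=%d\n", checked,
           eflags_iopl(checked), eflags_is_sane_for_user(checked));
    return 0;
}
```

The sanitizer deliberately keeps IF from the current value rather than from the request, so a debugger cannot disable interrupts for the tracee either; the separate `eflags_is_sane_for_user` check is the "multiple locations" part of the fix, catching any future path that forgets to call the sanitizer.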