Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

SerenityOS Exploit Analysis on CVE-2019-20172- 362

Andreas Kling, posted 5 years ago
  • SerenityOS is a free and open source operating system created by Andreas Kling. It is a Unix-like system whose graphical user interface draws inspiration from the 1990s. The bug was found during a CTF in 2019.
  • When a syscall receives a pointer argument, SerenityOS attempts to validate the memory it points to. If the range is not properly mapped, the syscall should fail with EFAULT.
  • The issue is that this validation allows too much. Instead of checking only that the range is mapped in the calling process's userspace, it also accepts valid pointers into kernel space. Any syscall that copies data to or from a user-supplied pointer therefore becomes an arbitrary kernel read/write primitive.
  • Additionally, dmesg (the kernel debug log) prints kernel stack addresses. At this point we have a kernel stack address leak and an arbitrary read/write primitive into the kernel, which is plenty to work with.
  • To exploit this, the author forks into two processes. The child process goes to sleep, so it sits blocked inside the kernel while the parent works. The parent reads dmesg until it finds the child's kernel stack address, then uses the arbitrary write primitive to overwrite the return address on the child's kernel stack.
  • That return address is redirected into the userspace program, which a kernel return should never be able to do. When the child wakes up, it runs that userspace code in ring 0 with access to every kernel-level function. To solve the challenge, the author loads a block device and reads from it.
  • The fix makes the address validation reject kernel pointers, so only userspace pointers are accepted. Additionally, a check was added so that writes are only permitted when the target region carries the expected user-accessible mask.
  • For the dmesg leak, SerenityOS made a few changes. First, running dmesg now requires root. Furthermore, the author is working to find all kernel address leaks in dmesg and remove them. However, addresses are useful for debugging, so as root you can probably still leak kernel-space addresses.
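To make the bug class concrete, here is an added example (my own toy model, not SerenityOS code) of the two validation policies side by side: a vulnerable check that only asks "is this range mapped at all?" and a hardened one that refuses anything at or above the kernel boundary and requires user-accessible pages. The region layout, `KERNEL_BASE`, the flag names, and the 3G/1G split are all assumptions; the sample addresses in `main` are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of syscall pointer validation on a 32-bit kernel with the
 * upper 1 GiB reserved for the kernel (assumed 3G/1G split). This is an
 * illustrative example, not SerenityOS code; the region layout and flag
 * names are assumptions made for the demo.
 */
#define KERNEL_BASE   0xC0000000u
#define PAGE_SIZE     4096u
#define REGION_USER   0x1u   /* page is marked user-accessible */
#define REGION_WRITE  0x2u   /* page is writable */

struct region {
    uint32_t base;
    uint32_t size;
    uint32_t flags;
};

/* Constructed address space for one process: program data, its stack,
 * and the kernel's own mapping, which every process address space carries. */
static const struct region g_regions[] = {
    { 0x08048000u, 0x00010000u, REGION_USER | REGION_WRITE }, /* user data    */
    { 0xBFF00000u, 0x00100000u, REGION_USER | REGION_WRITE }, /* user stack   */
    { KERNEL_BASE, 0x00400000u, REGION_WRITE },               /* kernel image */
};

static const struct region* find_region(uint32_t addr)
{
    for (size_t i = 0; i < sizeof g_regions / sizeof g_regions[0]; ++i) {
        const struct region* r = &g_regions[i];
        if (addr >= r->base && addr - r->base < r->size)
            return r;
    }
    return NULL;
}

/* Shared page walk: every page in [addr, addr+size) must be mapped and
 * carry all bits in `required`. Rejects ranges that wrap past 4 GiB. */
static bool pages_have_flags(uint32_t addr, uint32_t size, uint32_t required)
{
    if (size == 0)
        return true;
    uint32_t end = addr + size - 1;
    if (end < addr)                 /* arithmetic wraparound */
        return false;
    for (uint32_t page = addr / PAGE_SIZE; page <= end / PAGE_SIZE; ++page) {
        const struct region* r = find_region(page * PAGE_SIZE);
        if (r == NULL || (r->flags & required) != required)
            return false;
    }
    return true;
}

/* The bug class from the writeup: "is this range mapped in the current
 * address space?" The kernel image is mapped too, so a kernel pointer
 * passes and the syscall becomes an arbitrary kernel read/write. */
bool validate_write_vulnerable(uint32_t addr, uint32_t size)
{
    return pages_have_flags(addr, size, REGION_WRITE);
}

/* Hardened form: anything touching KERNEL_BASE or above is refused outright,
 * and the pages must be both user-accessible and writable. */
bool validate_write_fixed(uint32_t addr, uint32_t size)
{
    if (size == 0)
        return true;
    uint32_t end = addr + size - 1;
    if (end < addr || addr >= KERNEL_BASE || end >= KERNEL_BASE)
        return false;
    return pages_have_flags(addr, size, REGION_USER | REGION_WRITE);
}

int main(void)
{
    /* Constructed sample pointers a syscall might receive. */
    struct { const char* what; uint32_t addr; uint32_t size; } cases[] = {
        { "user buffer",                     0x08048100u, 64    },
        { "kernel pointer",                  0xC0001000u, 64    },
        { "user range crossing into kernel", 0xBFFFFF00u, 0x200 },
        { "range wrapping past 4 GiB",       0xFFFFFFF0u, 0x20  },
        { "unmapped user address",           0x00001000u, 16    },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; ++i)
        printf("%-34s vulnerable=%d fixed=%d\n", cases[i].what,
               (int)validate_write_vulnerable(cases[i].addr, cases[i].size),
               (int)validate_write_fixed(cases[i].addr, cases[i].size));
    return 0;
}
```

The page walk matters as much as the boundary test: a buffer that starts in the user stack and runs into the kernel mapping is accepted by the vulnerable check because every page is "mapped", which is exactly how a kernel pointer smuggled through a syscall argument turns into the read/write primitive the writeup uses.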