Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

SerenityOS Kernel Hacking Adventures- 408

ABigPickle, posted 5 years ago
  • SerenityOS is a Unix-based hobby OS led by Andreas Kling. Because it is a full OS and still relatively new, people love to look for bugs in it!
  • The vulnerability is a bad bounds check on a variable length array (VLA). The size provided from userspace to the kernel has no sanity check. The memory being written to and read from is checked to ensure it lies in user space, though.
  • VLAs let us dynamically change the size of our stack frame by altering esp directly. This is done by subtracting our value from esp (sub esp, VALUE). The VLA misbehaves when the change is larger than the stack itself!
  • By setting the size to a very large value, we can point esp at an arbitrary location in memory. This is awesome because the next usage of the stack will use the esp left behind by this extremely weird allocation. Because we control the values being written, we can overwrite arbitrary data on the stack for a nice arbitrary write primitive!
  • There is one issue, though: the original size being used will cause a crash that ends the process, removing the ability to use this primitive; this is a common wildcopy problem. So we pass in a very large size for our buffer, but our buffer is not actually that big. This causes the syscall to exit gracefully because the copy hits unmapped memory. This is a good thing, because an exit caused by a userspace fault does not cause a kernel panic.
  • Using this primitive, we can overwrite the stack of other threads within the kernel! The easiest and most reliable target is the kernel stack pointer of another thread that is calling sleep. This lets us always know what will be overwritten and consistently win the race. Once we overwrite the ESP of that stack frame, a ROP chain can be trivially created to become root.
  • I had personally never thought of exploiting VLAs like this before. It requires a very specific circumstance to do but is deadly when done properly.
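The defect behind the whole write-up is a VLA whose size comes from the caller with no upper bound. The added example below is mine, not code from the SerenityOS write-up or from the SerenityOS kernel: it puts a minimal "before" function (size used directly to declare the VLA, exactly the pattern the notes describe) next to a "after" function that rejects sizes the stack cannot hold before the array is ever declared. The function names, the `MAX_VLA_BYTES` bound and the sample input are all made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cap on how much scratch space a request may claim.  A real
 * kernel would derive this from the size of its per-thread kernel stack.
 * Assumed value for the example, not taken from SerenityOS. */
#define MAX_VLA_BYTES 512

/* "Before": the caller-supplied size directly decides the frame size.
 * An oversized value makes the compiler's `sub esp, size` move the stack
 * pointer far outside the stack, which is the bug the notes above describe.
 * Kept here only for contrast; it is only ever called with a sane size. */
static int copy_with_unchecked_vla(const uint8_t *in, size_t size, uint8_t *out)
{
    uint8_t scratch[size];          /* frame grows by `size`, unchecked */
    memcpy(scratch, in, size);
    memcpy(out, scratch, size);
    return 0;
}

/* "After": validate the size before the VLA exists.  The check must come
 * first, because the stack pointer is adjusted at the point of declaration. */
static int copy_with_checked_vla(const uint8_t *in, size_t size, uint8_t *out)
{
    if (size == 0 || size > MAX_VLA_BYTES)
        return -1;                  /* EINVAL-style rejection, nothing touched */
    uint8_t scratch[size];
    memcpy(scratch, in, size);
    memcpy(out, scratch, size);
    return 0;
}

/* Constructed 16-byte "user" payload used by the demos below. */
static const uint8_t sample_payload[16] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};

/* A sane request behaves identically in both versions: returns 0 when
 * both copies succeed and reproduce the payload, otherwise 1. */
static int demo_small_request(void)
{
    uint8_t out_unchecked[16] = {0};
    uint8_t out_checked[16] = {0};

    if (copy_with_unchecked_vla(sample_payload, sizeof sample_payload, out_unchecked) != 0)
        return 1;
    if (copy_with_checked_vla(sample_payload, sizeof sample_payload, out_checked) != 0)
        return 1;
    if (memcmp(out_unchecked, sample_payload, sizeof sample_payload) != 0)
        return 1;
    if (memcmp(out_checked, sample_payload, sizeof sample_payload) != 0)
        return 1;
    return 0;
}

/* An absurd size is refused by the checked version before any stack
 * adjustment happens.  Returns the checked function's result (-1). */
static int demo_oversized_request(void)
{
    uint8_t out[16] = {0};
    /* The payload is only 16 bytes; the claimed size is nowhere near it,
     * the same mismatch the notes describe.  The unchecked version is
     * deliberately not exercised with this value. */
    return copy_with_checked_vla(sample_payload, (size_t)1 << 30, out);
}

int main(void)
{
    printf("small request:     %s\n", demo_small_request() == 0 ? "ok" : "FAILED");
    printf("oversized request: %s\n", demo_oversized_request() == -1 ? "rejected" : "ACCEPTED");
    return 0;
}
```

The point of the contrast is that the two functions are byte-for-byte identical for every size a legitimate caller would ever send; the defect only shows when the size field is attacker-controlled, which is why a cap on any size that feeds a VLA (or a switch to a fixed-size buffer or a heap allocation with a limit) is the fix rather than any check on the destination address alone.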