Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Linux Kernel /proc/pid/syscall information disclosure vulnerability- 486

Talos, posted 4 years ago
  • The Linux kernel uses a pseudo-filesystem called proc which allows for interfacing with the OS. Each running process is exposed under /proc/<pid>/. The different sub-directories and files share information about the running process, such as registers, memory mappings and other things.
  • The vulnerability exists in the /proc/<pid>/syscall location. This location outputs the register state of a given process. When loading in the registers from the userspace process, they are placed into an array whose items are of size __u64.
  • However, this is where the bug comes in. On 32-bit systems, the array in the print function is expected to be 32 bits per item. In the printf, the llx format specifier is used, which stands for a long long numeric value output in hex.
  • The difference between the ACTUAL size of the elements and the EXPECTED size causes 24 bytes of kernel memory to be leaked from the stack. Using this, an attacker could break KASLR or other randomization primitives.
  • Considering this bug could be seen by simply viewing the procfs, this probably was not hard to find! In fact, a careful observer on a 32-bit system may have encountered this bug and not realized what was going on. When testing, be observant of odd behavior; rabbit holes are your friend :)
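To make the size mismatch concrete, here is an added model (not Talos' write-up code and not the kernel's) of a print loop that consumes 8 bytes per element from an array that really holds 32-bit slots. The "stack frame" is constructed: six 32-bit values followed by 24 marker bytes standing in for whatever else sat on the kernel stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stack layout: six 32-bit argument slots followed by
 * 24 bytes of unrelated stack contents (marker byte 0xAA). */
#define NARGS 6
#define SLOT32 sizeof(uint32_t)
#define RESIDUE 24
static unsigned char frame[NARGS * SLOT32 + RESIDUE];

static void put_le32(unsigned char *p, uint32_t v) {
    for (int j = 0; j < 4; j++) p[j] = (unsigned char)(v >> (8 * j));
}

/* Fill the slots with 1..6 (little-endian) and the residue with 0xAA. */
void build_frame(void) {
    for (uint32_t i = 0; i < NARGS; i++) put_le32(frame + i * SLOT32, i + 1);
    memset(frame + NARGS * SLOT32, 0xAA, RESIDUE);
}

/* Consume NARGS values of `width` bytes each, as the format specifier
 * dictates: 4 for a 32-bit "%lx", 8 for "%llx". Fills vals[] and returns
 * how many bytes were read past the real 32-bit array, i.e. the size of
 * the disclosure. The frame is decoded as little-endian regardless of host. */
size_t read_regs(size_t width, uint64_t vals[NARGS]) {
    size_t off = 0;
    for (int i = 0; i < NARGS; i++) {
        uint64_t v = 0;
        for (size_t j = 0; j < width; j++) v |= (uint64_t)frame[off + j] << (8 * j);
        vals[i] = v;
        off += width;
    }
    size_t real = NARGS * SLOT32;
    return off > real ? off - real : 0;
}

int main(void) {
    uint64_t v[NARGS];
    build_frame();
    printf("4-byte reads leak %zu bytes\n", read_regs(4, v));
    size_t leaked = read_regs(8, v);
    printf("8-byte reads leak %zu bytes; last value 0x%016llx\n",
           leaked, (unsigned long long)v[NARGS - 1]);
    return 0;
}
```

With 8-byte reads the last three "registers" printed are made entirely of marker bytes, which is the 24-byte over-read the write-up describes.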