Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Linux: UAF read: SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) - 685

Jann Horn, posted 4 years ago
  • In Linux programming, sockets are how network connections are made and data is sent. Finding vulnerabilities in the network stack can be catastrophic, since they can be triggered via remote access with no user interaction.
  • When sock_getsockopt handles the SO_PEERCRED option, it copies the peer credentials to userspace without holding a lock. Why is this bad? Because of the missing lock, the credentials object can be freed while it is still being read, so freed memory is copied back to the user: a use-after-free.
  • The race is reachable through calls that update sk->sk_peer_cred, because the old creds are replaced and then freed. If another process or thread is accessing the structure at that moment, a use-after-free can occur.
  • The proof of concept reads the peer credentials of a listening socket over and over in one thread while a second thread destroys the peer credentials object. Run with ASAN, this produces a use-after-free crash.
  • This vulnerability could only be used as an information disclosure in a privilege escalation chain; no useful writes could occur. Overall, this is a straightforward missing lock on access to a variable that leads to a really bad bug.
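The pattern behind the bug, as an added illustration that is not from the original report or the kernel: a single-threaded toy model where the reader fetches the sk_peer_cred pointer, the updater replaces the creds and drops the old reference, and the reader then uses the stale pointer; the hardened reader takes a lock and a reference before the updater can run, which is the shape of the lock-then-get_cred fix. The structs, the refcount that marks objects freed instead of freeing them, and the spinlock stand-in are all simplified assumptions.

```c
/* Toy model of the objects involved (constructed for illustration, not kernel code). */
struct cred {
    int refcount;   /* like the kernel's cred usage count */
    int freed;      /* set instead of really freeing, so the toy stays inspectable */
    unsigned uid;   /* the field SO_PEERCRED copies out */
};
struct sock {
    struct cred *sk_peer_cred;  /* read by SO_PEERCRED, replaced by listen()/connect() */
    int sk_peer_lock;           /* toy stand-in for a spinlock protecting the pointer */
};

static struct cred *cred_get(struct cred *c) { c->refcount++; return c; }
static void cred_put(struct cred *c) { if (--c->refcount == 0) c->freed = 1; }

/* Updater path: install new peer creds and drop the old reference. */
static void update_peer_cred(struct sock *sk, struct cred *new_cred) {
    struct cred *old = sk->sk_peer_cred;
    sk->sk_peer_cred = cred_get(new_cred);
    cred_put(old);   /* frees the object a concurrent reader may still be using */
}

/* Vulnerable reader: raw pointer, no lock, no reference; used only later. */
static struct cred *peercred_raw(struct sock *sk) { return sk->sk_peer_cred; }

/* Hardened reader: lock, take a reference, unlock; the caller must cred_put(). */
static struct cred *peercred_ref(struct sock *sk) {
    while (__sync_lock_test_and_set(&sk->sk_peer_lock, 1)) ; /* spin */
    struct cred *c = cred_get(sk->sk_peer_cred);
    __sync_lock_release(&sk->sk_peer_lock);
    return c;
}

/* Interleaving: reader fetches the pointer, updater replaces creds, reader copies out. */
static int race_vulnerable(void) {
    struct cred a = {1, 0, 1000}, b = {1, 0, 1001};
    struct sock sk = {&a, 0};
    struct cred *c = peercred_raw(&sk);
    update_peer_cred(&sk, &b);
    return c->freed;   /* 1: reading c->uid now would be a use-after-free read */
}
static int race_fixed(void) {
    struct cred a = {1, 0, 1000}, b = {1, 0, 1001};
    struct sock sk = {&a, 0};
    struct cred *c = peercred_ref(&sk);
    update_peer_cred(&sk, &b);
    int freed = c->freed;  /* 0: our reference keeps the object alive */
    cred_put(c);
    return freed;
}
```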