Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Linux CLOCK_THREAD_CPUTIME_ID LPE - 950

noamr - SSD, posted 3 years ago
  • A CLOCK_THREAD_CPUTIME_ID timer measures the CPU time consumed by a single thread. The timer is created with timer_create and armed with timer_settime; once the thread has used up the requested amount of CPU time, the kernel delivers a signal to it, indicating that time is up.
  • The Linux kernel implements this by linking a k_itimer structure into a doubly-linked list of all such timers. On each tick the list entries are checked to see whether they have expired, and an expired entry fires its signal. On execve the kernel frees all of the timers associated with the process, but it leaves the task's posix_cputimers structure, and the list it holds, untouched.
  • In practice this means that if a timer is already armed when execve is called, the kernel frees the k_itimer while the doubly-linked list still holds a pointer to it: a dangling pointer. When the timer later expires, the expiry path dereferences the freed object (a use after free) and then frees it again (a double free).
  • The author includes a full exploit with the advisory. From reading the code, the strategy appears to be to spray objects into the freed timer's slot so that the second free lands on a chosen target object; the spray is done at page granularity (below the slab allocator) using sockets. Freeing the reclaimed object yields two leaks.
  • With those leaks in hand, they leak a msg_msg object using the same strategy, this time spraying only message-queue (msgq) objects, and use it to obtain a KASLR leak.
  • Once they know where everything is located, they trigger the bug again, but this time they reclaim the freed timer with a separate, controlled allocation and keep a reference to it (the use after free). Writing to the timer through that overlapping allocation gives them an arbitrary write primitive, which they use to overwrite modprobe_path so that the kernel runs an attacker-chosen program as root the next time it invokes modprobe. Code execution gained!
  • Overall, a good description of the bug, but nothing on the PoC. The PoC itself is well commented, though, which makes it possible to follow.
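To make the timer mechanism in the first bullet concrete, here is an added example of my own (not code from the SSD advisory or its PoC). It creates a CLOCK_THREAD_CPUTIME_ID timer with timer_create, arms it with timer_settime for 20 ms of CPU time, burns CPU until the signal arrives, and returns how much thread CPU time had been consumed when it fired. The function name, the choice of SIGALRM and the wall-clock bail-out are my own assumptions; the advisory's trigger, calling execve while such a timer is armed, is deliberately not part of it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Set by the signal handler once the CPU-time timer expires. */
static volatile sig_atomic_t timer_fired = 0;

static void on_timer(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)uctx;
    /* SI_TIMER distinguishes a POSIX timer expiry from a user-sent signal. */
    if (si->si_code == SI_TIMER)
        timer_fired = 1;
}

static int64_t ts_to_ns(const struct timespec *ts)
{
    return (int64_t)ts->tv_sec * 1000000000LL + ts->tv_nsec;
}

/* Arms a CLOCK_THREAD_CPUTIME_ID timer for budget_ns of this thread's CPU
 * time, spins until the signal arrives, and returns the thread CPU time (ns)
 * consumed between arming and expiry. Returns -1 on error or if the timer has
 * not fired within wall_limit_s seconds of wall-clock time (assumed safety
 * limit so the demo cannot hang). */
int64_t run_thread_cputimer(int64_t budget_ns, int wall_limit_s)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_flags = SA_SIGINFO;
    sa.sa_sigaction = on_timer;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, NULL) < 0)
        return -1;

    /* Notification by signal; in this single-threaded demo it reaches the
     * thread that armed the timer. */
    struct sigevent sev;
    memset(&sev, 0, sizeof sev);
    sev.sigev_notify = SIGEV_SIGNAL;
    sev.sigev_signo = SIGALRM;

    timer_t tid;
    if (timer_create(CLOCK_THREAD_CPUTIME_ID, &sev, &tid) < 0)
        return -1;

    /* Relative one-shot expiry: fires after budget_ns more CPU time. */
    struct itimerspec its;
    memset(&its, 0, sizeof its);
    its.it_value.tv_sec = budget_ns / 1000000000LL;
    its.it_value.tv_nsec = budget_ns % 1000000000LL;

    struct timespec cpu_at_arm, cpu_now, wall_start, wall_now;
    clock_gettime(CLOCK_THREAD_CPUTIME_ID, &cpu_at_arm);
    clock_gettime(CLOCK_MONOTONIC, &wall_start);
    timer_fired = 0;
    if (timer_settime(tid, 0, &its, NULL) < 0) {
        timer_delete(tid);
        return -1;
    }

    /* Sleeping would not advance the CPU-time clock, so do real work. */
    volatile uint64_t sink = 0;
    while (!timer_fired) {
        for (int i = 0; i < 10000; i++)
            sink += (uint64_t)i * 2654435761u;
        clock_gettime(CLOCK_MONOTONIC, &wall_now);
        if (ts_to_ns(&wall_now) - ts_to_ns(&wall_start) >
            (int64_t)wall_limit_s * 1000000000LL) {
            timer_delete(tid);
            return -1;
        }
    }
    clock_gettime(CLOCK_THREAD_CPUTIME_ID, &cpu_now);
    timer_delete(tid);
    return ts_to_ns(&cpu_now) - ts_to_ns(&cpu_at_arm);
}

int main(void)
{
    int64_t used = run_thread_cputimer(20 * 1000000LL, 10);
    if (used < 0) {
        fprintf(stderr, "thread CPU timer did not fire: %s\n", strerror(errno));
        return 1;
    }
    printf("timer fired after %lld ns of thread CPU time (armed for 20 ms)\n",
           (long long)used);
    return 0;
}
```

Build with `gcc -O2 demo.c` (add `-lrt` on glibc older than 2.34, where timer_create still lives in librt). The returned value is always at least the armed budget, because the kernel compares the same per-thread sum_exec_runtime that CLOCK_THREAD_CPUTIME_ID reports. On an unpatched kernel, replacing the spin loop with an execve while the timer is armed is the sequence the write-up describes.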