July 13th, 2024

Exploring Novel File System Objects for Data-Only Attacks on Linux Systems

The study explores data-only attacks on Linux systems, identifying critical non-control file system objects whose corruption yields exploitation without first defeating Kernel Address Space Layout Randomization (KASLR). It presents novel exploit strategies and evaluates them against real-world vulnerabilities.


The paper "Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems" by Jinmeng Zhou and colleagues examines non-control-data attacks against the Linux kernel, in which an exploit corrupts ordinary data rather than code pointers and therefore is not stopped by control-flow integrity. The study systematically identifies critical non-control objects within the kernel's file subsystem and assesses their exploitability. Using a custom analysis and testing framework, the authors categorize these objects by the exploit strategy each enables, including a novel strategy for bypassing existing defenses. A key advantage of the identified objects is that corrupting them does not require knowing kernel addresses, so an exploit needs no KASLR bypass, which makes it simpler and more reliable. The evaluation covers 18 real-world Common Vulnerabilities and Exposures (CVEs) and yields 10 end-to-end exploits against a kernel with state-of-the-art mitigations enabled. The work is submitted for presentation at the 31st ACM Conference on Computer and Communications Security (CCS 2024).

Related

The Dirty Pipe Vulnerability

The Dirty Pipe vulnerability (CVE-2022-0847), present in Linux kernels since 5.8, let an unprivileged local user overwrite data in the page cache of any file they could open for reading, including read-only files and setuid binaries, and so escalate privileges; it was fixed in 5.16.11, 5.15.25 and 5.10.102. It was discovered by chasing CRC errors in compressed log files on a Linux 5.10 system: the corruption was systematic and turned out to be linked to ZIP file headers that a web server wrote into a pipe while also splicing file data into it. Reproducing the data transfer between processes with small C programs pinpointed the faulty commit, a pipe-buffer refactoring that made buffer merging depend on a per-buffer flag which the splice path never initialized, so a page-cache page spliced into the pipe could inherit the "can merge" flag and be written into by a later write(). The write-up is a reminder of how subtle interactions between kernel components (splice, pipes and the page cache) can turn an innocuous-looking cleanup into a serious bug.

CVE-2021-4440: A Linux CNA Case Study

The case study argues that the Linux CNA mishandled CVE-2021-4440, a bug in the 5.10 LTS kernel that leaked kernel memory contents and thereby allowed KASLR to be defeated. The issue also affected Debian Bullseye and SUSE's 5.3.18-based kernel; it was resolved in 5.10.218.

The good, the bad, and the weird (2018)

Trail of Bits examines "weird machines" in software exploitation: the unintended computation an exploit performs by driving a program into states its author never anticipated, which is why it slips past security measures designed around the intended program. The post argues that formal reasoning tools such as Hoare triples, and language-level checks such as C++ dynamic_cast, help identify and prevent such exploitation, an increasingly important concern as defenses evolve.

Userland Rootkits Are Lame

Userland rootkits such as Symbiote work by injecting a shared library into every dynamically linked process on a Linux system (via LD_PRELOAD or /etc/ld.so.preload) and hooking libc functions to hide files, processes and network connections. Because they never touch the kernel, they are easy to sidestep: statically linked tools do not load the injected library and so are immune to the hooks, a process's memory map (/proc/PID/maps) reveals the extra library, and comparing file lists produced by hooked and unhooked tools exposes the hidden entries.
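As an added example (not code from the linked post or from any rootkit analysis), here is a C check that applies the last of those countermeasures in a single process: it lists a directory through the raw getdents64 syscall, which a preload hook on libc's readdir() cannot intercept, and compares the count with libc's own view; any entry present only in the raw listing is being hidden. It also reports whether a preload library is configured. The sample directory and its file names are constructed here for the demonstration; a real rootkit would of course not be hiding anything in it.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Kernel-facing record layout for getdents64(2); libc does not export it. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

static int is_dot(const char *n) {
    return strcmp(n, ".") == 0 || strcmp(n, "..") == 0;
}

/* Count entries via the raw syscall. A rootkit that hooks readdir() in
 * libc never sees this path. Returns -1 on error. */
long count_entries_raw(const char *path) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192] __attribute__((aligned(8)));
    long count = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long off = 0; off < n; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            if (!is_dot(d->d_name)) count++;
            off += d->d_reclen;
        }
    }
    close(fd);
    return count;
}

/* Count entries the way ls(1) does: through libc's opendir()/readdir(),
 * which is exactly what an LD_PRELOAD rootkit hooks. */
long count_entries_libc(const char *path) {
    DIR *dir = opendir(path);
    if (!dir) return -1;
    long count = 0;
    struct dirent *de;
    while ((de = readdir(dir)) != NULL)
        if (!is_dot(de->d_name)) count++;
    closedir(dir);
    return count;
}

/* Entries the kernel reports but libc does not: 0 means consistent, -1 error. */
long hidden_entries(const char *path) {
    long raw = count_entries_raw(path), lib = count_entries_libc(path);
    if (raw < 0 || lib < 0) return -1;
    return raw - lib;
}

/* Cheap first check: is a preload library configured for this process? */
int preload_configured(void) {
    const char *env = getenv("LD_PRELOAD");
    if (env && *env) return 1;
    return access("/etc/ld.so.preload", F_OK) == 0;
}

/* Constructed sample directory for the demo: three files, one a dotfile. */
const char *make_sample_dir(void) {
    static char dir[sizeof "/tmp/rootkit-check-XXXXXX"];
    strcpy(dir, "/tmp/rootkit-check-XXXXXX");   /* reset template on repeat calls */
    if (!mkdtemp(dir)) return NULL;
    const char *names[] = { "notes.txt", "sshd_config", ".hidden-entry" };
    for (int i = 0; i < 3; i++) {
        char p[256];
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0) return NULL;
        close(fd);
    }
    return dir;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : make_sample_dir();
    if (!path) return 1;
    long hidden = hidden_entries(path);
    printf("preload configured: %s\n", preload_configured() ? "yes" : "no");
    printf("%s: kernel=%ld libc=%ld hidden=%ld\n", path,
           count_entries_raw(path), count_entries_libc(path), hidden);
    return hidden > 0 ? 2 : 0;
}
```

Run it against a suspect directory (`./check /etc`) and a non-zero `hidden` count means libc is lying to you. Two caveats: the raw path still goes through libc's `syscall()` wrapper, which a sufficiently thorough preload library could hook as well, so for a real investigation build the tool with `-static` (the post's first countermeasure) or copy it onto the host from a clean system; and a count comparison tells you that something is hidden, not what, so extend the raw loop to record names if you need the list.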

RegreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems

CVE-2024-6387 ("regreSSHion") is an unauthenticated remote code execution vulnerability in OpenSSH's server (sshd) on glibc-based Linux systems, fixed in OpenSSH 9.8p1. It is a signal handler race: when a client fails to authenticate within LoginGraceTime, sshd's SIGALRM handler runs asynchronously and calls functions such as syslog() that are not async-signal-safe, so an attacker who times the interruption precisely can corrupt the heap and execute code as root; that timing requirement makes exploitation slow and probabilistic. The advisory walks through the exploitation details and success rates and describes the coordination with the OpenSSH developers on related issues.
