Description
Slides: https://powerofcommunity.net/poc202...d OOB on Ubuntu at Pwn2Own Vancouver 2024.pdf

The network scheduling (net/sched) subsystem in the Linux kernel manages the queuing and scheduling of network packets. To provide more flexibility, it supports a variety of scheduling algorithms and fine-tuning options, which in turn increases its complexity. In preparation for Pwn2Own Vancouver 2024, we decided to delve into this subsystem, anticipating that its complexity might conceal potential vulnerabilities.
After thoroughly reviewing all of the algorithms, we uncovered an out-of-bounds (OOB) write vulnerability in the TAPRIO algorithm caused by incorrect type usage. However, further analysis revealed significant limitations that make exploitation daunting. For instance, both the data written and the location of the write are range-bounded, and the OOB write occurs in the vmalloc memory space, rendering existing attack methods ineffective. To overcome these limitations, we devised a new exploit approach and successfully compromised the latest version of Ubuntu. We are also confident that this method is reusable for vulnerabilities with similar primitives.
In this talk, we will briefly introduce the net/sched subsystem architecture and the root cause of the vulnerability. Then, we will focus primarily on the exploitation. First, we will analyze the primitive provided by the vulnerability. Next, we will detail how to leverage this restricted primitive to inject BPF bytecode, even when eBPF is disabled by default, to achieve an arbitrary write of kernel data. Additionally, we will explain how we performed "Heap Feng Shui" in the vmalloc space and used the Linux signal mechanism to increase the success rate of the exploit. Finally, we will share some intriguing anecdotes from our first participation in Pwn2Own, which made the competition both thrilling and challenging.