Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel

Author: Alexander Popov, Positive Technologies CVE-2021-26708 is assigned to five race condition bugs in the virtual socket implementation of the Linux kernel. I discovered and fixed them in January 2021. In this article I describe how to exploit them for local privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and SMAP. Today I gave a talk at Zer0Con 2021 on this topic (slides). I like this exploit. The race condition can be … Continue reading Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel

Linux kernel heap quarantine versus use-after-free exploits

It’s 2020. Quarantines are everywhere – and here I’m writing about one, too. But this quarantine is of a different kind. In this article I’ll describe the Linux Kernel Heap Quarantine that I developed for mitigating kernel use-after-free exploitation. I will also summarize the discussion about the prototype of this security feature on the Linux Kernel Mailing List (LKML). Use-after-free in the Linux kernel Use-after-free … Continue reading Linux kernel heap quarantine versus use-after-free exploits

Http Parameter Contamination (more)

To continue investigating the Http Parameter Contamination (HPC) attack, I’ve done some primitive fuzzing in the environments which had not been covered in the original research of Ivan Markovic. It must be mentioned, that I have not found out anything new. On the other hand, an interesting feature of the Python interpreter was revealed; I also got a payload exploit for conducting a denial-of-service attack … Continue reading Http Parameter Contamination (more)

Fuzzing and exploitation of vulnerability CVE-2010-3856

The vulnerability “The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads\” detected by Tavis Ormandy at the end of 2010 force most users to patch their systems as soon as possible. An unprivileged user can run arbitrary code with highest privileges in the system using LD_AUDIT mode in ld.so with spoofing $ORIGIN by hard-coded link and running a SUID program via … Continue reading Fuzzing and exploitation of vulnerability CVE-2010-3856