Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel

Author: Alexander Popov, Positive Technologies. CVE-2021-26708 is assigned to five race condition bugs in the virtual socket implementation of the Linux kernel. I discovered and fixed them in January 2021. In this article I describe how to exploit them for local privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and SMAP. Today I gave a talk at Zer0Con 2021 on this topic (slides). I like this exploit. The race condition can be …

Linux kernel heap quarantine versus use-after-free exploits

It’s 2020. Quarantines are everywhere – and here I’m writing about one, too. But this quarantine is of a different kind. In this article I’ll describe the Linux Kernel Heap Quarantine that I developed for mitigating kernel use-after-free exploitation. I will also summarize the discussion about the prototype of this security feature on the Linux Kernel Mailing List (LKML). Use-after-free in the Linux kernel. Use-after-free …

Case study: Searching for a vulnerability pattern in the Linux kernel

This short article describes the investigation of one funny Linux kernel vulnerability and my experience with Semmle QL and Coccinelle, which I used to search for similar bugs. The kernel bug. Several days ago my custom syzkaller instance got an interesting crash. It had a stable reproducer and I started the investigation. Here I will take the opportunity to say that syzkaller is an awesome …

New bypass and protection techniques for ASLR on Linux

By Ilya Smith (@blackzert), Positive Technologies researcher. 0. Abstract. The Linux kernel is used on systems of all kinds throughout the world: servers, user workstations, mobile platforms (Android), and smart devices. Over the life of Linux, many new protection mechanisms have been added both to the kernel itself and to user applications. These mechanisms include address space layout randomization (ASLR) and stack canaries, which complicate …

Blocking double-free in Linux kernel

On the 7th of August the Positive Technologies expert Alexander Popov gave a talk at SHA2017. SHA stands for Still Hacking Anyway; it is a big outdoor hacker camp in the Netherlands. The slides and recording of Alexander's talk are available. This short article describes some new aspects of Alexander's talk which haven't been covered in our blog. The general method of exploiting a double-free error is based …

Writing Linux Security Module

Linux Security Modules (LSM) is a framework allowing Linux to support various security models. LSM has been a part of the kernel starting with Linux v. 2.6. Currently, the official kernel hosts such security modules as SELinux, AppArmor, Tomoyo, and Smack. The modules run simultaneously with the native Linux security model, Discretionary Access Control (DAC). LSM checks are triggered by the actions allowed by DAC. …

Introduction to XCCDF

XCCDF (The Extensible Configuration Checklist Description Format) is an XML-based specification language for describing security configuration checklists and other similar documents. XCCDF is one of the languages of the Security Content Automation Protocol (SCAP) and an important instrument for specialists engaged in the automation of information security processes. This language, for instance, is used to describe configuration requirements for US federal agencies’ and …

PCI DSS and Red Hat Enterprise Linux (Part #7)

Requirement 8: Assign a unique ID to each person with computer access. Summary. Most requirements presented in this chapter concern Linux password policy, which was described in detail by CIS. 8.3 To verify that two-factor authentication is implemented for all remote network access, observe an employee (for example, an administrator) connecting remotely to the network. The basic example of two-factor authentication for remote access is …

PCI DSS and Red Hat Enterprise Linux (Part #6)

Requirement 7. Limit access to system components and cardholder data to only those individuals whose job requires such access. 7.2.1 Examine system settings and vendor documentation to confirm that access control systems are in place on all system components. The previous item was about data access control, and this one concerns user access isolation. Let us consider all widespread mechanisms of user privilege restriction. In …

PCI DSS and Red Hat Enterprise Linux (Part #5)

Requirement 7. Limit access to system components and cardholder data to only those individuals whose job requires such access. Summary. Both requirements given in this section are rather complex; many sub-systems are involved in configuring the OS in compliance with these requirements. CIS RHEL analogs of requirement 7.2.1 are contained in items 8.1, 8.2, 8.5, 8.8, 9.2, 9.8, 9.11, SN.7, and SN.11, but …