UP | HOME
../../ | NoSlides

Kernel Exploits Overview

Table of Contents

1 Objectives

  1. Objective: Over the years there have been many kernel bugs. In the 1000s. This page and related articles give brief technical descriptions of a few kernel vulnerabilities. Discovered in 2017+. Or, classics. Network related items are skipped. Not exhaustive.
  2. Objective: Provide technical descriptions accessible to students of cyber security. Have a decent technical understanding of the vulnerability and the exploit.
  3. Objective: Become familiar with CVE, and the description structure of a CVE. The CVEs shown here are a tiny selection.
  4. Not-an-objective: To be able to provide fixes to such exploits.

2 Kernel Exploit Classics

2.1 Privilege Escalation Technique

  1. Privilege escalation is a technique an attacker/ intruder almost always attempts. He arrives as an ordinary/ unprivileged user, and gains super user privileges through exploiting a bug, or configuration oversight.
  2. How did he gain access even as an ordinary user? This is a separate and independent exploit – e.g., via a stolen password.
  3. A typical privilege escalation technique is through stack smashing, or ROC.
  4. Once super user access is obtained, the intruder can install backdoors, rootkits, change permissions, etc.
  5. Linux PIE/stack corruption (CVE-2017-1000253) A Local Privilege Escalation. https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt "An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system."

2.3 RootKits

  1. ./RootKits/ Separate page

2.4 RaceConditions

  1. ./RaceConditions/ Separate page

3 Sym Link Attack

  1. "Symlink attack is one of the newest and easiest way of exploitation as the attacker gets full root access to the entire server from a compromised website.
  2. https://www.serveradminz.com/blog/the-vulnerable-symlink-attackan-awesome-way-for-a-hacker-the-prevention-methods/ By admin July 2016; {pm: Quite detailed} Reference
  3. https://blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-access-symlinks-to-root-part-i.html 2013 Reference
  4. http://groups.hcon.in/uploads/1/8/1/9/1819392/hga_bhashit_pandya_-_symlink_attack.pdf, Bhashit Pandya, Symlink Attack Tutorial, 201x, 30+ slides. {pm: Several minor errors}. Recommended Reading.

4 Viruses, Worms, Trojans

  1. Linux malware includes viruses, trojans, worms. At the level of academic discussion, these are different. But, virus is now a term that combines all these and has become slag-equivalent to malware.
  2. Malware often arrives via networking. But, it can also arrive via files being opened/ copied, and USBD insertions.
  3. Example: https://threats.kaspersky.com/ru/threat/Virus.Linux.Alaeda/ 2003? "Alaeda is a non-resident virus. It infects systems running Linux, and is written in Assembly. It infects .ELF format files in the current directory. When infecting, the virus modifies the entry point of the original file, passing control to the infection routine. It then modifies the file's .ELF header. Before infecting, the virus checks to see if the computer is vulnerable. The .TXT part of the file must also be the minimum size to infect. The virus writes its body to the .TXT section. The size of the file will not change, making it hard to tell if files are infected. Once the virus body has delivered its payload, control is returned to the program code. If a file is already infected, the virus will not re-infect the file."
  4. https://en.wikipedia.org/wiki/Linux_malware Lists malware examples. Required Reading.

5 Recent (2017+) Kernel Exploits

  1. Meltdown and Spectre are CPU vulnerabilities.
  2. Should we expect an OS kernel to fix/ work-around such bugs?!
  3. https://github.com/xairy/kernel-exploits "A bunch of proof-of-concept exploits for the Linux kernel" 2016 – current.
  4. Kali Linux has a local copy of exploit-db exploits which make it easier to search for local root exploits

5.1 Stack Clash

  1. A vulnerability in the memory management of OS was discovered in 2017, and named Stack Clash. It can be exploited to execute arbitrary code.
  2. Qualys stack-clash.txt [see refs] provided a technically detailed description.
  3. "The idea of clashing the stack with another memory region is not new: it was exploited a first time in 2005 and a second time in 2010. After the 2010 exploit, Linux introduced a protection against such exploits: the so-called stack guard-page. "
  4. To understand stack-guard page: Understand syscalls mmap2, mprotect, clone, etc.
  5. "The exploits and proofs of concept that we developed in the course of our research are all Local Privilege Escalations: an attacker who has any kind of access to an affected system can exploit the Stack Clash vulnerability and obtain full root privileges."
  6. https://www.cvedetails.com/cve/CVE-2017-1000364/ "An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010)." Reference.
  7. https://www.exploit-db.com/docs/english/17784-recursive-stack-overflows.pdf Jumping the Guard Page for Fun and Profit, Recursive Stack Overflows; 25 slides, 201x. Recommended Reading.
  8. https://blog.aquasec.com/bugs-gone-wild-container-stack-clash-and-cve-2017-1000253 Recommended Reading.

5.3 Meltdown

  1. "The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. Out-of-order execution is an indispensable performance feature and present in a wide range of modern processors. The attack is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security assumptions given by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation. On affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer. We show that the KAISER defense mechanism for KASLR has the important (but inadvertent) side effect of impeding Meltdown. We stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leakage."
  2. Reproduced above: Abstract of: Lipp, Moritz, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. "Meltdown." arXiv preprint arXiv:1801.01207 (2018). https://meltdownattack.com/meltdown.pdf, 16pp. Reference.
  3. "Practical attacks that exploit speculative execution can leak confidential information via microarchitectural side channels. The recently-demonstrated Spectre attacks leverage speculative loads which circumvent access checks to read memory-resident secrets, transmitting them to an attacker using cache timing or other covert communication channels. We introduce Spectre1.1, a new Spectre-v1 variant that leverages speculative stores to create speculative buffer overflows. Much like classic buffer overflows, speculative out-ofbounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks. It is easy to construct return-oriented-programming (ROP) gadgets that can be used to build alternative attack payloads. We also present Spectre1.2: on CPUs that do not enforce read/write protections, speculative stores can overwrite readonly data and code pointers to breach sandboxes. We highlight new risks posed by these vulnerabilities, discuss possible software mitigations, and sketch microarchitectural mechanisms that could serve as hardware defenses. We have not yet evaluated the performance impact of our proposed software and hardware mitigations. We describe the salient vulnerability features and additional hypothetical attack scenarios only to the detail necessary to guide hardware and software vendors in threat analysis and mitigations. We advise users to refer to more user-friendly vendor recommendations for mitigations against speculative buffer overflows or available patches."
  4. Reproduced above Abstract of: Kiriansky, V. and Waldspurger, C., 2018. Speculative buffer overflows: Attacks and defenses. arXiv:1807.03757. https://people.csail.mit.edu/vlk/spectre11.pdf, 12pp. Reference.

5.3.1 Ideas

  1. Out-of-Order Execution
  2. Speculative Execution
  3. Address Space Isolation
  4. Paravirtualized Environments
  5. Required: Become familiar.

5.4 Dirty COW

  1. COW == Copy-on-Write, a virtual memory technique. Pages are shared among processes, assuming read-only. When a page changes, it is unshared, and a separate page is copied.
  2. https://dirtycow.ninja/ CVE-2016-5195 is a privilege escalation vulnerability in the Linux Kernel.
  3. "The Dirty COW exploit is a race condition that allows an attacker to gain root access to any vulnerable system, and can even be exploited from within a Docker container. This vulnerability existed in the Linux kernel for nine years before it was discovered."
  4. "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings."
  5. download the dirtycow exploit from https://www.exploit-db.com/exploits/40839/
  6. more dirtycow exploits https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
  7. https://01.org/developerjourney/recipe/demonstrating-dirty-cow-exploit

5.5 CVE-2017-18202 Local DoS Vulnerability

  1. Linux kernel is designed to kill a process when memory runs "low". The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel mishandled gather operations, which allows attackers to cause a denial of service (TLB entry leak or use-after-free) or possibly have unspecified other impact by triggering a copy_to_user call within a certain time window.
  2. "The pricing for an exploit might be around USD $5k-$25k at the moment." [from https://vuldb.com/?id.113899] Required Reading.
  3. https://www.securityfocus.com/bid/103161 Local DoS Vulnerability. Reference.

5.6 CVE-2017-15126

  1. The security issue in this kernel vulnerability is local memory corruption due to use-after-free (CWE\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\­416) coding sloppiness. Such a bug can be exploited to execute arbitrary code.
  2. The flaw was discovered in fs/userfaultfd.c in Linux kernel related to fork() failure when dealing with event messages.
  3. The vulnerability and its fix have been published on a number of security advisories.

5.7 CVE-2017-1000253

  1. PIE load_elf_binary does not allocate sufficient space.
  2. Apllications are often built as a Position Independent Executable (PIE). The loader can allow part of that application's data segment to map over the memory area reserved for its stack resulting in corruption of the stack, with possible privilege escalation.

5.8 CVE 1999 to 2019

  1. https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html Linux Kernel Vulnerability Statistics 1999 - 2018. Required Visit.
  2. 2019 Total number of vulnerabilities : 662 https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-7/cvssscoremax-7.99/Linux-Linux-Kernel.html Required Visit.

6 References

  1. Several refs are embedded in the above. Some (not all) of these appear below again.
  2. https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html Linux Kernel Vulnerability Statistics 1999 - 2018. Required Visit.
  3. https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash; https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt Qualys Security Advisory: The Stack Clash. Reference.
  4. https://www.cvedetails.com/cve/CVE-2017-1000364/ Stack Clash. Reference.
  5. https://forum.xda-developers.com/android/software-hacking/development-stack-clash-eop-exploit-t3631001 Reference.
  6. https://people.csail.mit.edu/vlk/spectre11.pdf Reference.
  7. https://meltdownattack.com/ Reference.
  8. https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails The bug has existed since around 2.6.22 (released in 2007) and was fixed on Oct 18, 2016. Reference.
  9. Spectre Mitigations https://www.wasmjit.org/blog/spectre-mitigations-part-1.html + https://www.wasmjit.org/blog/spectre-mitigations-part-2.html

6.2 References

  1. https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html Linux Kernel Vulnerability Statistics 1999 - 2018. Required Visit.
  2. https://courses.linuxchix.org/kernel-hacking-2002/08-overview-kernel-source.html LinuxChix Kernel Hacking Lessons. 2002
  3. https://kernelnewbies.org/KernelHacking Background on kernel development 2017 –
  4. https://github.com/xairy/kernel-exploits "A bunch of proof-of-concept exploits for the Linux kernel" 2016 – current.

6.3 References

  1. https://www.vulnhub.com/ Vulnerable Kernels by Design for educational purposes.
  2. Rashid Feroze, https://payatu.com/guide-linux-privilege-escalation/ 2018. Poorly written. But, … Names and links exploits.

6.4 References

  1. https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html Linux Kernel Vulnerability Statistics 1999 - 2018. Required Visit.
  2. https://courses.linuxchix.org/kernel-hacking-2002/08-overview-kernel-source.html LinuxChix Kernel Hacking Lessons. 2002
  3. https://kernelnewbies.org/KernelHacking Background on kernel development 2017 –
  4. https://github.com/xairy/kernel-exploits "A bunch of proof-of-concept exploits for the Linux kernel" 2016 – current.

6.5 Related Lecture Notes

  1. ../Hardening/BuildKernel Overview of Kernel Source and How to Build a Kernel
  2. ../Hardening/Kernel Applying patches, Building the hardened Kernel, Deploying the Kernel

7 End

Copyright © 2019 www.wright.edu/~pmateti • 2019-10-12