No CVE for this which has never been in the official kernel - The Cyber Shafarat - Membership only site

In this blog post, Javier P Rufo demonstrates how he developed an exploit for this bug (from the mailing-list thread "[RFC PATCH] ptrace: add PTRACE_GETFD request"), which was never present in the official kernel. The purpose of the exploit is to achieve local privilege escalation (LPE) in Linux kernel version 5.10.77.

In this blog post, I will demonstrate how I developed an exploit for this bug which was never present in the official kernel. The purpose of the exploit is to achieve local privilege escalation in Linux kernel version 5.10.77.

ptrace is a system call that lets one process (the tracer) observe and control another process (the tracee). The RFC patch adds a PTRACE_GETFD request to the Linux kernel: given a file descriptor number in the tracee, it duplicates that descriptor into the tracer's own file table, so the tracer can operate on a file the victim process has open.

The bug
 1 static int ptrace_getfd(struct task_struct *child, unsigned long fd)
 2 {
 3         struct files_struct *files;
 4         struct file *file;
 5         int ret = 0;
 6
 7         files = get_files_struct(child);
 8         if (!files)
 9                 return -ENOENT;
10
11         spin_lock(&files->file_lock);
12         file = fcheck_files(files, fd);
13         if (!file)
14                 ret = -EBADF;
15         else
16                 get_file(file); /* increment f_count */
17         spin_unlock(&files->file_lock);
18         put_files_struct(files);
19
20         if (ret)
21                 goto out;
22
23         ret = get_unused_fd_flags(0);
24         if (ret >= 0)
25                 fd_install(ret, file); /* install the reference in the file table */
26
27         fput(file); /* decrement f_count */
28 out:
29         return ret;
30 }
In line 16, get_file increments f_count (the file's reference count), which is correct: the tracer is about to hold a new reference to the victim's file. In line 25, fd_install hands that reference to the tracer's file table, so the new table entry now owns it. The error is in line 27: fput drops a reference unconditionally, on the success path as well as on the error path, so after the request returns there are two file-table entries (the victim's and the tracer's) pointing at the same struct file while f_count is still 1. The fput should only run when get_unused_fd_flags fails. If either process now closes its descriptor, f_count reaches zero and the struct file is freed while the other descriptor still references it: a use-after-free (UAF) reachable through any operation on the surviving file descriptor.
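To make the reference-count accounting concrete, the following is an added userspace model of ptrace_getfd; it is not kernel code and not the exploit from the post. struct model_file stands in for struct file, a "freed" flag stands in for the slab free that happens when f_count reaches zero, and two small arrays stand in for the victim's and the tracer's fd tables. The model_ names and the fixed flag are illustrative choices, not anything from the patch.

```c
/* Added example (not kernel code, not the exploit from the post): a
 * userspace model of the reference counting in ptrace_getfd(). Names
 * prefixed model_ are this example's own. */
#include <stdlib.h>

#define MODEL_FD_MAX 8

struct model_file {
    long f_count;                   /* models struct file::f_count */
    int freed;                      /* set when the last reference is dropped */
};

struct model_files {
    struct model_file *fd[MODEL_FD_MAX];   /* models files_struct's fd array */
};

static void model_get_file(struct model_file *f) { f->f_count++; }

/* Models fput(): dropping the last reference frees the object. */
static void model_fput(struct model_file *f) { if (--f->f_count == 0) f->freed = 1; }

static int model_get_unused_fd(struct model_files *files)
{
    for (int i = 0; i < MODEL_FD_MAX; i++)
        if (!files->fd[i])
            return i;
    return -1;                      /* models -EMFILE */
}

static int model_close(struct model_files *files, int fd)
{
    struct model_file *f = files->fd[fd];
    if (!f)
        return -1;                  /* models -EBADF */
    files->fd[fd] = NULL;
    model_fput(f);
    return 0;
}

/* Models ptrace_getfd(). With fixed == 0 it mirrors the RFC patch: the
 * reference taken by get_file() is handed to the tracer's table by
 * fd_install(), yet fput() drops it afterwards anyway. With fixed != 0
 * the reference is dropped only when no fd slot could be allocated. */
static int model_getfd(struct model_files *victim, unsigned long fd,
                       struct model_files *tracer, int fixed)
{
    struct model_file *f = fd < MODEL_FD_MAX ? victim->fd[fd] : NULL;
    int ret;

    if (!f)
        return -1;                  /* models -EBADF */
    model_get_file(f);              /* f_count 1 -> 2 */
    ret = model_get_unused_fd(tracer);
    if (ret >= 0)
        tracer->fd[ret] = f;        /* fd_install(): that entry now owns a ref */
    if (ret < 0 || !fixed)
        model_fput(f);              /* buggy path: also runs on success, 2 -> 1 */
    return ret;
}

/* Scenario: the victim owns fd 3, the tracer requests a copy, then the
 * victim closes fd 3. Returns 1 if the tracer's entry now points at a
 * freed file (the use-after-free), 0 if it is still live, -1 on failure.
 * If count_out is non-NULL it receives f_count right after GETFD. */
static int model_run(int fixed, long *count_out)
{
    struct model_files victim = {{0}}, tracer = {{0}};
    struct model_file *f = calloc(1, sizeof *f);
    int tfd, dangling;

    if (!f)
        return -1;
    f->f_count = 1;                 /* the victim's original open() reference */
    victim.fd[3] = f;
    tfd = model_getfd(&victim, 3, &tracer, fixed);
    if (tfd < 0) {
        free(f);
        return -1;
    }
    if (count_out)
        *count_out = f->f_count;
    model_close(&victim, 3);        /* victim's close(): fput() on its reference */
    dangling = tracer.fd[tfd] == f && f->freed;
    if (!dangling)
        model_close(&tracer, tfd);  /* drop the tracer's own reference */
    free(f);
    return dangling;
}

/* f_count observed right after a GETFD request (1 buggy, 2 fixed). */
static long model_count_after_getfd(int fixed)
{
    long count = -1;
    model_run(fixed, &count);
    return count;
}
```

With fixed == 0 the model reproduces the situation described above: two table entries, one reference, and a dangling pointer as soon as the victim closes its fd. With fixed == 1 the tracer's entry keeps its own reference and the victim's close only brings f_count from 2 to 1.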

https://soez.github.io/posts/no-cve-for-this.-It-has-never-been-in-the-official-kernel/

https://anonfiles.com/HbS2n007z2/exp_c

About Post Author

Treadstone 71

@Treadstone71LLC Cognitive Warfare Training, Intelligence and Counterintelligence Tradecraft, Influence Operations, Cyber Operations, OSINT, OPSEC, Darknet, Deepweb, Clandestine Cyber HUMINT, customized training and analysis, cyber psyops, strategic intelligence, Open-Source Intelligence collection, analytic writing, structured analytic techniques, Target Adversary Research, strategic intelligence analysis, estimative intelligence, forecasting intelligence, warning intelligence, Disinformation detection, Analysis as a Service

Copyright 2024
