{"id":689,"date":"2020-03-21T02:27:30","date_gmt":"2020-03-21T01:27:30","guid":{"rendered":"http:\/\/blog.pi3.com.pl\/?p=689"},"modified":"2020-03-21T02:27:30","modified_gmt":"2020-03-21T01:27:30","slug":"linux-kernel-xfrm-uaf","status":"publish","type":"post","link":"https:\/\/blog.pi3.com.pl\/?p=689","title":{"rendered":"Linux kernel XFRM UAF"},"content":{"rendered":"\n<p>On 28th of February, I&#8217;ve sent a short summary to lkrg-users mailing list (<a href=\"https:\/\/www.openwall.com\/lists\/lkrg-users\/2020\/02\/28\/1\">https:\/\/www.openwall.com\/lists\/lkrg-users\/2020\/02\/28\/1<\/a>) regarding recent Linux kernel XFRM UAF exploit dropped by Vitaly Nikolenko. I believe it is worth reading and I&#8217;ve decided to reference it on my blog as well:<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>Hey,<\/p>\n\n\n\n<p>Vitaly Nikolenko published an exploit for Linux kernel XFRM use-after-free. His  tweet with more details can be found here:<\/p>\n\n\n\n<figure class=\"wp-block-embed-twitter wp-block-embed is-type-rich is-provider-twitter\"><div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\"><blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">centos 8 \/ rhel 8 \/ ubuntu 14.04, 16.04, 18.04 poc is uploaded <a href=\"https:\/\/t.co\/b3IJoxMaHI\">https:\/\/t.co\/b3IJoxMaHI<\/a>. 
The tech report is public too <a href=\"https:\/\/t.co\/UHsMYScN9Y\">https:\/\/t.co\/UHsMYScN9Y<\/a> <a href=\"https:\/\/t.co\/uDpjEm0ycX\">pic.twitter.com\/uDpjEm0ycX<\/a><\/p>&mdash; Vitaly Nikolenko (@vnik5287) <a href=\"https:\/\/twitter.com\/vnik5287\/status\/1233183655649918976?ref_src=twsrc%5Etfw\">February 28, 2020<\/a><\/blockquote><\/div>\n<\/div><\/figure>\n\n\n\n<p>Detailed description of the bug can be found here:<\/p>\n\n\n\n<p><a href=\"https:\/\/duasynt.com\/pub\/vnik\/01-0311-2018.pdf\">https:\/\/duasynt.com\/pub\/vnik\/01-0311-2018.pdf<\/a><\/p>\n\n\n\n<p>I&#8217;ve tested his exploit under the latest version of LKRG (from the repo) and it correctly detects and kills it:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[Fri Feb 28 10:04:24 2020] [p_lkrg] Loading LKRG\u2026\n[Fri Feb 28 10:04:24 2020] Freezing user space processes \u2026 (elapsed 0.008 seconds) done.\n[Fri Feb 28 10:04:24 2020] OOM killer disabled.\n[Fri Feb 28 10:04:24 2020] [p_lkrg] Verifying 21 potential UMH paths for whitelisting\u2026\n[Fri Feb 28 10:04:24 2020] [p_lkrg] 6 UMH paths were whitelisted\u2026\n[Fri Feb 28 10:04:25 2020] [p_lkrg] [kretprobe] register_kretprobe() for  failed! 
[err=-22]\n[Fri Feb 28 10:04:25 2020] [p_lkrg] ERROR: Can't hook ovl_create_or_link function :(\n[Fri Feb 28 10:04:25 2020] [p_lkrg] LKRG initialized successfully!\n[Fri Feb 28 10:04:25 2020] OOM killer enabled.\n[Fri Feb 28 10:04:25 2020] Restarting tasks \u2026 done.\n[Fri Feb 28 10:04:42 2020] [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP]!\n[Fri Feb 28 10:04:42 2020] [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!\n[Fri Feb 28 10:04:42 2020] [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP]!\n[Fri Feb 28 10:04:42 2020] [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!\n[Fri Feb 28 10:04:42 2020] [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP]!\n[Fri Feb 28 10:04:42 2020] [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!\n[Fri Feb 28 10:04:42 2020] [p_lkrg] [JUMP_LABEL] New modification: type[JUMP_LABEL_JMP]!\n[Fri Feb 28 10:04:42 2020] [p_lkrg] [JUMP_LABEL] Updating kernel core .text section hash!\n[Fri Feb 28 10:06:49 2020] [p_lkrg]  process[67342 | lucky0] has different user_namespace!\n[Fri Feb 28 10:06:49 2020] [p_lkrg]  process[67342 | lucky0] has different user_namespace!\n[Fri Feb 28 10:06:49 2020] [p_lkrg]  Trying to kill process[lucky0 | 67342]!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  process[81090 | lucky0] has different user_namespace!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  process[81090 | lucky0] has different user_namespace!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  Trying to kill process[lucky0 | 81090]!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  process[81090 | lucky0] has different user_namespace!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  process[81090 | lucky0] has different user_namespace!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  Trying to kill process[lucky0 | 81090]!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  process[81090 | lucky0] has different user_namespace!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  process[81090 | lucky0] has different user_namespace!\n[Fri Feb 28 10:08:32 2020] 
[p_lkrg]  Trying to kill process[lucky0 | 81090]!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  process[81090 | lucky0] has different user_namespace!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  process[81090 | lucky0] has different user_namespace!\n[Fri Feb 28 10:08:32 2020] [p_lkrg]  Trying to kill process[lucky0 | 81090]!<\/pre>\n\n\n\n<p>Latest LKRG detects user_namespace corruption, which in a way proves that our namespace escape logic works. When I&#8217;ve made the same test, but reverting the LKRG code base to the commit just before namespace corruption detection, LKRG is still detecting it via the standard method:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[Fri Feb 28 10:34:28 2020] [p_lkrg]  process[17599 | lucky0] has different SUID! 1000 vs 0\n[Fri Feb 28 10:34:28 2020] [p_lkrg]  process[17599 | lucky0] has different GID! 1000 vs 0\n[Fri Feb 28 10:34:28 2020] [p_lkrg]  process[17599 | lucky0] has different SUID! 1000 vs 0\n[Fri Feb 28 10:34:28 2020] [p_lkrg]  process[17599 | lucky0] has different GID! 1000 vs 0\n[Fri Feb 28 10:34:28 2020] [p_lkrg]  Trying to kill process[lucky0 | 17599]!\n\u2026\n[Fri Feb 28 10:35:02 2020] [p_lkrg]  process[22293 | lucky0] has different SUID! 1000 vs 0\n[Fri Feb 28 10:35:02 2020] [p_lkrg]  process[22293 | lucky0] has different GID! 1000 vs 0\n[Fri Feb 28 10:35:02 2020] [p_lkrg]  process[22293 | lucky0] has different SUID! 1000 vs 0\n[Fri Feb 28 10:35:02 2020] [p_lkrg]  process[22293 | lucky0] has different GID! 1000 vs 0\n[Fri Feb 28 10:35:02 2020] [p_lkrg]  Trying to kill process[lucky0 | 22293]!<\/pre>\n\n\n\n<p>This is an interesting case. Vitaly published just a compiled binary of his exploit (not the source code). This means that adapting his exploit to play a cat-and-mouse game with LKRG is not an easy task. 
It is possible to reverse-engineer it and modify the exploit binary, however it&#8217;s more work.<\/p>\n\n\n\n<p> Thanks,<\/p>\n\n\n\n<p>Adam<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On 28th of February, I&#8217;ve sent a short summary to lkrg-users mailing list (https:\/\/www.openwall.com\/lists\/lkrg-users\/2020\/02\/28\/1) regarding recent Linux kernel XFRM UAF exploit dropped by Vitaly Nikolenko. I believe it is worth reading and I&#8217;ve decided to reference it on my blog as well:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5,6,7],"tags":[],"class_list":["post-689","post","type-post","status-publish","format-standard","hentry","category-exploiting","category-ideas","category-lkrg"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=689"}],"version-history":[{"count":7,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/689\/revisions"}],"predecessor-version":[{"id":696,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/689\/revisions\/696"}],"wp:attachment":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&po
st=689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}