
Settlers of Netlink: Exploiting a Limited UAF on Ubuntu 22.04 to Achieve LPE

Date: August 25, 2022

Time: 14:00

Track: Main Track

Recently my team discovered a Linux kernel vulnerability affecting the netlink subsystem.

The bug can be exploited by an unprivileged user to escalate to root on systems that allow unprivileged namespace creation, such as Ubuntu. We developed an exploit targeting the latest version of Ubuntu (LTS 22.04).

In the talk I will discuss the details of the bug, but mostly focus on the exploitation methods we used to achieve fairly reliable privilege escalation. The vulnerability is a fairly limited UAF that only allows the write of an uncontrolled pointer into a slab object at an uncontrolled offset. We were able to leverage this to build new, more powerful exploit primitives that allow us to bypass KASLR and execute ROP gadgets in the kernel. We were able to do this by triggering the UAF once to achieve an initial leak primitive and then a second time to trigger a separate UAF. The third UAF allows a more powerful info leak to bypass KASLR and orient ourselves on the heap. Finally, a fourth UAF allows us to call a function pointer that allows us to trigger a ROP gadget.

Speakers

Exploit Development

NCC Group

I’ve been working in the industry and interested in exploit development for over 20 years. I currently work for the Exploit Development Group (EDG) at NCC Group. In the past I also worked for BlackBerry and Symantec (previously SecurityFocus). I’ve published previous research blogs on exploiting Xen, Windows kernel, Cisco devices, Android, etc. Lately I’ve been focusing on exploiting embedded devices and the Linux kernel.
