Data-Oriented Programming (DOP) is a well-known exploit technique, especially in academia, but it is rarely used in practice. This is because DOP is only possible when several primitives are available at once. In particular, kernel exploitation (i.e., privilege escalation) with DOP requires three primitives: information leakage (IL), arbitrary address read (AAR), and arbitrary address write (AAW). For example, using an information leakage primitive, the attacker leaks a kernel heap address. Then, using an arbitrary address read primitive, the attacker reads the task_struct and struct cred structures. Lastly, using an arbitrary address write primitive, the attacker overwrites the uid in struct cred with zero.
Due to its complexity, DOP is a hard technique to use, but it has advantages from the attacker's perspective. Return-oriented programming (ROP) is the usual choice, but an ROP payload has to be rewritten whenever the kernel code changes even slightly, which happens frequently because of updates and patches. This is because ROP depends on function addresses, and function addresses change easily. DOP instead uses data addresses, so a change in kernel code does not affect the exploit. In other words, an exploit built on DOP keeps working regardless of kernel code changes (unless the object used in the DOP payload itself changes).
In this presentation, we will introduce one heap buffer overflow vulnerability. Then, using this vulnerability, we will show how we turn a single heap overflow into privilege escalation with DOP.