February 27th, 2012
When I first saw the release notes for the new Android Ice Cream Sandwich (ICS) platform, I was excited to see that Google mentioned that “Android 4.0 now provides address space layout randomization”:
Read the rest of this entry »
November 27th, 2011
My challenge for this year’s NYU Poly CSAW CTF finals was a Linux kernel exploitation challenge disguised as a crypto challenge. The challenge and solution are described below.
Read the rest of this entry »
September 8th, 2011
I’m releasing a couple tools I use internally for Linux kernel exploit development: ksymhunter and kstructhunter. They’re probably only useful for like ten people on the planet, but oh well, enjoy!
Read the rest of this entry »
July 6th, 2011
Last month at SummerCon, Dan Rosenberg and I talked about our stackjacking technique for exploiting kernel vulnerabilities on grsecurity/PaX-hardened Linux kernels, in a presentation titled “Stackjacking and Other Kernel Nonsense.”
Read the rest of this entry »
April 20th, 2011
This April at Hackito Ergo Sum in Paris and Immunity’s Infiltrate in Miami, Dan Rosenberg and I presented on a technique to exploit grsecurity/PaX-hardened Linux kernels. Read on for a brief overview of our presentation and a link to the full slides and PoC code.
Read the rest of this entry »
November 29th, 2010
In this post, I’ll introduce an exploitation technique for kernel stack overflows in the Linux kernel. Keep in mind this does not refer to buffer overflows on the kernel stack (whose exploitability is well understood), but rather to the improper expansion of the kernel stack so that it overlaps critical structures, which may then be corrupted. This is a vulnerability class in the Linux kernel that I do not believe has been exploited publicly before, but it is relevant due to a recent vulnerability in the Econet packet family.
Read the rest of this entry »
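To make the distinction in the teaser above concrete (a frame that is too large for the stack, rather than an overflow within a frame), here is an added user-space model that is not code from the post and not the Econet bug. It assumes a layout the Linux kernel used at the time: a fixed-size kernel stack with `thread_info` at its lowest address and frames growing downward toward it. The region size, the `thread_info` field names (`flags`, `addr_limit`, `restart_fn`), the initial `addr_limit` value and the `0x41` fill are illustrative assumptions. `push_frame_unchecked` expands the stack with no bound against `thread_info`, so an oversized frame silently overwrites it, while `push_frame_checked` enforces the bound every frame must satisfy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model (not kernel code) of a fixed-size kernel
 * stack with thread_info at its lowest address and frames growing downward
 * toward it. Sizes, field names and fill bytes are illustrative assumptions. */
#define KSTACK_SIZE 8192u

struct thread_info {
    uint32_t flags;
    uint64_t addr_limit;            /* stands in for the user/kernel address boundary */
    void   (*restart_fn)(void);     /* stands in for a function pointer kept in thread_info */
};

struct kstack {
    uint8_t mem[KSTACK_SIZE];       /* mem[0 .. sizeof(struct thread_info)) is thread_info */
    size_t  sp;                     /* current stack pointer as an offset into mem */
};

static struct thread_info *kstack_ti(struct kstack *ks)
{
    return (struct thread_info *)ks->mem;
}

static void kstack_init(struct kstack *ks)
{
    memset(ks->mem, 0, sizeof ks->mem);
    ks->sp = KSTACK_SIZE;                                /* empty stack: sp at the top */
    kstack_ti(ks)->flags = 1;
    kstack_ti(ks)->addr_limit = 0x00007ffffffff000ULL;   /* assumed user-space limit */
    kstack_ti(ks)->restart_fn = NULL;
}

/* Vulnerable expansion: grows the stack by `len` bytes of caller-controlled
 * data. It only refuses to leave the region entirely (which in a real kernel
 * would fault or hit a guard page); it never checks that the new frame stays
 * above thread_info, so a large enough frame overwrites it.
 * Returns the new sp, or SIZE_MAX if the frame cannot fit in the region at all. */
static size_t push_frame_unchecked(struct kstack *ks, const uint8_t *data, size_t len)
{
    if (len > ks->sp)
        return SIZE_MAX;
    ks->sp -= len;
    memcpy(ks->mem + ks->sp, data, len);
    return ks->sp;
}

/* Hardened expansion: the same operation with the bound every frame must
 * satisfy, i.e. the new stack pointer must stay at or above the end of thread_info. */
static size_t push_frame_checked(struct kstack *ks, const uint8_t *data, size_t len)
{
    if (len > ks->sp || ks->sp - len < sizeof(struct thread_info))
        return SIZE_MAX;
    ks->sp -= len;
    memcpy(ks->mem + ks->sp, data, len);
    return ks->sp;
}

/* Pushes one frame of `len` 0x41 bytes onto a fresh stack via the chosen path
 * and returns the addr_limit thread_info ends up with (0x4141... if corrupted). */
static uint64_t addr_limit_after_push(size_t len, bool checked)
{
    static struct kstack ks;                 /* static: keep the 8 KiB model off our own stack */
    static uint8_t payload[KSTACK_SIZE];
    if (len > sizeof payload)
        len = sizeof payload;
    kstack_init(&ks);
    memset(payload, 0x41, sizeof payload);
    if (checked)
        push_frame_checked(&ks, payload, len);
    else
        push_frame_unchecked(&ks, payload, len);
    return kstack_ti(&ks)->addr_limit;
}

/* Returns the sp the checked path leaves after a frame of `len` bytes,
 * or SIZE_MAX if the frame was refused. */
static size_t checked_push_result(size_t len)
{
    static struct kstack ks;
    static uint8_t payload[KSTACK_SIZE];
    if (len > sizeof payload)
        len = sizeof payload;
    kstack_init(&ks);
    memset(payload, 0x41, sizeof payload);
    return push_frame_checked(&ks, payload, len);
}

int main(void)
{
    printf("unchecked, 4096-byte frame:  addr_limit = 0x%016llx\n",
           (unsigned long long)addr_limit_after_push(4096, false));
    printf("unchecked, %u-byte frame:  addr_limit = 0x%016llx\n",
           KSTACK_SIZE, (unsigned long long)addr_limit_after_push(KSTACK_SIZE, false));
    printf("checked,   %u-byte frame:  addr_limit = 0x%016llx (frame refused)\n",
           KSTACK_SIZE, (unsigned long long)addr_limit_after_push(KSTACK_SIZE, true));
    return 0;
}
```

The point of the model is the second case: nothing in the unchecked path ever writes past a buffer, yet `thread_info` is overwritten because the frame itself is too large for the stack. In a real kernel this corrupts whatever `thread_info` actually holds at that offset, which is why the class is exploitable even though no classic overflow occurs.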
November 2nd, 2010
The finals for NYU Poly’s CSAW CTF were this past weekend in New York City. I thought I would post the kernel exploitation challenge I developed for the final round. Feel free to try your hand at solving it!
Read the rest of this entry »
October 23rd, 2010
A vulnerability in the pktcdvd driver in the Linux kernel allows for the disclosure of 4 bytes of kernel memory. In this post, I’ll describe the tad bit of magic that’s necessary to exploit the vulnerability on both 32-bit and 64-bit hosts to disclose an arbitrary amount of kernel memory.
Read the rest of this entry »