
Exploit Engineering: Attacking the Linux Kernel

OffensiveCon via YouTube

Overview

Explore exploit engineering techniques for attacking the Linux kernel in this OffensiveCon23 conference talk by Alex Plaskett and Cedric Halbronn. Delve into Linux Privilege Escalation (LPE) attack surface mapping, focusing on unprivileged user namespaces, network namespaces, and mount namespaces. Learn about targeted functionality fuzzing, manual crash triaging, and Syzbot testcase triage automation. Examine vulnerability exploitation strategies, including replacement objects, abuse of a set's fields, and object spraying techniques. Build a deeper understanding of the SLUB allocator, including the distinction between the lockless freelist and the regular freelist. Discover practical skills such as priming the kmalloc-96 main slab free list, executing a gdb command for each object, and manually building kernels. The talk also covers the disclosure timeline, the TargetMob architecture, and the mining and testing pipelines used for kernel exploitation research.

Syllabus

Intro
LPE Attack Surface Mapping
Unprivileged User Namespaces
Network Namespace
Mount Namespace
Targeted Functionality Fuzzing
Manual Triaging Crashes
Syzbot Testcase Triage Automation
Interesting Fact About This Non-Reproducible Bug
Vulnerability
Replacement Objects
Exploits Steps
Abusing Set's Fields
Spraying Large Objects
Spraying Small Objects
What Pointer To Free?
Interesting Fact On Key Replacement
Enhanced Understanding of the SLUB Allocator
Lockless Freelist Vs Regular Freelist
Priming kmalloc-96 Main Slab Free List
Execute a gdb command for each object
Tagging chunks
Tracking Full Slabs?
Freed Expression Chunk Replacement by Key
Freed Chunk Reallocation
Manually Building Kernels
Disclosure Timeline
TargetMob Vocabulary
TargetMob Architecture
Mining Pipeline
Mining - Project Extraction
Testing Pipeline
Testing - Profilers (Userland / Kernel)
Testing - Kernel Profiler Output
Conclusion
Code Release

Taught by

OffensiveCon
