new linux exploit is absolutely insane
Vložit
- čas přidán 27. 04. 2024
- The new privilege escalation against the Linux is absolutely wild. In this video we talk about what a privesc is, how they typically work, and why the techniques used in this one are so wild
Writeup: pwning.tech/nftables/
PoC: github.com/Notselwyn/CVE-2024...
Author: / notselwyn
🏫 COURSES 🏫 Learn to code in C at lowlevel.academy
📰 NEWSLETTER 📰 Sign up for our newsletter at mailchi.mp/lowlevel/the-low-down
🛒 GREAT BOOKS FOR THE LOWEST LEVEL🛒
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
🔥🔥🔥 SOCIALS 🔥🔥🔥
Low Level Merch!: lowlevel.store/
Follow me on Twitter: / lowleveltweets
Follow me on Twitch: / lowlevellearning
Join me on Discord!: / discord - Věda a technologie
Thanks for watching guys! ( come learn C at lowlevel.academy 🥺)
hi
Ha! I always knew Linux was unsafe!
That's why I'm still using Windows 98 and I only connect to the internet with my 56k modem...
@@Alfred-Neuman LUV that toilet-flushing sound.
I DO hope you are being Facetious and Sarcastic.
No, @@drpoundsign, Windows 98 is the newest version of Windows, safe and secure
OK but I need to debloat my android phones can I use this to root and debloat ?
Back in the good old days if you forgot your root password you could get back in just by running /usr/bin/ping (which was always setuid root) with a long option. Now you have to do all this extra compiling. Linux is just not as user friendly as it used to be.
Can one run a live version of your os from a stick and change it that way? I think its intended that way too?
@@icicleditor you missed the joke)
ofc he can
Apologies, haha, im learning linux stuff as of early this year so ive got rudimentary knowledge without any of the in-jokes, haha
If its not too encrypted.@@icicleditor
@@icicleditor yeah as long as the drive isn't encrypted anyone can just boot up live cd and overwrite the root password
It was discovered in January, 2024. And has been patched already. All the rolling distributions would have the patch already installed. Ubuntu has already issued the patch back in Jan.
Thanks!
Thanks! That definitely should have been part of the video
I got really worried because i run linux; thanks
Thanks for informing us!
@@sunilpaul6891 A professional researched bug like this is always patched before it becomes public like this, assume its fixed unless it's mentioned it's not
The most shocking part of this video was that 2016 was 8 years ago.
I missed the 2016 mentioned , where is it in the video ?
@@edwardmacnab354 2:02
@@edwardmacnab354 2:02
sad reacts only
@@edwardmacnab354 2:02, you didn't miss much!
What I like about Linux is that when a vulnerability like this is found, the community comes together and fixes it asap.
In contrast to Microsoft, who hides security bug reports while working feverishly to replace the functionality of the discovered back door by writing a patch which closes the discovered back door with a new back door. Only then does Microsoft admit that the security issue even exists.
the sun never sets on the global open source community
yes! unlike Windows or other communities where they don't fix vulnerabilities asap. (???)
linux community has no way to hide vulnerability fix, since fix goes open source. unlike with close source you can make a fix, and hackers will not know what was fixed and they can't exploit vulnerability on unpatched systems.
i am not defending close source, I am just saying there is pros and cons everywhere
So how long was the vulnerability sold and exploited before it leaked? *That's the real question.*
If you're wondering which kernel versions are vulnerable, here's what I found: The exploit affects kernel versions from (including) v5.14 to (including) v6.6, excluding patched branches v5.15.149>, v6.1.76>, v6.6.15>.
i’m on 6.8.0 so that means i’m safe? right?
@@BlaineworldYeah, you're fine. It's patched since 6.7.
I'm surprised he didn't include this in the video
o7!
should i be worried? how bad is this? what if im on 5.15
me, a plucky wizards apprentice resetting user passwords and setting up accounts, watching a CZcams video about dark sorcerers unraveling death itself and warping space and time
I love this analogy XD
Simply about money and or destruction of property by people who have no morals, and could care less about who it affects or lives that can be lost
@@Dirtyharry70585 there's so many more reasons to want to make exploits than just death and destruction. What about the pure beauty in the exploit itself?
my name is my passport, then only i can be i as good as i... especialy in tron trades of wireless energetic multi androidic communication, were the cyberwar algorithm makes attack due ineffecientcy by having a password different then own name.... entering string linguistic and design of solid state reality... and so on and so forth.... = no pwd, then it is my own PersonalComputer communication fassett!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I just read this entire write up yesterday, and I was blown away with the thoroughness and complexity of the research. And, it was only found because the author found a bug while trying to do some work. Most people just find another way, this guy found a wild exploit. Very impressive. Cheers to notselwyn
We’re making it out of the userspace with this one boys
Hi, this was a slightly unleveled video: It was basic in the beginning with you explaining what the kernel does and about syscalls, and then you explained the whole exploit in less time than that, which was too advanced. I know what the kernel is and that by interfacing with the kernel you are asking the kernel to do stuff. I also understand double-freeing and use after free, but socket buffer freelist/all those page descriptors/modprobe was explained in less than 2 minutes
If you spent maybe 2 mins explaining the kernel and syscall basics part and 4-5 mins on the actual exploit, it would have more sense
Thanks!
Nah, this deserves an hour at least.
i agree, i got very lost when he was explaining the actual exploit haha
Maybe he did it by intention, it's quite new after all. However he linked the full article in the description (77 min read) that goes into full detail
its mostly just data structure manipulation
Yeah, I got that same feeling. I will ask chatgpt now about that stuff
Time to finally root the Oculus Quest 2
it has already been done anyways
@@hyperkiko Why not do it again?
@@incogninto1124sure
@@incogninto1124 i will actually try it on my quest 3, i checked the kernel for the quest 3 and it isnt patched on it
looking for a poc right now
It was fixed almost immediately. That is a strong advantage of Open Source in contrast to big corp coverups
If it was Windows, it would have been fixed before it was disclosed.
@@GoogleDoesEvil it would be fixed after it was disclosed after several years
@@kooostia16 it would then take 30 years for corporations to implement the fix
A disadvantage is that a whole bunch of companies "just ship" open source solutions based off of Linux and barely provide any security updates, which are critically important. This is one of the reasons I don't like IoT, because it's extremely susceptible to issues like this.
@@GoogleDoesEvil it would have been fixed ? by windows ? , tell me you don't know the history of windows by not telling me --lol
Running in kernel is worse than running as root.
If by that you mean “you sure as hell better know what you are doing”, then yeap…
from my understanding they're not really running or changing that much code inside the kernel, that might be pretty complicated, but they're letting the kernel execute their binary as root by changing a path, that's still not running inside the kernel
Everything should run in kernel
This comment was posted by TempleOS Gang
@@dahahaka well, depends. Running inside the kernel could cause a kernel panic and crash the whole system, running as root just causes a segfault
@@rusi6219 niche and I love it
Really enjoyed this kind of video from you! Admittedly, some of the exploit explanation went over my head and I'll need to do some further research on my end. You might have yourself a little niche here of in-depth explanations of vulnerabilities in an ELI5 manner if you want it. I'd love to see more videos like this with other well-known or new vulnerabilities.
I'm learning that the safest way to store your secure data is on a piece of paper
Yep, no better method than writing your password on a sticky note and "hiding" it under your keyboard... lol
Only second to your brain, but sometimes the files can get corrupted up there or with package loss before reaching your fingers.
And all it takes, is a pencil to make a copy of everything you wrote.
@@Sypaka assuming the location of the written information is known. Sure it isn't going to stop your kids from finding it, or Boeing, but it works against the hackers online
@@Sypakaor a photo but you keep forgetting the whole part of physically being there
Welp, time to upgrade my kernel.
you think? Might be why distros push out updates..
Tell me about it. I'm still on Fedora 37 with kernel 5.15 LTS, which I haven't updated in about 6 months because the updates stopped lmao. I might have to jump to the newest Fedora 40 beta.Luckily 99% of my apps are flatpaked, installed with the --user flag, and I have dconf commands to apply all my GNOME settings. So I would barely have to re-setup anything and will have all my apps and userdata once I upgrade.
What's the big deal? As I understand, malicious code running in userland could take advantage of the exploit to run arbitrary code as root? But why would you run malicious code on your computer??? My personal policy is that I don't run anything that I'm not getting from a trusted source. You have javascript on web pages but that runs in its own sandbox in the browser (on Windows as well), and if you have AdBlock installed then that blocks a lot of crud right there. The Internet is more centralized nowadays so most people spend their time on a few websites run by giant corporations. Presumably your personal network is protected with a wifi password and firewall. I mean, if you're a network admin and people can come in and run any kind of code on your network's computers, then maybe that's where it would be warranted to be a bit concerned about such a privilege escalation vulnerability.
In olden days everything ran as root in Windows 3.1 (or the Windows analogue of "root"), but you would not become infected if you did not click on malicious .exe files (also best to avoid Internet Explorer and ActiveX).
I think that if there is malicious code, which might be inclined to _attempt_ a privlege escalation exploit, running on your machine, then you're already in a bad place. In my opinion, it's not good to have malicious code running, even if it is not escalated up to root...
Bugs never went away, but recently, it feels like bugs just did 20 years in prison, and they've been released on parole.
Great that you used one of the Tuxlets in your video, that I made with my son years ago. 👍
I am looking at the proprietary Linux devices at home and at work and just... curiously tapping my chin.
This ought to be interesting (:
The poor guy that was tasked to educate me about Linux wasn't allowed to use an updated Linux for education... he had to stick to one (old) version of RedHat, because that's what the book used...
It took me 1 Google, 3 potential exploits and 15 minutes to become root of that educational Linux server. (Okay, I was familiar with Linux before they tried to educate me).
I just made an extra root account, which was allowed to login via ssh. Could have locked out everyone else... but I was just making a point about using outdated software for education.
Netfilter is quite a problem if it can elevate privileges. But at the same time kinda predictable... I'm happy that it's been found, so next iteration will be safer. Worst is how easy it can be used.
Excellent whitehat hacking.
Relatively new here - background is in mechanical engineering but I would really like to learn embedded software development ( for myself and for my job). Really enjoy these types of videos. I will say I always write some of the acronyms from these videos down on stickies to look up later, given my lack of knowledge of the inner workings of computers. TIL what a TLB is. Anyways, looking forward to any and all videos 👍🏼
translate look-aside buffer. i learned it in early ee/cs course on cpu's
Analogy, you know how you can have a reference book which has a chapter list at the front, then every chapter has a section list at the start. That's how these work. Another common trick is to say:
* Chapter 1 - Pages 100-199
* Chapter 2 - Pages 200-299
etc...
Sure there may be some blank pages, but the hardware can be designed to be really really fast.
I love how you keep it short all the time, I don't want to watch through 40 minutes of detailed explanation. This is the perfect overview - thank you very much
Really hope one day I could comprehend all this shenanigans lol .. great vid!
the amount of grinding through kernel code and memory dumps that must have been put to develop this exploit is beyond my comprehension... now if i add to this that merely obtaining a kernel memory dump is way more complicated than in case of a user space results in me getting a headache just thinking about it ;-]
Yeah all Linux distributions probably has this patched, but think about all the routers and phones and devices like smart TVs and everything that are connected to the internet and are probably still outdated, like your router if you have an ISP that doesn't allow you to switch it. A lot of these run on Linux and are likely using an outdated version of the kernel.
And to think, one can now hack it to put there own updated software that the manufacture locks you out of so you can't update.
@@techwolflupindoTheir?
This works a bit like a digital Rube Goldberg machine.
Hmmm, what I hear is: NEW android rooting method (possibly)
if someone implements this functionality into a su/sudo, someone else might be able to port it on android and we'll have a new way of rooting some of the older phones that either didn't have a way to be rooted or didn't have a big enough user base for someone to find a way to root them. ofc this is only possible if the same exploit is available in the android kernel.
This channel is so awesome and educational. Look forward to spending more time with it.
Right after i installed debian...
XD good luck for next 10 years...
@@vaisakhkm783 eh, if I'm not trying yo completely kill the joke it's more like 3 months. Debian does apply security patches pretty effectively.
To kill the joke completely, in reality, the bug is probably patched in latest and LTS kernels by now, it's just up to the distributions at this point, and Debian uses a patched version of the LTS kernel
rm -rf
install gentoo
So? Just update the kernel like you would on any other distro
@@Excalibur13 rm -rf --no-preserve-root
you should definitely do more detailed exploit writeup videos! :)
He acknowledges himself that this is sth beyond his knowledge so better not try it...
Thanks for sharing your enthusiasm on this exploit. Next time, please try digging into it.
I dont understand almost any of these but still catches my genuine interest, congrats bro!!
Thank you for the quality content don't hesitate to go super go level and in depth I love it
Please do not cut away your breath stops / pauses. This is not TikTok. For listeners which are either not native English speakers or have profound Linux kernel knowledge or have other "deficiencies" with processing difficult technical information in pressure fueling style it is important to have short stops where the brain can process what it's been hearing. If you cut away these stops, some listeners will leave your video prematurely and unsatisfied. Thank you.
I'm an elderly British native English speaker with some Linux knowledge but he speaks too quickly with too few pauses. It overwhelms my mind while trying keep up. Still great technical content though.
You can set the video to run at a slower speed by clicking/tapping the gear icon.
That's your preference. Others have a different one. I have to speed up most videos in order to be able to follow them. It's not an option; I have ADHD and can't follow videos that are too slow.
You can slow down some videos sometimes.
What you call "too fast", I call "good editing".
@@malmac I'm listening at 1.5x and it's still still a bit slow.
Are you autistic?
Can you talk about the backdoor in liblzma/xz that lets you avoid SSH?
He just did! The man is really quick
Thank you for having a correct title, seen some people saying stuff like "linux got wrecked". I appreciate your title game more for being truthful.
Congrats on doing an excellent job explaining it. Thanks!
okay the GH says this blows right through defaults on debian-core systems... does this work on more serious SELinux like RHEL or Gentoo?
You should do a video on the most impactful or crazy bugs of all time, or perhaps per decade/computing era
Nice one
dude i'm high on shrooms rn this is insane.
Highly based
;p
asa e frate
So, this information only makes my situation way more puzzling to me. My respect for you guys is beyond comprehensive. I just wish I could cling onto the information and actually put it into play to fix my situation.
Hey @LowLevelLearning, how do you decide what to learn?
as someone who spent his teenage years in the 80’s aligning floppy disks who also had an engineering background - I always found that disks would run far more concentrically if you lowered the disk clamp slowly to give the cone a chance to clamp the disk correctly
How was this bug discovered?
manual source code audit. absolutely insane
@@LowLevelLearningwoah crazyyy
@@LowLevelLearning That's pretty hardcore lol
That's amazing that someone would just...read the source code like that.
@@LowLevelLearning That is nuts
I love how the author made such a cool graphic instead of just writing about it. It's clearly a lot of steps.
I had this question over "immutable" os utilizing overlayfs, and escaping containers and chroot in this low level way.
I wonder if segregating the kernel dynamic memory meta data from the allocate-able memory would make this harder? Use the freed block to hold their own meta data is nice, but is it an unnecessary risk?
Should have pointed out that so long as people were doing their updates, this was patched back in January. FUD, for clickbait!
Exploit explanation starts at 3:47
this video finished too soon!! Very simple explanation, this dude might be a great teacher.
This video was fascinating to listen to as a Linux fan but if I am honest, I have no idea what he is talking about. This is on another level way over my head.
“Dirty Cow” sounds like it would be a drink in Wisconsin lmao
Subscribed 😊🎉 great content
Sweet 'sploit, scary 'sploit. It must have been there for a long time and I wonder what other well resourced adversaries were sitting on it in a zeroday portfolio. Appears to require a local user, but also seems to be the kind of thing that might be projected through a web service bug into a RCE.
I'm loving your Cybersecurity stuff. That's the future
Appreciate the lecture!
"In 2016, about 8 years ago", god damn man, you're making me feel old
That visual aid chart is very Charlie from It's Always Sunny-esque.
Superb exploitation !
The author of that one must really really have a hands-on grip of Kernel code.
Kinda narrows it down some.
I'm proud I was able to understand half of this after my OS college classes
I get freelist is probably the prime example where to use linked lists over other alternatives, but for sake of argument assume freelist would have been a plain array (or vector). Would that have prevented the abuse from double free? (Yes I know fixing the double-free is the first priority)
I usually kinda understand a lot of general exploit stuff but this is just insane
I wish there was a linux/bsd channel ran by someone who actually knew anything.
0:23 i think the "author of this bug" was probably not using novel techniques, i think they just made a mistake writing some kernel code
He means the one who discovered the bug
windows/macos also have all kinds of bugs but no one knows because the source is not available
and so is harder to write attacks ?
Mac has less exploits than Linux and Windows combined. I'm a dualbooter for Win11Pro and Linux Mint and can confirm.
Sounds like you're projecting more than anything. "Bu-but, Windows and Mac also do-" That's cool, but is there a bug to exploit who asked?
@@BlueEyedVibeChecker I mean they're not wrong but the point is that Linux is backed by so many companies like Google, Microsoft, Oracle, Intel, AMD, etc so bugs are fixed extremely fast. The mac kernel is also open source. Windows lags behind
@@BlueEyedVibeChecker Mac has more exploits than Linux. It's based off of BSD. Back in 2007 they proved the point by porting all the old Linux exploits over to BSD. Now it's not even maintained as well as it was back then. BSD also isn't a mandatory access control kernel. So it's at least 20 years out of date. Don't be fooled, you're not as secure.
@@BlueEyedVibeCheckerthe fact the nobody tries to find exploits there doesnt mean they dont exist.
explaiend really well! thank you
Hmm, self learning cyber security here, so this attack would not work on environments where Structured Exception Handling Overwrite Protection is enabled, because the kernel entry does not match the one as recorded? Or is it not available on Linux? Thanks
How is double free a thing? Is it for multiple locks on the same file? Lock decrements instead of setting to 0? Are there double lock errors then when files are permanently closed?
Kinda, but it’s not files, it’s memory:
foo = kmalloc(whatever);
(lots of other stuff)
kfree(foo);
(more stuff)
kfree(foo);
The allocator uses the freed memory to store pointers to other free memory so that it knows what’s free (and not to waste additional memory to store this). You can imagine it as free pieces of memory pointing to other free pieces of memory in a long chain. If you free the same piece the second time, it will be in this chain twice. Now if you allocate a new piece, you could get this twice-freed piece back so you can write data to it - but it’s still in the list (since it was added twice) so whatever you write there, the allocator thinks is part of the free chain - so you can redirect the allocator and force it to write to memory it’s not supposed to.
I'm sick and this vid is already making me happy :)
feel better
Privilege escalation as a class does not depend on exploiting anything in the Linux kernel. It just means gaining permission to do some normally-restricted thing without proper authentication. This _can_ involve a Kernel exploit, but often means targeting set-uid binaries like ping or sudo. Alternatively you can target a service running with the desired permissions.
For example, suppose you have a guest user with ssh-only access to a desktop with a running X11 server. This user does not have permission on /dev/input, nor permission to talk to the X server. Further, suppose this is a legacy system with X11 installed setuid. If the user finds a vulnerability in X11 that makes it change permission on an existing X11 socket to 777 before it drops root, the user can use that vulnerability to give himself permission to talk to the primary user's already running X11 server. Then, through the running X11 server, the guest user can listen to the keyboard and mouse or snoop on existing windows. As this is not an intended permission, gained through an exploit, this is a privilege escalation attack.
In practice, relatively few privilege escalation attacks use defects in the kernel. Local-user privilege escalation usually involves finding a misconfigured or defective setuid program. There are also remote-user privilege escalations, usually gaining admin rights on a website or similar service. In this case the attacker doesn't even get permission over a new process, just escalated privileges within a specific application.
setuid is not used on linux systems from 2008, where `capabilities` replaced most of its uses, and then we have SELinux on top for a long long long time.
Been years without setuid files on any modern system. Non syscall derived escalations are ultra rare (Never heard of any for a long time)
@@framegrace1 There's been several privilege escalations caused by bugs in things like sudo and policykit, some of which have been pretty recent (e.g. due to some of the code in policykit being written in a "clever" (read: hacky) way and not handling argv[0] being NULL correctly, CVE-2021-4034)
@@framegrace1 Really? Because `/bin/su` and 12 other binaries in /bin, /sbin/, and /usr/bin are all setuid on my stock ubuntu VM. Sure, granular capabilities have helped, and programs like firejail take advantage of that to even further restrict capabilities of even normal users (which makes escaping firejails a relatively new area of escalation attacks).
More than granular capabilities, dbus (and things built on top of dbus like the typical wayland implementations) use posix file handle passing to grant granular access to system resources across users. For example, X11 no longer is setuid because it gets access to /dev/input and the video card resources by asking for them over dbus. The Login1 provider (usually a combination of PAM + (e)logind, running as root) then opens these files and passes handles to them to X11 for session creation. Like with the possible firejail escape above, this means system services like Login1 listening over dbus are now viable attack surfaces for privilege escalation attacks.
🤓
@@framegrace1 _"Been years without setuid files on any modern system."_ - The system I'm on now has like 20 setuid binaries. I'm pretty sure binaries like su, sudo, passwd, mount, chsh are still setuid on most if not all systems.
Soooo, what is vulnerable to this? Is this something that can happen if you have a socket based connection? Do you need access before escalating? Itd be nice to know how to protect myself and not just how they do it.
This windows users priorities are not to inform linux users like yourself. It is a local privesc so unless someone accesses your system you're fine. If you install buggy software from GNOME and their diverse programmers you open up more privesc possibilities.
Only spent 5 mins looking but it’s local and you need to have unpriv’d network namespaces allowed. I suspect that’s not the default in most distros. Plus a vuln kernel of course.
But “local” is somewhat misleading and not all the story. It *could* mean you are vulnerable if you have untrusted local users with shells, but it also means it’s a point of leverage; if someone can get an unpriv’d process, say a PHP script, to run arbitrary code they can use this to turn that unpriv’d access into root.
It has been patched for months so unless you’ve manually disabled security updates you are not vulnerable
@@Pharoah2 Yeap the clickbaity-ish nature of the title had me concerned, but it's pretty minor in the grand scheme of things. The "absolutely insane" bit is, I guess, the way it was found and the details of the exploit, not its scope.
@@lawrencemanning not your fault. I have no idea why he didn’t mention it in the video.
This is awesome. Thank you for explaining it.
many of these techniques are used for windows kernel exploitation quite often
Yeah except they don't tell you about it and keep them open on purpose for the NSA, CIA etc. I'm also fairly confident that Bitlocker has a bunch of backdoors as well.
@@ent2220 yeah why use that garbage when veracrypt is available
@@ent2220 Some guy made a video on CZcams how he cracks bitlocker in 50 seconds. Bitlocker is an absolute garbage.
with grsecurity kernel hardening you should be fine but ill have to test anyway
I didn't understand a thing after the graph went up, but I hope kernel patches it soon!
Did kernel devs found about this exploit "from the news", or maybe they were given a head start into fixing it?
Instant subscribe. Keep it up
Does this work on all Unix systems? I’d like to know if this can be done on a Mac in any way.
I run the CVE testing code from the github account on a very recent (and patched) kernel and it froze and crashed the system. Very interesting
Yes, I definitely learned something here. That I am stupid as a rock! ))) Even though I've been doing system programming for 30 years now.
This is one of those channels I go to watch to feel smart. Knowing a little bit about computers, I understood everything and nothing 🤣
Programming vulkan graphics lets me at least not get confused when i hear about buffers and descriptors😅
the moment it is found the repo would have been nuked with pull requests. that's the power of open source
That's exactly the reason why I'm still rocking on the granddaddy 1.1.0 Linux kernel from '97. These Gen-alpha skibidi toilet vulns be like, "Ew, we only swipe right on the TikTok kernels." They don't even peep this golden oldie. USB drivers, more like USB driers, Bluetooth? more like Blue-toothless. My network's as untouched as a sealed vintage comic book, NSA/FBI/Mossad can't even. Just me, my unshakeable, mouse-less xorg, my dial-up connection, and my CASIO watch. Hackers peep that setup and they're like, "Nah, we ain't touching that with a ten-foot pole." ROFLCOPTER
DoubleFree to SideChannel attack.... "Hold my beer!" lol
wtf did i just read
"These Gen-alpha skibidi toilet vulns be like, "Ew, we only swipe right on the TikTok kernels." bruh, what do you smoke? xD
new copypasta just dropped
@@user_of_the_name holy hell!
Sounds a little similar to Asahi Lina's MacOS exploit, that also messed with page tables. At least that second half of the exploit
modprobe? You should sign the module if you are using secure boot, right? Does the exploit work with secure boot?
kinda tired to look for my self r8 now :)
I dont even use modules. Run a custom kernel with whatever i need enabled or disabled.
So, who was affected by this? Any system? Or just very specific network configuration?
Looks like any unpatched Linux system newer than 3.15 (!!) with USERNS enabled. So... the vast majority of them. A mitigation is to set the sysctl kernel.unprivileged_userns_clone=0
netfilter is a good attack surface even in wiki leaks you will find some old exploits on linux that uses the netfilter
Why would a double free imply a use after free in this case? Are you saying that the memory was freed, and then the attacker somehow induced an allocation at that moment? Knowing that the 2nd free would soon occur?
I thought the entire reason we pass syscall argument by registers and not the kernel stack is that those kind of things don't happen.
LLC has a knack for explaining complicated low level processes in a way noobs can understand, without boring the people that do actually know a bit more. Rare skill.
When do you anticipate this to be fixed and various distro's available?
Newer Kernels (6.7+) have this already patched.
Privilege escalations do not necessarily exploit kernel code, they could exploit weak applications which have higher privilege themselves
Woah the levels this went through.
Sometimes I think some of these guys probably put this forward as advertisement for selling exploits or getting hired to develop them lmao.
Let's all take a moment and appreciate that guy's diagram-making skills.
So could the same thing be done on Mac OS since it is based on UNIX like LINUX is?
I wanna see the faulty code path that can cause the double free and what the mitigation is.
So how do you double free the kernel without being root? Or another privelaged user?
Now the question is, how long will this bug last?
I has been fixed several months ago on 6.7
Already gone, for the most part. Discovered in January and already patched in the kernel before the end of January. Downstream distros caught up with this update quickly, too. Ubuntu released the relevant kernel update on their package manager before the end of January, most other distros got it done by the end of February. At this point, the bug only lives in the computers of users that refuse to install security updates.
@@martenkahr3365 Can't forget companies that ship products based off of Linux and don't provide security fixes for them (commonly seen in IoT)
@@martenkahr3365 such as every home router or IoT lightbulb out there?
usually i can follow along, but this is very complicated, it makes me wonder if things in the world of exploitation are about to get much more in depth and crazy
Sentient AI will have a field day with all the imperfections sprinkled around in our various operating systems and software...
fuck, i have to update everything again.