Vitaly Nikolenko @vnik5287
Sydney, Australia
Security researcher @ DUASYNT. Kernels, hypervisors. PGP: 77B1 FBAC E0FD 2E94 F8AC 2D91 9566 2314 344F 85E8
779 Tweets
86 Following
3,650 Followers

Tweets
Vitaly Nikolenko
@vnik5287
16 Jan
yeah. not a logic bug. UAF

Vitaly Nikolenko
@vnik5287
16 Jan
I'll make my tech report and poc public soon. It was a fun bug affecting most major distributions. one exploit to rule them all w/ all kernel expl mitigation bypasses - no rop chains / hardcoded crap duasynt.com/blog/ubuntu-ce…

Vitaly Nikolenko retweeted
Blue Frost Security
@bluefrostsec
7 Jan
Full analysis and exploit for Windows kernel ws2ifsl use-after-free (CVE-2019-1215) by our researcher @flxflndy labs.bluefrostsecurity.de/blog/2020/01/0…

Vitaly Nikolenko
@vnik5287
7 Jan
oh it'll now be in style for the next few years while android oems catch up ;)

Vitaly Nikolenko
@vnik5287
7 Jan
ROP/JOP pivoting to user space is now back in style git.kernel.org/pub/scm/linux/…

Vitaly Nikolenko
@vnik5287
3 Jan
We'll be running our Android kernel exploitation training in Canada (2nd week of April 2020). If there're any other Canadian companies interested in this training during that month, please reach out!

Vitaly Nikolenko
@vnik5287
29 Dec
Advanced ghetto cooling system pic.twitter.com/KsviI6eZIt

Vitaly Nikolenko
@vnik5287
29 Oct
yep

Vitaly Nikolenko
@vnik5287
29 Oct
scaling is fine too.. it's basically a single input/single exec path/single kernel subsystem per pi mutated to death with code coverage. not the smartest option but it works

Vitaly Nikolenko
@vnik5287
29 Oct
well it's a slightly better cpu on pi 4s. disk access is still a bottleneck but my reasons for doing it on bare metal are different. I was triggering more bugs in qemu/vmware than in the kernel itself. not concerned about power consumption either

Vitaly Nikolenko
@vnik5287
29 Oct
moar fuzzing moar pi pic.twitter.com/QepCBX2DLx

Vitaly Nikolenko
@vnik5287
27 Oct
KASLR/SMEP/SMAP etc pic.twitter.com/Nf2BO58FMt

Vitaly Nikolenko
@vnik5287
20 Oct
null-ptr-deref trigger in nfnetlink on upstream 4.4 kernels github.com/duasynt/meh/bl…

Vitaly Nikolenko
@vnik5287
6 Oct
ubuntu kernel maintainers work in mysterious ways :)

Vitaly Nikolenko
@vnik5287
6 Oct
hahah looks like it got un-"patched" in recent kernels. your version has the patch applied. try something more recent.. mine was 4.4.0-161 from Aug this year

Vitaly Nikolenko
@vnik5287
6 Oct
it's fixed in all upstream lts releases afaik

Vitaly Nikolenko
@vnik5287
6 Oct
don't know any Ubuntu lts versions that use 4.9? Upstream is fixed, it's just Ubuntu being special

Vitaly Nikolenko
@vnik5287
6 Oct
combine with P0 null-page mmap bypass on older kernels / AMD or no-smep systems and you got yourself an easy ret2usr exploit

Vitaly Nikolenko
@vnik5287
6 Oct
doesn't seem like ubuntu 4.4 LTS kernels want to pull the upstream patch. can still rip <-- 0 with syscall(__NR_clock_gettime, 10, 0) pic.twitter.com/SBceR9K20Y

Vitaly Nikolenko
@vnik5287
16 Sep
We got the 64 bit version working back then. All I can remember it wasn't trivial