A new<\/span> technique to exploit a complex\u00a0use-after-free (UAF)\u00a0vulnerability in the Linux kernel successfully bypasses modern security mitigations to gain root privileges.<\/p>\n The method targets CVE-2024-50264<\/a>, a difficult-to-exploit race condition bug in the AF_VSOCK subsystem that was recognized with a Pwnie Award for its complexity. The vulnerability, introduced in Linux v4.8, presents significant challenges for exploitation.<\/p>\n According to Alexander Popov, an unprivileged user can trigger the bug, but it comes with severe limitations, including an unstable race condition, an extremely short time window for memory corruption, and multiple ways for the kernel to crash during the attempt.<\/p>\n The original exploit strategy was highly complex, involving large-scale memory sprays and advanced techniques like SLUBStick and Dirty Pagetable.<\/p>\n Seeking a simpler path, the researcher devised a new approach centered on the Typically, a UAF write on this object would fail because a pointer field, The researcher\u2019s solution involves a clever manipulation of the message queue:<\/strong><\/p>\n This technique effectively creates a reliable exploit primitive from a UAF write, even under difficult conditions, without needing a prior kernel information leak.<\/p>\n To successfully execute the attack, several other hurdles had to be overcome. <\/p>\n The researcher used a cross-cache attack to replace the freed To solve this, a technique was used to slow down the responsible kernel worker by overwhelming it with notifications from This With this information, a second UAF was performed against a This allowed the attacker to directly modify the process credentials and escalate privileges to root, completing the data-only attack. <\/p>\n The entire exploit development process was refined using Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post New Technique Uncovered To Exploit Linux Kernel Use-After-Free Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n Linux Kernel Use-After-Free Vulnerability<\/strong><\/h2>\n
msg_msg<\/code> kernel object. The core of the new method is a technique that allows for the corruption of an msg_msg<\/code> object without causing the kernel to hang.<\/p>\nm_list.prev<\/code>, would be non-zero, causing a system hang when the kernel tries to acquire a spinlock.<\/p>\n\n
msg_msg<\/code> objects. Because the queue is full, the kernel allocates the objects but blocks the msgsnd()<\/code> system call, forcing it to wait for space.<\/li>\nmsg_msg<\/code> object.<\/li>\nmsg_msg<\/code> object to its queue, conveniently fixing the corrupted list pointers in the process and avoiding a crash.<\/li>\n<\/ol>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhGYwkaTWcR00L9l4E7fFhVJTeSb7VoVqOknlq2rmdc3jaHo3rARIeeQ_TVif8udQ2yLmsBbVIn9Ev3vm9HKuWKItpXDDZ379yQd7H3Zcd59vQwOsCw-n9iZ0lFWketh4V6MdPU0arh0USy_JS9VigqwxVfbzeOuh6JukZmRFqDSifab_OWQ8k02ey07J3q\/w640-h348\/uaf_write_msg_msg2.webp?ssl=1\")
<\/figure>\n<\/div>\nBypassing Kernel Defenses<\/strong><\/h2>\n
virtio_vsock_sock<\/code> object with the msg_msg<\/code> object, navigating around kernel hardening features like CONFIG_RANDOM_KMALLOC_CACHES<\/code>. The UAF write also occurred too quickly for this attack to work reliably.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgFGd8kL3Wn4Q2BR7TuuGB-_UsYjmnCE4G6EHuY2IADCMd7J0hEpLU8RHud03aJfhNscqqPVMbbGSfrhmNXjDH16KYPNAGy65kHkEpyBFK_Mhweb5fg70mq14JPYuPs5kSQViLe4Lildh2bXEPpnT_4JCmRZ0hSq-huUMnLIf5cjbMgxdGYhYcmvd-qjEFM\/w640-h348\/uaf_write_msg_msg.webp?ssl=1\")
<\/figure>\n<\/div>\ntimerfd<\/code> and epoll<\/code> instances, widening the race window significantly, Alexander said<\/a>.<\/p>\nmsg_msg<\/code> corruption was used to achieve an out-of-bounds read, leaking kernel memory that included the address of the process\u2019s credentials (struct cred<\/code>). <\/p>\npipe_buffer<\/code> object to gain arbitrary address read and write capabilities. <\/p>\nkernel-hack-drill<\/code>, a custom testing environment for experimenting with kernel exploit primitives in a controlled manner.<\/p>\n