0ctf 2017 kernel pwn knote write up
UAF caused by calling hlist_add_behind() without a check. There is a lock pair (mutex_lock) around delete_note(), but none around edit_note_time(), and insert_note() does not test the flag before calling hlist_add_behind():
```c
for (;;) {
    /* add before a node with a larger epoch */
    iter = hlist_entry(node, struct note_t, next);
    if (iter->epoch > epoch) {
        hlist_add_before(&(note->next), node);
        flag = true;
        break;
    }
    if (node->next == NULL)
        break;
    node = node->next;
}
/* add behind the last node */
// if (!flag)   <-- patch: without this guard the note is linked twice
//                  and the hlist is corrupted
hlist_add_behind(&(note->next), node);
```
Exploitation:
1. UAF
First, free an object (e.g. a tty_struct) through the vulnerability, then reallocate a fake object in its place whose function pointers refer to malicious functions or ROP gadgets. Finally, call the related function from user mode.
2. Kernel info leak
The module should have used kzalloc() instead of kmalloc(), so the allocation is handed back without being zeroed.