Towards Identifying Temporal Safety Weaknesses in a Hardened Linux Kernel Heap Allocator

Supervisor(s): Marius Momeu
Status: finished
Topic: Linux stuff
Author: Bogdan-Petru Voicu
Submission: 2024-08-29
Type of Thesis: Bachelor thesis

Description

As the number of heap-related vulnerabilities in the Linux kernel continues to grow, security researchers have focused on developing measures that make exploitation more difficult. However, exploitation of temporal memory safety vulnerabilities often evades current hardening measures such as KASLR, SMAP, SMEP or KCFI, because attackers can circumvent these defences with data-only attacks that exploit type confusion. These modern techniques typically use cross-cache attacks to overlap vulnerable objects with page tables and thereby obtain arbitrary read/write primitives in kernel memory. Ongoing research aims to limit the attacker's ability to achieve type confusion by preventing the kernel allocator from reusing the same memory regions for objects of different types. Since most current Linux heap exploits rely on type confusion, tricking the memory allocator into overlapping objects of different types, it is believed that these attacks will fail once such additional hardening measures are in place.

This thesis introduces a novel exploitation method targeting a double free vulnerability on socket buffers, enabling privilege escalation and sandbox escape without the need to overlap objects of different types. We demonstrate how this vulnerability can be pivoted into a use-after-free on the credentials of a process, which we then manipulate to obtain elevated privileges. Furthermore, we explore attack patterns that remain effective against systems with hardened heaps, showing that current hardening measures are not sufficient to fully prevent privilege escalation. We demonstrate the applicability of the novel exploitation methods on Linux kernel v6.3.13 for CVE-2024-1086, without the use of type confusion or cross-cache attacks.
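The following toy allocator is an added illustration of the point the description makes, namely that type segregation in the heap blocks cross-type overlap but not same-type aliasing after a double free. It is not the thesis' code, not Linux kernel code and not an exploit for CVE-2024-1086. The `cred` and `skb` structs are two-field stand-ins for the kernel objects, the slot sizes are arbitrary, and the `hardened` flag is a simplified model (an assumption, not a reimplementation) of the freelist-head check that CONFIG_SLAB_FREELIST_HARDENED adds to SLUB's free path.

```c
/* Toy type-segregated slab model. Added illustration, not the thesis' code and not
 * Linux kernel code. The "hardened" freelist-head check is a simplified model of the
 * double-free check behind CONFIG_SLAB_FREELIST_HARDENED (assumption); struct cred
 * and struct skb are stand-ins for the kernel's credentials and socket buffer objects. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOTS 4
#define SLOT_BYTES 64

struct cache {
    size_t obj_size;
    unsigned char slab[SLOTS * SLOT_BYTES]; /* one cache owns one private slab */
    void *freelist;          /* LIFO free list; next pointer lives inside the freed object */
    bool hardened;           /* reject a free whose target is already the freelist head */
    int double_frees_caught;
};

struct cred { uint32_t uid; uint32_t euid; };     /* stand-in for kernel credentials */
struct skb  { uint32_t len; uint32_t data_off; }; /* stand-in for a socket buffer */

static void cache_init(struct cache *c, size_t obj_size, bool hardened) {
    memset(c, 0, sizeof *c);
    c->obj_size = obj_size;
    c->hardened = hardened;
    for (int i = SLOTS - 1; i >= 0; i--) {      /* thread every slot onto the free list */
        void *obj = c->slab + i * SLOT_BYTES;
        *(void **)obj = c->freelist;
        c->freelist = obj;
    }
}

static void *cache_alloc(struct cache *c) {
    void *obj = c->freelist;
    if (!obj) return NULL;
    c->freelist = *(void **)obj;   /* pop: the next pointer was stored in the object */
    memset(obj, 0, c->obj_size);
    return obj;
}

/* Returns false when the modeled hardening rejects the free as a double free. */
static bool cache_free(struct cache *c, void *obj) {
    if (c->hardened && obj == c->freelist) { c->double_frees_caught++; return false; }
    *(void **)obj = c->freelist;   /* push */
    c->freelist = obj;
    return true;
}

/* Type segregation: a freed skb slot is never handed out as a cred, so the
 * cross-type overlap (type confusion) described in the text is not available. */
static bool cross_type_reuse_possible(void) {
    struct cache skbs, creds;
    cache_init(&skbs, sizeof(struct skb), true);
    cache_init(&creds, sizeof(struct cred), true);
    void *s = cache_alloc(&skbs);
    cache_free(&skbs, s);
    for (int i = 0; i < SLOTS; i++)
        if (cache_alloc(&creds) == s) return true;
    return false;
}

/* Back-to-back double free of one object: the freelist-head check catches it. */
static int immediate_double_free_caught(bool hardened) {
    struct cache creds;
    cache_init(&creds, sizeof(struct cred), hardened);
    void *a = cache_alloc(&creds);
    cache_free(&creds, a);
    cache_free(&creds, a);
    return creds.double_frees_caught;
}

/* Interleaved double free (free a, free b, free a): the head check misses it and the
 * same cred slot is returned twice. Two live creds then alias one slot without any
 * cross-type overlap: writing uid 0 through the second handle changes the first. */
static uint32_t uid_seen_through_alias(bool hardened) {
    struct cache creds;
    cache_init(&creds, sizeof(struct cred), hardened);
    struct cred *a = cache_alloc(&creds);
    struct cred *b = cache_alloc(&creds);
    cache_free(&creds, a);
    cache_free(&creds, b);
    cache_free(&creds, a);                   /* double free; head is b, so not caught */
    struct cred *x = cache_alloc(&creds);    /* slot of a */
    cache_alloc(&creds);                     /* slot of b */
    struct cred *y = cache_alloc(&creds);    /* slot of a again: y == x */
    x->uid = 1000; x->euid = 1000;           /* the victim's unprivileged credentials */
    y->uid = 0; y->euid = 0;                 /* a second handle to the very same slot */
    return x->uid;                           /* 0: same-type aliasing, no type confusion */
}
```

The cross-type check returns false regardless of the double free, which is what a type-segregated heap buys. The interleaved case returns uid 0 for both the hardened and the unhardened cache: a per-type allocator still recycles a freed slot for the next object of that type, so the temporal weakness survives unless the allocator also detects the non-adjacent double free.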