[TCTF 2017 final] cred_jar (linux kernel driver pwn) write-up

Categories CTF

As the official write-up by f00l [1] states, there is a data race between put_jar() and get_jar(), and the attack window is fairly large because of the lock_mutex in both functions.

By leveraging the race condition, we obtain a dangling pointer ptr to a kernel heap chunk, and we can confirm that we have won the race by querying the ID set previously, because the ID is modified by the subsequent free operation.

In the following steps we exploit this UAF. Note that we control the cred_jar length as well as the fd and bk pointers, which gives us arbitrary read and write primitives starting from the heap chunk: we can overwrite the next chunk's FD, and after unlinking and freeing that next chunk, the linked list head can be hijacked.

To gain RIP control, we hijack the list head to point near the function pointers in the driver's data section. Then, after an open_cred_jar and a get_cred_jar_ctx operation, we obtain a ctx that points into the driver's data section; writing to this ctx overwrites the function pointers.

The kernel does not enable SMAP, so the exploit is relatively easy: stack pivot to user-space mmap'd memory, disable SMEP, and escalate privileges.

The following is the SMEP bypass exploit code. It is not as elegant as the official one, which writes to the cred_jar kmalloc cache directly.
