Conversation

Andrey Konovalov

@andreyknvl

·

Aug 9, 2018

Exploit for CVE-2017-18344: https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-18344/poc.c… Details: http://openwall.com/lists/oss-security/2018/08/09/6…

github.com

kernel-exploits/poc.c at master · xairy/kernel-exploits

My proof-of-concept exploits for the Linux kernel. Contribute to xairy/kernel-exploits development by creating an account on GitHub.

2

86

146

Federico Bento

@uid1000

·

Aug 9, 2018

Replying to

@andreyknvl

Neat tricks! Sad that SMAP breaks them :(

1

Andrey Konovalov

@andreyknvl

Replying to

@uid1000

Thanks! If there's a way to set some 8 byte kernel global variable from an unprivileged user, it could be used to bypass SMAP (by storing the pointer to the data you want to leak in this variable), but nothing really came to mind when I've been thinking about this

7:08 PM · Aug 9, 2018·Twitter Web Client

1

Like

Federico Bento

@uid1000

·

Aug 9, 2018

Replying to

@andreyknvl

Yeah, having an unprivileged user store a kernel address on a global variable would resolve the whole problem. And I assume with heap spraying it would still be very hard to guess right