oss-sec mailing list archives
Re: Re: CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok()
From: up201407890 () alunos dcc fc up pt
Date: Sun, 05 Nov 2017 13:58:33 +0100
Hello again list,

Here's a video on how I bypassed KASLR and got root using only CVE-2017-5123, a non-controlled arbitrary write (though 0's are written), without a single read.

https://www.youtube.com/watch?v=DfwOJIcV5ZA

"This exploit uses solely CVE-2017-5123, a Linux kernel vulnerability for 4.12-4.13, which gives an attacker a write-not-what-only-where primitive, or in other words, the ability to write non-controlled user data to arbitrary kernel memory. KASLR is bypassed using memory probing and root obtained via cred struct spraying and location predictability.

twitter.com/uid1000

Music is from Sonic the Hedgehog (1991) for the Sega Genesis."

I may write a more detailed write-up if people seem interested. :)

Thanks,
Federico Bento.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
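The primitive the post describes comes from waitid() in 4.12-4.13 writing its siginfo fields through the user-supplied infop pointer with unsafe_put_user() but without the access_ok() range check, so a kernel address passed as infop is accepted and written. The following is an added user-space model of that check, written for this archive page; it is not code from the post, the video, or the kernel. It assumes an x86-64-like address split (TASK_SIZE_MAX, USER_BASE, KERNEL_BASE and the two byte arrays standing in for user and kernel memory are constructed for the model), it writes six zero 32-bit words to stand in for the non-controlled siginfo fields the post mentions, and its names (model_access_ok, vulnerable_waitid_copyout, fixed_waitid_copyout) are hypothetical.

```c
/* Added model of the access_ok() check missing from waitid() in CVE-2017-5123.
 * Not kernel code: addresses, memory arrays and function names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EFAULT        14
#define TASK_SIZE_MAX 0x00007ffffffff000ULL   /* assumed user-space upper limit */
#define USER_BASE     0x00007f0000000000ULL   /* assumed user mapping for the model */
#define KERNEL_BASE   0xffffffff81000000ULL   /* assumed kernel mapping for the model */
#define SIGINFO_WORDS 6                       /* si_signo, si_errno, si_code, pid, uid, status */

static uint8_t user_mem[256];     /* stands in for a user page */
static uint8_t kernel_mem[256];   /* stands in for kernel memory the write lands in */

/* Map a model address to backing storage; NULL models an unmapped address. */
static uint8_t *resolve(uint64_t addr, size_t n)
{
    if (addr >= USER_BASE && addr - USER_BASE <= sizeof user_mem - n)
        return user_mem + (addr - USER_BASE);
    if (addr >= KERNEL_BASE && addr - KERNEL_BASE <= sizeof kernel_mem - n)
        return kernel_mem + (addr - KERNEL_BASE);
    return NULL;
}

/* Shape of the kernel check: [addr, addr+size) must lie entirely below the
 * user limit, and addr+size must not wrap around. Returns 1 if OK, else 0. */
int model_access_ok(uint64_t addr, uint64_t size)
{
    uint64_t end;
    if (__builtin_add_overflow(addr, size, &end))
        return 0;                   /* wraparound: reject */
    return end <= TASK_SIZE_MAX;    /* entirely inside user space */
}

/* Models unsafe_put_user(): no range check, only a fault on unmapped memory.
 * A mapped kernel address is written just like a user one. */
static int model_unsafe_put_user(uint64_t dst, uint32_t val)
{
    uint8_t *p = resolve(dst, sizeof val);
    if (!p)
        return -EFAULT;
    memcpy(p, &val, sizeof val);
    return 0;
}

/* Zeros model the non-controlled siginfo values the post describes. */
static int copyout_fields(uint64_t infop)
{
    for (int i = 0; i < SIGINFO_WORDS; i++) {
        int rc = model_unsafe_put_user(infop + 4u * (uint64_t)i, 0);
        if (rc)
            return rc;
    }
    return 0;
}

/* Vulnerable shape: infop is used directly, so a kernel address is accepted. */
int vulnerable_waitid_copyout(uint64_t infop)
{
    if (!infop)
        return 0;
    return copyout_fields(infop);
}

/* Fixed shape: the range check runs before any user-pointer access. */
int fixed_waitid_copyout(uint64_t infop)
{
    if (!infop)
        return 0;
    if (!model_access_ok(infop, 4u * SIGINFO_WORDS))
        return -EFAULT;
    return copyout_fields(infop);
}

/* Helpers so the effect of each path can be inspected. */
void seed_memory(uint8_t fill)
{
    memset(user_mem, fill, sizeof user_mem);
    memset(kernel_mem, fill, sizeof kernel_mem);
}
uint8_t kernel_byte(size_t off) { return kernel_mem[off]; }
uint8_t user_byte(size_t off)   { return user_mem[off]; }

int main(void)
{
    uint64_t target = KERNEL_BASE + 0x10;   /* constructed kernel target */
    seed_memory(0xAA);
    printf("vulnerable: rc=%d kernel_mem[0x10]=0x%02x\n",
           vulnerable_waitid_copyout(target), kernel_byte(0x10));
    seed_memory(0xAA);
    printf("fixed:      rc=%d kernel_mem[0x10]=0x%02x\n",
           fixed_waitid_copyout(target), kernel_byte(0x10));
    return 0;
}
```

The point of the model is the ordering: the fixed path rejects the pointer before the first write, while the vulnerable path only ever fails on unmapped memory, so any mapped kernel address becomes a write-where target with attacker-independent contents. The wraparound test in model_access_ok matters because a check that only compares the start address could be bypassed with a size that wraps past the limit.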
Current thread:
- Re: CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok() up201407890 (Oct 25)
- Re: Re: CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok() up201407890 (Nov 05)
- Re: Re: CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok() Solar Designer (Nov 05)
- Re: Re: CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok() up201407890 (Nov 07)
- Re: Re: CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok() up201407890 (Nov 05)