Linux exploits

Hello, Khabrovites. On the eve of the start of the course “Administrator Linux. Professional “ our expert, Alexander Kolesnikov, has prepared an interesting article, which we are happy to share with you.

We also invite future students and everyone who wants to attend an open lesson on the topic “Methods and Features for Debugging Bash Shell Scripts.”

The Linux operating system has proven to the world all the power of open source projects – thanks to it, today we have the opportunity to look into the source code of a working operating system and, on its basis, assemble our own system for solving certain problems. Due to its openness, Linux was supposed to become the most secure operating system in the world, since open source allows developing and improving subsystems for protecting against attacks on the operating system and improving the operating system itself. Indeed, at the moment there are a large number of community-created protections: today it is simply not so easy to exploit buffer overflow vulnerabilities to gain elevated privileges in the same way as 20 years ago. Nevertheless, today you can find exploits in the public domain that can elevate user privileges even on the latest versions of the kernel. Let’s take a look at how it works and why it happens in this article. We’ll go through the main components of exploits and see how some of them work.

All information provided has been collected for informational purposes only.

Exploit types

Let us choose a general term by which we will denote what is exploit – an algorithm that disrupts the normal functioning of the operating system, namely, access control mechanisms. We also introduce the concept vulnerabilities Is a software imperfection that can be exploited by the exploit algorithm. Without vulnerability, an exploit cannot exist.

Let’s introduce a classification of exploits. The basic division of exploits into subgroups for any operating system begins at the architecture level. Operating systems today include at least 2 levels of privileges that they use for their work. Below is a figure that illustrates the separation of privileges. Picture taken from here

The picture very clearly shows that the operating system has a Kernel Space level, usually this is the most privileged mode, this is where what we call the operating system is. And the second level is User Space: this is where the usual applications and services that we use every day are launched.

Historically, vulnerabilities can be found for each of the above levels, for which an exploit can be created, but exploits for each of the levels have their own limitations.

At the user level, any exploit that affects the application will have exactly the same privileges that the user who launched the affected application used. Therefore, this type of exploit allows full control over the OS only if the application is launched by the system administrator. In contrast to the user level, kernel levelif it contains vulnerable code, it can immediately give the ability to manage the operating system with maximum privileges. Below we will focus on investigating these exploits.


Let us present a small statistics on the disclosure of vulnerabilities for the Linux kernel of the Debian, SUSE, Ubuntu, Arch Linux distributions of the last 4 years.

Data taken from here… The picture does not claim to be complete, but it shows that there are a lot of vulnerabilities, and even today there is plenty to choose from for building an exploit. Let’s try to describe what an exploit is.

Any exploit for any level of the operating system today consists of parts that must be implemented in its code:

  1. Preparatory operations:

    1) Setting the required memory display

    2) Creating the necessary objects in the OS

    3) Bypassing OS protection mechanisms for the vulnerability used

  2. Calling the vulnerable part of the software.

  3. Performs payload:

    1) To open access to the OS

    2) To change the OS configuration

    3) To disable the OS

By following all the points above, you can write a workable exploit. Let’s take a few exploits from past years for research and try to find out if we can find any patterns or borrowings that are used to violate access control in the Linux operating system. As objects of research, let’s take exploits that exploit the following vulnerabilities with CVE identifiers:



Parsing exploits

CVE-2020-8835 RIt applies to the Linux kernel from version 5.5.0. Vulnerability is in technology implementation ebpf… The technology was developed to enable the user to create custom handlers to filter network traffic. The main component for performing filtering is a virtual machine with its own set of commands. The code that is executed by the virtual machine lives in the kernel: a bug in this code gives the attacker the ability to work with memory with maximum privileges. In the case of the described vulnerability, the problem was that 32-bit instruction processing operations were not processed correctly, and the virtual machine could write and read data in the kernel’s RAM.

How the exploit author exploits this vulnerability and what payload is being executed will be discussed further.

Preparatory stage

The next part of the code is responsible for this stage.

Line 394 – create an object in memory that will store the command data for ebpf… Line 400 loads code into memory that will be executed in the virtual machine and will violate the conditions for processing 32-bit commands. Memory preparation is over, the following lines will create a socket object, which will ensure that the loaded commands are called for bpf… After that, the stage of invoking the vulnerability will begin.

Calling vulnerable code

Calling the vulnerable code, or rather, working with the commands of the virtual machine, is carried out from lines 423 to 441. The main task of this code is to get the base address of the structure that is in memory, in this case it is the heap of the process. Once these commands are executed, the exploit will be able to detect data in memory that the operating system uses to control access control. In Linux operating system, this data is stored in the structure taskstruct


The payload of this exploit is that after it is executed, you can start a process with user rights. root… To do this, the exploit code modifies the fields of the Linux kernel structure – cred this is the structure that goes into the structure taskstruct… Structure source code cred can be found here

Actions to modify fields struct cred can be seen on the lines 472,473,474… That is, this action clears the value uid, gid, sgid the process being created. From the OS point of view, this is setting the identifier values ​​that are usually used root… The method is very similar to the one used to attack the Windows operating system.

You can protect yourself without updating the OS if you make the following changes to the config: sudo sysctl kernel.unprivilegedbpfdisabled=1

CVE-2020-27194 – again vulnerability in ebpf… Available for kernel versions 5.8. *. The creators of this technology joke that bpf Is JavaScript for the core. In fact, this judgment is not far from the truth. The virtual machine actually manipulates commands using JIT technology, which by itself carries all the typical browser vulnerabilities into the operating system kernel, that is, it is difficult to configure protection subsystems in order to secure code execution. The vulnerability in question is that any area of ​​RAM can be modified from the virtual machine code. Perhaps this is due to the fact that the virtual machine is insecurely working with 64-bit operations. Completely similar vulnerability to the one we considered above.

The exploit designed to exploit the described vulnerability performs the same operations as the CVE-2020-8835 exploit. The exploit algorithm is as follows:

  1. Load code with processing 64-bit operations into memory

  2. Create a socket and send data to invoke commands ebpf

    1. Find the address of a structure in memory taskstruct by executing commands in a virtual machine

  3. Modify values uid,gid,sgid and start an interactive shell.

The author wrote the source code with new features and additional functions. We invite the reader to take a look at the code for himself. The above stages of the exploit operation will not let you get confused.

Protection against this vulnerability without using the update is the same: sudo sysctl kernel.unprivilegedbpf_disabled=1

What’s the bottom line?

Based on the two exploits that were discussed in the article, it can be assumed that privilege escalation in modern Linux is no longer the dark magic of programming, but a completely debugged boilerplate process that includes the reuse of functions and objects in RAM. In this case, you do not even need to write base-independent (shellcode) code that will perform most of the actions. It is easy enough to change the IDs that are used to assign privileges to users.

Learn more about the course “Administrator Linux. Professional “.

Register for an open lesson “Methods and Features for Debugging Bash Shell Scripts.”

Read more:

  • Linux Experiments LAB

  • How to trust the operating system again. Search for traces of compromise. Analysis of malware

  • Bypassing terminal restrictions

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *