Linux kernel universal heap spray userfaultfd+setxattr
https://updatesinfosec.blogspot.com/2018/09/linux-kernel-universal-heap-spray.html
In Summary:
This kernel heap spraying technique was demonstrated during the beVX workshop DCCP UAF n-day and then used for the 0day in the kernel IrDA subsystem (Ubuntu 16.04). Unlike the existing public heap sprays, it is applicable to very small objects (under 8 or 16 bytes in size) or objects where we need the first N bytes to be controlled (i.e., no uncontrolled header in the target object). This technique was used to exploit two UAF kernel vulnerabilities and, as I've mentioned during the workshop, the term "heap spray" is not really applicable when it comes down to exploiting UAF vulnerabilities. It is generally not required to "spray" (allocate) multiple objects. A single properly-placed allocation is generally all that's needed to place the target object over the previous allocation of the freed/vulnerable object. [...]
Kindly refer to the following link as a follow-up:
https://ift.tt/2IjABNA
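The primitive that makes the setxattr allocation "properly placed" in the technique above is userfaultfd, which lets an unprivileged process stall a kernel copy from user memory part-way through. From a defender's side, the relevant control is the kernel's vm.unprivileged_userfaultfd sysctl (present since Linux 5.2; when set to 0, handling kernel-mode faults through userfaultfd requires CAP_SYS_PTRACE). The audit script below is an added example, not code from the original post or its author; it assumes a Linux host and reads only /proc/sys/vm/unprivileged_userfaultfd, reporting whether unprivileged userfaultfd is still available on the machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether unprivileged
# processes on this host may use userfaultfd to stall kernel copies, which is
# the building block of the userfaultfd+setxattr technique described above.
# Assumes Linux. The sysctl vm.unprivileged_userfaultfd exists on kernels
# >= 5.2; when it is 0, kernel-mode fault handling needs CAP_SYS_PTRACE.

# Map a raw sysctl value to a verdict and an exit status.
# "absent" is the constructed marker for "the sysctl file does not exist".
# Returns 0 when restricted, 1 when exposed, 2 on an unexpected value.
classify_userfaultfd_setting() {
    case "$1" in
        absent)
            echo "EXPOSED: kernel predates vm.unprivileged_userfaultfd; any user may call userfaultfd()"
            return 1 ;;
        1)
            echo "EXPOSED: vm.unprivileged_userfaultfd=1; any user may call userfaultfd()"
            return 1 ;;
        0)
            echo "RESTRICTED: vm.unprivileged_userfaultfd=0; kernel-mode faults need CAP_SYS_PTRACE"
            return 0 ;;
        *)
            echo "UNKNOWN: unexpected value '$1'"
            return 2 ;;
    esac
}

# Read the live setting; print "absent" when the kernel has no such knob.
read_userfaultfd_setting() {
    f=/proc/sys/vm/unprivileged_userfaultfd
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo absent
    fi
}

# Combine the two: exit status 0 means the primitive is restricted here.
audit_userfaultfd() {
    classify_userfaultfd_setting "$(read_userfaultfd_setting)"
}

# Usage (from an unprivileged shell):  . ./uffd_audit.sh && audit_userfaultfd
```

The verdict strings are deliberately fixed so the script can be dropped into a configuration-compliance check and grepped for EXPOSED; on kernels older than 5.2 the only remedies are a kernel upgrade or removing the userfaultfd syscall via seccomp for untrusted workloads.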