Message-ID: <20171105135833.15025s7hrnp0yd4w@webmail.alunos.dcc.fc.up.pt>
Date: Sun, 05 Nov 2017 13:58:33 +0100
From: up201407890@...nos.dcc.fc.up.pt
To: oss-security@...ts.openwall.com, up201407890@...nos.dcc.fc.up.pt
Subject: Re: Re: CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok()

Hello again list,

Here's a video on how I bypassed KASLR and got root using only CVE-2017-5123, a non-controlled arbitrary write (though 0's are written), without a single read.

https://www.youtube.com/watch?v=DfwOJIcV5ZA

"This exploit uses solely CVE-2017-5123, a Linux kernel vulnerability for 4.12-4.13, which gives an attacker a write-not-what-only-where primitive, or in other words, the ability to write non-controlled user data to arbitrary kernel memory. KASLR is bypassed using memory probing and root obtained via cred struct spraying and location predictability.

twitter.com/uid1000

Music is from Sonic the Hedgehog (1991) for the Sega Genesis."

I may write a more detailed write-up if people seem interested. :)

Thanks,
Federico Bento.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
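The post's one-line description of the bug class (a syscall that writes its result to a caller-supplied pointer without an access_ok() range check) is easier to see in code. The following is an added example written for this page; it is not code from the post, from the video, or from the Linux kernel. It is a user-space simulation: the "user" and "kernel" regions are two static arrays, the sim_info struct and its field values are constructed, and the simulated uid is a stand-in for a credential field. It shows the vulnerable pattern beside the checked one and why the unchecked version turns a normal result-copy into a zero-write at an attacker-chosen kernel address.

```c
/* Added example, not code from the oss-security post or from the Linux
 * kernel: a small user-space model of why a syscall that writes a result
 * to a caller-supplied pointer must first validate that pointer with an
 * access_ok()-style range check. All regions, field values and the
 * simulated uid below are constructed for the simulation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIM_EFAULT 14

/* Simulated address space: a caller may legitimately point into user_mem;
 * kernel_mem must never be reachable through a caller-supplied pointer. */
static uint8_t user_mem[256];
static uint8_t kernel_mem[256];

/* A privileged value kept in kernel memory (stand-in for a credential
 * field). 1000 means unprivileged; if a misdirected write zeroes it, the
 * simulated task looks like uid 0. */
#define SIM_UID_OFFSET 64

static uint32_t sim_read_uid(void)
{
    uint32_t uid;
    memcpy(&uid, kernel_mem + SIM_UID_OFFSET, sizeof uid);
    return uid;
}

/* The record the syscall hands back, loosely modelled on a siginfo-like
 * struct. Some fields are always zero for what this call reports, so a
 * misdirected write lands zeros at a chosen place: the "where, not what"
 * primitive the post describes. */
struct sim_info {
    int32_t signo;
    int32_t err;    /* always 0 in this model */
    int32_t code;
    int32_t pad;    /* always 0 in this model */
    int32_t pid;
    int32_t uid;
    int32_t status;
};

/* access_ok() analogue: [ptr, ptr + len) must lie entirely inside user_mem.
 * Compare as integers so a pointer far outside the region cannot wrap. */
static int sim_access_ok(const void *ptr, size_t len)
{
    uintptr_t p = (uintptr_t)ptr;
    uintptr_t lo = (uintptr_t)user_mem;
    uintptr_t hi = lo + sizeof user_mem;
    if (p < lo || p > hi)
        return 0;
    return len <= hi - p;
}

/* Vulnerable pattern: copy the result wherever the caller points, with no
 * range check (the unchecked put_user-style access the CVE is about). */
static int sim_waitid_unchecked(void *infop)
{
    struct sim_info info = { .signo = 17, .code = 1, .pid = 1234,
                             .uid = 1000, .status = 0 };
    memcpy(infop, &info, sizeof info);
    return 0;
}

/* Fixed pattern: validate the destination range first, refuse with -EFAULT. */
static int sim_waitid_checked(void *infop)
{
    if (!sim_access_ok(infop, sizeof(struct sim_info)))
        return -SIM_EFAULT;
    return sim_waitid_unchecked(infop);
}

/* Reset the simulation: unprivileged uid, user buffer cleared. */
static void sim_reset(void)
{
    uint32_t uid = 1000;
    memset(user_mem, 0, sizeof user_mem);
    memset(kernel_mem, 0xAA, sizeof kernel_mem);
    memcpy(kernel_mem + SIM_UID_OFFSET, &uid, sizeof uid);
}

/* Call one syscall model with an output pointer that places the always-zero
 * `err` field on the simulated uid. Returns the uid afterwards; *rc gets the
 * syscall's return code. */
static uint32_t sim_run(int (*handler)(void *), int *rc)
{
    sim_reset();
    uint8_t *target = kernel_mem + SIM_UID_OFFSET - offsetof(struct sim_info, err);
    *rc = handler(target);
    return sim_read_uid();
}

/* Convenience wrappers so each result can be inspected separately. */
static uint32_t sim_uid_after(int (*handler)(void *)) { int rc; return sim_run(handler, &rc); }
static int sim_rc_after(int (*handler)(void *)) { int rc; sim_run(handler, &rc); return rc; }

int main(void)
{
    printf("unchecked: rc=%d uid=%u (kernel memory overwritten)\n",
           sim_rc_after(sim_waitid_unchecked), sim_uid_after(sim_waitid_unchecked));
    printf("checked:   rc=%d uid=%u (write refused)\n",
           sim_rc_after(sim_waitid_checked), sim_uid_after(sim_waitid_checked));
    printf("user ptr:  rc=%d (legitimate pointer still works)\n",
           sim_waitid_checked(user_mem));
    return 0;
}
```

The checked variant refuses the out-of-range destination with -EFAULT and leaves the simulated uid untouched, while a pointer inside the user region still succeeds; that is the behaviour the missing access_ok() call was supposed to guarantee, and adding the check back is the kernel-side fix for this class of bug. Note that the check must cover the whole [ptr, ptr + len) range, not just the start address, which is why the example compares the remaining length rather than the pointer alone.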