On 30/10/2018 18:37, Kees Cook wrote:
On Tue, Oct 30, 2018 at 8:26 AM, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
I suppose the 'normal' attack goes like:
1) find buffer-overrun / bound check failure
2) use that to write to 'interesting' location
3) that write results arbitrary code execution
4) win
Of course, if the store of 2 is to the current cred structure, and
simply sets the effective uid to 0, we can skip 3.
In most cases, yes, gaining root is game over. However, I don't want
to discount other threat models: some systems have been designed not
to trust root, so a cred attack doesn't always get an attacker full
control (e.g. lockdown series, signed modules, encrypted VMs, etc).
Reading these points I see where I was not clear.
Maybe I can fix that. SELinux is a good example of safeguard against a
takeover of root, so it is a primary target. Unfortunately it contains
some state variables that can be used to disable it.
Other attack that comes to my mind, for executing code within the
kernel, without sweating too much with ROP is the following:
1) find the rabbit hole to write kernel data, whatever it might be
2) spray the keyring with own key
3) use the module loading infrastructure to load own module, signed with
the key at point 2)
Just to say that direct arbitrary code execution is becoming harder to
perform, but there are ways around it which rely more on overwriting
unprotected data.
They are a lower hanging fruit for an attacker.
--
igor