Category Archives: Linux

A Linux Memory Trick

Posted on February 6, 2013 by drosenbe

I discovered a neat little trick on Linux: on x86 (and a few other less common architectures), it’s possible to determine from an unprivileged process whether an address residing within the kernel address space is mapped or unmapped.

Posted in Kernel, Linux | Comments disabled

Rooting the XYBoard/Xoom 2

Posted on February 17, 2012 by drosenbe

Another day, another tablet rooted. I wonder when Motorola will realize that it’s hopeless to try to prevent device owners from controlling their own hardware.

Posted in Android, Exploitation, Linux | Comments disabled

Re-Rooting the LG Esteem

Posted on February 15, 2012 by drosenbe

Someone told me that LG patched the last vulnerability used to root the LG Esteem. Here’s another root.

Posted in Android, Linux | Comments disabled

Rooting the Samsung Admire

Posted on September 12, 2011 by drosenbe

On request of the Samsung Admire community, I decided to root another Android phone.

Posted in Exploitation, Linux | Comments disabled

Rooting the Droid 3

Posted on August 25, 2011 by drosenbe

The Motorola Droid 3 was released July 14, 2011, and has no public technique available to get root access. On request of some members of the Android community, I decided to audit the platform in order to root the device.

Posted in Exploitation, Linux | Comments disabled

WP: Safe or Not?

Posted on August 12, 2011 by drosenbe

During the course of kernel exploitation (or some other form of runtime kernel modification), it is frequently desirable to be able to modify the contents of read-only memory. On x86, a classic trick is to leverage the WP (write-protect) bit in the CR0 register.

Posted in Exploitation, Kernel, Linux | Comments disabled

SMEP: What is It, and How to Beat It on Linux

Posted on June 5, 2011 by drosenbe

On May 16, 2011, Fenghua Yu submitted a series of patches to the upstream Linux kernel implementing support for a new Intel CPU feature: Supervisor Mode Execution Protection (SMEP). This feature is enabled by toggling a bit in the cr4 register, and the result is the CPU will generate a fault whenever ring0 attempts to execute code from a page marked with the user bit.

Posted in Exploitation, Kernel, Linux | Comments disabled

Fun with Filesystems

Posted on July 10, 2010 by drosenbe

I recently completed a round of bug hunting in Linux filesystems, where I found a series of mostly minor security issues. Filesystems are a great place to start looking for kernel bugs, since the code is relatively easy to understand and review. I discovered and reported issues in btrfs (CVE-2010-1636), ext4 (CVE-2010-2066), gfs2 (CVE-2010-1641, CVE-2010-2525), and xfs (CVE-2010-2226).

Posted in Kernel, Linux | Comments disabled

Integer overflow in ld.so (CVE-2010-0830)

Posted on May 2, 2010 by drosenbe

A month or so ago, I reported an integer overflow vulnerability in ld.so (the linker/loader included with glibc) that could be exploited to achieve arbitrary code execution. The catch is, the vulnerability is triggered in the processing of a maliciously crafted ELF binary, so the actual potential for exploitation in real life is minimal. In many cases, invoking ld.so on an untrusted binary results in the execution of that binary, so in practice this should never be done. However, there are some options that can be used with ld.so that should not result in code execution, such as the case … Continue reading

Posted in Exploitation, Linux | Comments disabled

Fun with FORTIFY_SOURCE

Posted on April 27, 2010 by drosenbe

I wanted to share a neat little trick I discovered while playing with gcc’s FORTIFY_SOURCE feature.

Posted in Exploitation, Linux | Comments disabled