
Zhiyun Qian, Jiayi Hu, Jinmeng Zhou, Qi Tang, Wenbo Shen: PageJack, A Powerful Page-Level UAF Exploit Technique (PDF)

Uploaded by: 张**  ID: 175586  2024-09-13  47 pages  1.36 MB

PageJack: A Powerful Exploit Technique With Page-Level UAF
#BHUSA @BlackHatEvents
Speaker: Zhiyun Qian. Contributors: Jiayi Hu, Jinmeng Zhou, Qi Tang, Wenbo Shen. 8/8/2024

Who we are
Zhiyun Qian, Jinmeng Zhou, Qi Tang, Wenbo Shen, Jiayi Hu

OS kernel exploits
- Control-flow hijack. Example: corrupt a function pointer, then return-oriented programming (ROP).
  corrupted_obj->func_ptr();        /* control goes to an arbitrary code location */
- Data-only attacks. Example: corrupt a data pointer to obtain arbitrary read/write and modify key objects (e.g., cred).
  *corrupted_obj->data_ptr = val;   /* write lands at an arbitrary data location */

Control-flow integrity
- With CFI deployed, a data-only attack is needed.

Control-flow hijacking vs data-only attack
[Chart: number of exploits per year (x-axis: 2019-2020, 2021, 2022, 2023; y-axis: 0 to 20), two series: control-flow attack exploits and data-only attack exploits.]

Previous data-only attacks
- Corrupt a global variable, e.g., modprobe_path:
  - KASLR bypass needed
  - arbitrary address write (AAW) capability needed
  - protected by CONFIG_STATIC_USERMODEHELPER
- Corrupt a heap variable, e.g., struct cred (uid, gid) or struct file (f_mode, f_mapping):
  - a relative write (e.g., OOB) on the heap suffices; AAW not needed

Previous data-only attack: cross-cache challenge
- Most vulnerabilities (UAF, double free, out-of-bounds write) happen in generic caches.
- Most critical heap objects live in dedicated caches.
- How to reach critical heap objects with relative writes? A cross-cache attack is needed.
- Cross-cache attack techniques vary by vulnerability type, e.g., OOB: less reliable; UAF: more reliable.
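A constructed user-space model, added here and not code from the talk, of the two points above: a relative (OOB) write corrupts the uid/gid of a cred-like object without the attacker knowing any kernel address, but only if the victim's slab page sits right after the page holding the overflowing object, which is what makes the cross-cache step necessary when the victim lives in a dedicated cache. The page pool, the single-page cache model, the 64-byte object size and struct cred_like are simplifications assumed for the illustration, not the kernel's allocator.

```c
/*
 * Constructed model (not code from the talk) of a relative heap write reaching a
 * struct cred-like object in a different slab cache. Simplifications assumed here:
 * each cache takes whole 4 KiB pages from a page pool that hands them out in
 * increasing address order, every object is 64 bytes, and "cred_jar" is a
 * dedicated cache separate from the generic "kmalloc-64" cache.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE     4096u
#define NPAGES        4u
#define OBJ_SIZE      64u                    /* kmalloc-64 objects and our cred */
#define OBJS_PER_PAGE (PAGE_SIZE / OBJ_SIZE)

static uint8_t  pool[NPAGES * PAGE_SIZE];    /* physical memory stand-in */
static unsigned next_page;                   /* buddy stand-in: pages in order */

struct cred_like { uint32_t uid, gid; uint8_t pad[OBJ_SIZE - 8]; };

struct cache {
    const char *name;
    uint8_t    *page;   /* current slab page, NULL until the first allocation */
    unsigned    used;   /* objects handed out from that page */
};

/* Hand out the next free slot; grab a fresh page when the current one is full. */
static void *cache_alloc(struct cache *c)
{
    if (c->page == NULL || c->used == OBJS_PER_PAGE) {
        if (next_page == NPAGES)
            return NULL;                     /* pool exhausted */
        c->page = pool + (next_page++) * PAGE_SIZE;
        c->used = 0;
    }
    return c->page + (c->used++) * OBJ_SIZE;
}

/* The bug: copies len bytes into a 64-byte object with no bounds check. */
static void vulnerable_copy(void *obj, const uint8_t *src, size_t len)
{
    memcpy(obj, src, len);
}

/*
 * Returns 1 if the overflow out of the last kmalloc-64 object zeroed the
 * victim cred's uid and gid. adjacent_cred selects whether the cred cache
 * takes the page immediately after the generic cache's page (the layout a
 * cross-cache attack tries to arrange) or some other generic page does.
 */
static int oob_reaches_cred(int adjacent_cred)
{
    struct cache generic = { "kmalloc-64", NULL, 0 };
    struct cache creds   = { "cred_jar",   NULL, 0 };
    struct cache other   = { "kmalloc-64", NULL, 0 };   /* a second generic page */
    void *vuln = NULL;

    next_page = 0;
    memset(pool, 0, sizeof pool);

    /* Spray: fill one generic page; the last slot holds the vulnerable object. */
    for (unsigned i = 0; i < OBJS_PER_PAGE; i++)
        vuln = cache_alloc(&generic);

    /* Whichever cache gets the next physical page decides what the overflow hits. */
    if (!adjacent_cred)
        cache_alloc(&other);
    struct cred_like *victim = cache_alloc(&creds);
    victim->uid = 1000;
    victim->gid = 1000;

    /* 72-byte write into a 64-byte slot: the 8 extra bytes land in the next page,
     * i.e. at the first object of whichever cache owns it. No address is needed. */
    uint8_t payload[OBJ_SIZE + 8];
    memset(payload, 0x41, OBJ_SIZE);
    memset(payload + OBJ_SIZE, 0x00, 8);     /* uid = gid = 0 if a cred is there */
    vulnerable_copy(vuln, payload, sizeof payload);

    return victim->uid == 0 && victim->gid == 0;
}

int main(void)
{
    printf("cred page right after the generic page: uid/gid zeroed = %d\n",
           oob_reaches_cred(1));
    printf("another generic page in between:         uid/gid zeroed = %d\n",
           oob_reaches_cred(0));
    return 0;
}
```

The interesting part is the second case: the same write against the same bug hits a harmless generic object, so a relative write alone is only as good as the attacker's control over which cache owns the neighbouring page, which is exactly the reliability concern the slides raise for OOB-based cross-cache attacks.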

This talk presents PageJack, a new data-only exploitation technique for OS kernels. It exploits physical pages that the kernel has freed but that remain accessible (a page-level use-after-free), and through memory layout manipulation, page-pointer tampering and object spraying it obtains arbitrary read/write of critical kernel objects. PageJack bypasses KASLR and defeats the SLAB_VIRTUAL defense. It applies to a range of Linux and Android kernel vulnerability types, including OOB, UAF and double free. A CVE-2022-0995 case study shows how PageJack is used for privilege escalation. The technique is open source; the exploits and the white paper are available at the link the authors provide.