242 - kCTF Changes, LogMeIn, and wlan VFS Bugs
2024-2-14 20:0:0 Author: dayzerosec.com(查看原文) 阅读量:7 收藏

The primitive in play here is a handle duplication attack, and basically the LogMeIn device driver has an IOCTL that will temporarily duplicate a handle specified by the caller (attacker). Along with allowing users to open the device with PROCESS_DUP_HANDLE one can open the device and then try to duplicate the newly created handle before it gets closed to continue to hold a reference to a privileged handle and use that for an elevation of privilege.

The Mediatek wlan driver on Android has several files exposed under the /proc virtual filesystem. Some of these read handles do not check the caller-provided buffer size before copying data out into the user buffer. As such it may overflow the caller’s buffer. The most obvious case of this would just result in a sort of self-exploitation but given the ability to share file descriptors across processes, one may be able to abuse this overflow to exploit a privileged process. It is a pretty interesting primitive to have, and not necessarily well controlled in-terms of what data is written, but feels like it could be a pretty cool exploit to pull-off.


文章来源: https://dayzerosec.com/podcast/242.html
如有侵权请联系:admin#unsafe.sh