One Article Review

Home - The article:
Source ProjectZero
Identifier 8221926
Publication date 2022-08-24 11:55:31 (viewed: 2022-11-25 18:05:33)
Title The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)
Text A deep dive into an in-the-wild Android exploit. Guest Post by Xingyu Jin, Android Security Research.

This is part one of a two-part guest blog post, where first we'll look at the root cause of the CVE-2021-0920 vulnerability. In the second post, we'll dive into the in-the-wild 0-day exploitation of the vulnerability and post-compromise modules.

Overview of in-the-wild CVE-2021-0920 exploits

A surveillance vendor named Wintego has developed an exploit for a Linux socket syscall 0-day, CVE-2021-0920, and used it in the wild since at least November 2020 based on the earliest captured sample, until the issue was fixed in November 2021. Combined with Chrome and Samsung browser exploits, the vendor was able to remotely root Samsung devices. The fix was released with the November 2021 Android Security Bulletin, and applied to Samsung devices in Samsung's December 2021 security update.

Google's Threat Analysis Group (TAG) discovered Samsung browser exploit chains being used in the wild. TAG then performed root cause analysis and discovered that this vulnerability, CVE-2021-0920, was being used to escape the sandbox and elevate privileges. CVE-2021-0920 was reported to Linux/Android anonymously. The Google Android Security Team performed the full deep-dive analysis of the exploit.

This issue was initially discovered in 2016 by a RedHat kernel developer and disclosed in a public email thread, but the Linux kernel community did not patch the issue until it was re-reported in 2021.

Various Samsung devices were targeted, including the Samsung S10 and S20. By abusing an ephemeral race condition in Linux kernel garbage collection, the exploit code was able to obtain a use-after-free (UAF) in a kernel sk_buff object. The in-the-wild sample could effectively circumvent CONFIG_ARM64_UAO, achieve arbitrary read / write primitives and bypass Samsung RKP to elevate to root. Other Android devices were also vulnerable, but we did not find any exploit samples against them.

Text extracted from captured samples dubbed the vulnerability “quantum Linux kernel garbage collection”, which appears to be a fitting title for this blogpost.

Introduction

CVE-2021-0920 is a use-after-free (UAF)
Sent Yes
Tags Vulnerability Threat Guideline
Stories
Notes


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.