Published: August 20, 2023

As requested, a thread about remote kernel exploits! Part 1 - Linux and macOS/iOS. 👇


Linux first, starting off with older material in this area and moving on to more recent work.

1/ twiz / sgrakkyu - http://phrack.org/issues/64/6.... in 2007 discussed remote exploitation of a kernel stack overflow, with an example vulnerability introduced as a proof of concept. This used concepts from a real kernel exploit for madwifi. http://www.milw0rm.com/exploit...

2/ sgrakkyu also published an SCTP FORWARD-TSN Chunk Memory Corruption exploit https://kernelbof.blogspot.de/... hijacking vsyscall, and before that a madwifi exploit in 2006 https://www.exploit-db.com/exp...

3/ In 2012 @djrbliss published https://www.cs.dartmouth.edu/~... covering how remote kernel exploitation compares to an LPE (process vs. interrupt context), the memory protections implemented at the time, a vulnerability in ROSE, ROP used to make the stack executable, and syscall hooking plus an ICMP-triggered backdoor.

4/ In 2020 @theflow discovered multiple vulnerabilities within the Linux Bluetooth stack https://google.github.io/secur... The first of these, BadVibes CVE-2020-24490, is a remotely triggerable heap corruption issue.

4.1/ A stack-based information leak, CVE-2020-12352 (BadChoice), can be used to understand the memory layout of the remote target and disclose data back to the attacker. A final vuln, BadKarma CVE-2020-12351, is a heap-based type confusion. Andy then discussed chaining BadKarma with BadChoice.

5/ In 2022 @sam4k1 revisited some of these areas and what is relevant now for getting RCE on a modern kernel. He discussed a vuln in TIPC, remote heap feng shui, bypassing KASLR and stack cookies, and hard vs. soft mitigations https://conference.hitb.org/hi... https://blog.immunityinc.com/p...

6/ In 2023 at OffensiveCon @guteissier and @laomaiweng discussed multiple vulnerabilities they identified in KSMBD: how these vulns were chained together, and the features of the SMB protocol which helped them gain effective primitives https://www.youtube.com/watch?...

Moving on to the macOS and iOS side.

7/ In 2017 @laginimaineb published multiple blog posts about remotely exploiting the WiFi stack https://googleprojectzero.blog... Tooling, WiFi firmware, multiple vulns and an exploit which allowed RCE on the WiFi chip. He discussed gaining control of the iOS kernel and the host isolation mechanisms.

8/ In 2018 @kevin_backhouse discovered a remotely triggerable bug, CVE-2018-4407 (an out-of-bounds write), within the networking subsystem's ICMP packet handling code https://securitylab.github.com... Kevin developed a proof-of-concept denial-of-service trigger for this issue.

9/ In 2020 @i41nbeer developed https://googleprojectzero.blog... a full iOS zero-click radio proximity exploit for a vulnerability he found within the AWDL code. He located an attacker-controlled u16 passed as the length argument to memmove, causing memory corruption.

9.1/ Whilst the vulnerability itself was relatively simple, the challenges to trigger and exploit it were non-trivial. Ian performs a deep dive into AWDL, packet crafting and the exploit mitigations on the A12/A13, identifying more remotely exploitable vulns in the process.
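The bug class behind 9/ and 9.1/, as an added example that is not Ian's code and not the AWDL implementation: a made-up TLV element whose 16-bit length field is read from the wire and used as the byte count for memmove. The unchecked copy sits beside a checked one that bounds the claimed length by what the packet actually carries and by the destination capacity. The element layout, the function names and the 64-byte destination buffer are all assumptions made for the illustration.

```c
/* Added example (not code from the thread or from the AWDL stack): the bug
 * class described in 9/ and 9.1/, on a made-up TLV element format. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DST_CAPACITY 64  /* assumed size of the kernel-side destination buffer */

/* Assumed wire layout: 1-byte type, 2-byte big-endian length, then payload. */
#define HDR_LEN 3

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Vulnerable form: the length is attacker-controlled and goes straight to
 * memmove, so a claimed 0xFFFF overruns a 64-byte destination. Kept only for
 * contrast; nothing below calls it. */
void copy_element_unchecked(uint8_t *dst, const uint8_t *pkt)
{
    uint16_t len = read_be16(pkt + 1);
    memmove(dst, pkt + HDR_LEN, len);
}

/* Hardened form: bound the claimed length by what the packet actually carries
 * and by the destination capacity. Returns bytes copied, or -1 on rejection. */
int copy_element_checked(uint8_t *dst, size_t dst_cap,
                         const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN)
        return -1;                       /* header truncated */
    uint16_t len = read_be16(pkt + 1);
    if (len > pkt_len - HDR_LEN)
        return -1;                       /* claims more bytes than the packet holds */
    if (len > dst_cap)
        return -1;                       /* more than the destination can take */
    memmove(dst, pkt + HDR_LEN, len);
    return (int)len;
}

/* Build a constructed element into out; returns total bytes written, or 0. */
size_t build_element(uint8_t *out, size_t out_cap, uint8_t type,
                     const uint8_t *payload, uint16_t len)
{
    if (out_cap < HDR_LEN + (size_t)len)
        return 0;
    out[0] = type;
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)(len & 0xFF);
    memcpy(out + HDR_LEN, payload, len);
    return HDR_LEN + len;
}

/* Constructed inputs exercising the good path and the three rejection paths. */
int check_good(void)
{
    uint8_t dst[DST_CAPACITY] = {0};
    uint8_t pkt[16];
    size_t n = build_element(pkt, sizeof pkt, 1, (const uint8_t *)"ABCD", 4);
    int r = copy_element_checked(dst, sizeof dst, pkt, n);
    return (r == 4 && memcmp(dst, "ABCD", 4) == 0) ? 4 : -2;
}

int check_lying_length(void)
{
    uint8_t dst[DST_CAPACITY];
    /* Constructed: header claims 0xFFFF bytes but only four follow. */
    const uint8_t pkt[] = {1, 0xFF, 0xFF, 'A', 'B', 'C', 'D'};
    return copy_element_checked(dst, sizeof dst, pkt, sizeof pkt);
}

int check_oversized_payload(void)
{
    uint8_t dst[DST_CAPACITY];
    uint8_t payload[100];
    uint8_t pkt[HDR_LEN + sizeof payload];
    memset(payload, 'Z', sizeof payload);
    /* Length is honest (100 bytes really follow) yet exceeds dst capacity. */
    size_t n = build_element(pkt, sizeof pkt, 1, payload, sizeof payload);
    return copy_element_checked(dst, sizeof dst, pkt, n);
}

int check_truncated_header(void)
{
    uint8_t dst[DST_CAPACITY];
    const uint8_t pkt[] = {1, 0x00};  /* only two header bytes on the wire */
    return copy_element_checked(dst, sizeof dst, pkt, sizeof pkt);
}

int main(void)
{
    printf("good=%d lying=%d oversized=%d truncated=%d\n",
           check_good(), check_lying_length(),
           check_oversized_payload(), check_truncated_header());
    return 0;
}
```

The two separate bounds in the checked copy matter independently: a length larger than the remaining packet is an over-read of the source, and a length larger than the destination is the over-write the thread describes, so a parser that only checks one of them is still unsafe.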

10/ In 2020 I also disclosed a vulnerability I found within the XNU 6LowPAN stack which Apple classified as a kernel remote (https://support.apple.com/en-u...). I am still not aware if any Apple products were really running 6LowPAN at the time I did the research https://alexplaskett.github.io...

10.1/ This blog demonstrates the use of CodeQL, inspired by @kevin_backhouse's previous work. 6LowPAN was later disabled in the XNU kernel build configs after @i41nbeer identified another issue in this code https://bugs.chromium.org/p/pr...

Part 2 of this series will cover Windows.

@alexjplaskett Baseband OTA -> mDSP RTOS -> Kernel 💪🏻💪🏻

@alexjplaskett Waiting for part two of this :)
