Since vulnerabilities in Linux kernel are on the increase, attackers have turned their interests into related exploitation techniques. However, compared with numerous researches on exploiting use-after-free vulnerabilities in the user applications, few efforts studied how to exploit use-after-free vulnerabilities in Linux kernel due to the difficulties that mainly come from the uncertainty of the kernel memory layout. Without specific information leakage, attackers could only conduct a blind memory overwriting strategy trying to corrupt the critical part of the kernel, for which the success rate is negligible. In this work, we present a novel memory collision strategy to exploit the use-after-free vulnerabilities in Linux kernel reliably. The insight of our exploit strategy is that a probabilistic memory collision can be constructed according to the widely deployed kernel memory reuse mechanisms, which significantly increases the success rate of the attack. Based on this insight, we present two practical memory collision attacks: An object-based attack that leverages the memory recycling mechanism of the kernel allocator to achieve freed vulnerable object covering, and a physmap-based attack that takes advantage of the overlap between the physmap and the SLAB caches to achieve a more flexible memory manipulation. Our proposed attacks are universal for various Linux kernels of different architectures and could successfully exploit systems with use-after-free vulnerabilities in kernel. Particularly, we achieve privilege escalation on various popular Android devices (kernel version>=4.3) including those with 64-bit processors by exploiting the CVE-2015-3636 use-after-free vulnerability in Linux kernel. To our knowledge, this is the first generic kernel exploit for the latest version of Android. Finally, to defend this kind of memory collision, we propose two corresponding mitigation schemes.
[1]
Periklis Akritidis,et al.
Cling: A Memory Allocator to Mitigate Dangling Pointers
,
2010,
USENIX Security Symposium.
[2]
Emery D. Berger,et al.
DieHarder: securing the heap
,
2010,
CCS '10.
[3]
Yves Younan,et al.
FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers
,
2015,
NDSS.
[4]
Derek Bruening,et al.
AddressSanitizer: A Fast Address Sanity Checker
,
2012,
USENIX Annual Technical Conference.
[5]
Milo M. K. Martin,et al.
CETS: compiler enforced temporal safety for C
,
2010,
ISMM '10.
[6]
Wouter Joosen,et al.
Runtime countermeasures for code injection attacks against C and C++ programs
,
2012,
CSUR.
[7]
Hovav Shacham,et al.
On the effectiveness of address-space randomization
,
2004,
CCS '04.
[8]
Wenke Lee,et al.
Preventing Use-after-free with Dangling Pointers Nullification
,
2015,
NDSS.
[9]
Greg Kroah-Hartman,et al.
Linux Device Drivers
,
1998
.
[10]
Robert N. M. Watson,et al.
Exploiting Concurrency Vulnerabilities in System Call Wrappers
,
2007,
WOOT.
[11]
Rob Williams,et al.
Linux device drivers
,
2006
.
[12]
Dawn Xiaodong Song,et al.
SoK: Eternal War in Memory
,
2013,
2013 IEEE Symposium on Security and Privacy.
[13]
Dan Boneh,et al.
Hacking Blind
,
2014,
2014 IEEE Symposium on Security and Privacy.
[14]
Angelos D. Keromytis,et al.
ret2dir: Rethinking Kernel Isolation
,
2014,
USENIX Security Symposium.