It was discovered in January, 2024. And has been patched already. All the rolling distributions would have the patch already installed. Ubuntu has already issued the patch back in Jan.
@@sunilpaul6891 A professional researched bug like this is always patched before it becomes public like this, assume its fixed unless it's mentioned it's not
If you're wondering which kernel versions are vulnerable, here's what I found: The exploit affects kernel versions from (including) v5.14 to (including) v6.6, excluding patched branches v5.15.149>, v6.1.76>, v6.6.15>.
I just read this entire write up yesterday, and I was blown away with the thoroughness and complexity of the research. And, it was only found because the author found a bug while trying to do some work. Most people just find another way, this guy found a wild exploit. Very impressive. Cheers to notselwyn
me, a plucky wizards apprentice resetting user passwords and setting up accounts, watching a UA-cam video about dark sorcerers unraveling death itself and warping space and time
@@Dirtyharry70585 there's so many more reasons to want to make exploits than just death and destruction. What about the pure beauty in the exploit itself?
my name is my passport, then only i can be i as good as i... especialy in tron trades of wireless energetic multi androidic communication, were the cyberwar algorithm makes attack due ineffecientcy by having a password different then own name.... entering string linguistic and design of solid state reality... and so on and so forth.... = no pwd, then it is my own PersonalComputer communication fassett!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
In contrast to Microsoft, who hides security bug reports while working feverishly to replace the functionality of the discovered back door by writing a patch which closes the discovered back door with a new back door. Only then does Microsoft admit that the security issue even exists.
linux community has no way to hide vulnerability fix, since fix goes open source. unlike with close source you can make a fix, and hackers will not know what was fixed and they can't exploit vulnerability on unpatched systems. i am not defending close source, I am just saying there is pros and cons everywhere
Hi, this was a slightly unleveled video: It was basic in the beginning with you explaining what the kernel does and about syscalls, and then you explained the whole exploit in less time than that, which was too advanced. I know what the kernel is and that by interfacing with the kernel you are asking the kernel to do stuff. I also understand double-freeing and use after free, but socket buffer freelist/all those page descriptors/modprobe was explained in less than 2 minutes If you spent maybe 2 mins explaining the kernel and syscall basics part and 4-5 mins on the actual exploit, it would have more sense Thanks!
A disadvantage is that a whole bunch of companies "just ship" open source solutions based off of Linux and barely provide any security updates, which are critically important. This is one of the reasons I don't like IoT, because it's extremely susceptible to issues like this.
from my understanding they're not really running or changing that much code inside the kernel, that might be pretty complicated, but they're letting the kernel execute their binary as root by changing a path, that's still not running inside the kernel
Tell me about it. I'm still on Fedora 37 with kernel 5.15 LTS, which I haven't updated in about 6 months because the updates stopped lmao. I might have to jump to the newest Fedora 40 beta.Luckily 99% of my apps are flatpaked, installed with the --user flag, and I have dconf commands to apply all my GNOME settings. So I would barely have to re-setup anything and will have all my apps and userdata once I upgrade.
What's the big deal? As I understand, malicious code running in userland could take advantage of the exploit to run arbitrary code as root? But why would you run malicious code on your computer??? My personal policy is that I don't run anything that I'm not getting from a trusted source. You have javascript on web pages but that runs in its own sandbox in the browser (on Windows as well), and if you have AdBlock installed then that blocks a lot of crud right there. The Internet is more centralized nowadays so most people spend their time on a few websites run by giant corporations. Presumably your personal network is protected with a wifi password and firewall. I mean, if you're a network admin and people can come in and run any kind of code on your network's computers, then maybe that's where it would be warranted to be a bit concerned about such a privilege escalation vulnerability. In olden days everything ran as root in Windows 3.1 (or the Windows analogue of "root"), but you would not become infected if you did not click on malicious .exe files (also best to avoid Internet Explorer and ActiveX). I think that if there is malicious code, which might be inclined to _attempt_ a privlege escalation exploit, running on your machine, then you're already in a bad place. In my opinion, it's not good to have malicious code running, even if it is not escalated up to root...
I love how you keep it short all the time, I don't want to watch through 40 minutes of detailed explanation. This is the perfect overview - thank you very much
Really enjoyed this kind of video from you! Admittedly, some of the exploit explanation went over my head and I'll need to do some further research on my end. You might have yourself a little niche here of in-depth explanations of vulnerabilities in an ELI5 manner if you want it. I'd love to see more videos like this with other well-known or new vulnerabilities.
The poor guy that was tasked to educate me about Linux wasn't allowed to use an updated Linux for education... he had to stick to one (old) version of RedHat, because that's what the book used... It took me 1 Google, 3 potential exploits and 15 minutes to become root of that educational Linux server. (Okay, I was familiar with Linux before they tried to educate me). I just made an extra root account, which was allowed to login via ssh. Could have locked out everyone else... but I was just making a point about using outdated software for education. Netfilter is quite a problem if it can elevate privileges. But at the same time kinda predictable... I'm happy that it's been found, so next iteration will be safer. Worst is how easy it can be used.
Even white hats are being cursed at in corporate setups. A lot of organisations still rely on security by obscurity and doesn't do the mental exercise of "how would I get in if I lost my key"... If you do that well enough, you can't... if it was a physical building of yours you'd probably find the least expensive window to break and pay for that. If you're clever you piggyback on some software that needs root. In that way, it's very difficult to lock out the legitimate admin. Problem is, an experienced hacker would probably also have installed a few back-doors upon arrival. Edit: having physical access to your server is the ultimate security... but so much is virtual today.
_I have learned so much from this channel its amazing. I was scared of writing _*_Hello World_*_ in C until last year, and now I am learning about exploits in the kernel. Thanks so much !!_
Relatively new here - background is in mechanical engineering but I would really like to learn embedded software development ( for myself and for my job). Really enjoy these types of videos. I will say I always write some of the acronyms from these videos down on stickies to look up later, given my lack of knowledge of the inner workings of computers. TIL what a TLB is. Anyways, looking forward to any and all videos 👍🏼
Analogy, you know how you can have a reference book which has a chapter list at the front, then every chapter has a section list at the start. That's how these work. Another common trick is to say: * Chapter 1 - Pages 100-199 * Chapter 2 - Pages 200-299 etc... Sure there may be some blank pages, but the hardware can be designed to be really really fast.
@@Sypaka assuming the location of the written information is known. Sure it isn't going to stop your kids from finding it, or Boeing, but it works against the hackers online
the amount of grinding through kernel code and memory dumps that must have been put to develop this exploit is beyond my comprehension... now if i add to this that merely obtaining a kernel memory dump is way more complicated than in case of a user space results in me getting a headache just thinking about it ;-]
Yeah all Linux distributions probably has this patched, but think about all the routers and phones and devices like smart TVs and everything that are connected to the internet and are probably still outdated, like your router if you have an ISP that doesn't allow you to switch it. A lot of these run on Linux and are likely using an outdated version of the kernel.
One thing many folks might not understand is that the attacker needs to have access to the system to exploit/gain this privilege. That being said, it can be used in a process where user xyz is harmlessly (or intentionally) installing something onto the box itself. This doesn't mean that any Linux system sitting idly on a network can be exploited from a pure network means. One of the overcites most folks make is hearing there is an exploit that gains root access means you need to drop everything and patch any and every system running Linux distro version xyz as the exploit affects them immediately. It really depends on the system, it's use, it's broad access, and several other factors. Granted, this is not to say you should not address such a situation, but by all means it doesn't mean the sky is falling either. All the same, very interesting how this one works, and thank you for breaking it down the way you have.
@@vaisakh_km eh, if I'm not trying yo completely kill the joke it's more like 3 months. Debian does apply security patches pretty effectively. To kill the joke completely, in reality, the bug is probably patched in latest and LTS kernels by now, it's just up to the distributions at this point, and Debian uses a patched version of the LTS kernel
So, this information only makes my situation way more puzzling to me. My respect for you guys is beyond comprehensive. I just wish I could cling onto the information and actually put it into play to fix my situation.
as someone who spent his teenage years in the 80’s aligning floppy disks who also had an engineering background - I always found that disks would run far more concentrically if you lowered the disk clamp slowly to give the cone a chance to clamp the disk correctly
Soooo, what is vulnerable to this? Is this something that can happen if you have a socket based connection? Do you need access before escalating? Itd be nice to know how to protect myself and not just how they do it.
This windows users priorities are not to inform linux users like yourself. It is a local privesc so unless someone accesses your system you're fine. If you install buggy software from GNOME and their diverse programmers you open up more privesc possibilities.
@@lawrencemanningProcess namespaces are enabled by default on most distros. A quick way to check is cat /proc/self/uid_map. If it exists, you have user NS.
Hmmm, what I hear is: NEW android rooting method (possibly) if someone implements this functionality into a su/sudo, someone else might be able to port it on android and we'll have a new way of rooting some of the older phones that either didn't have a way to be rooted or didn't have a big enough user base for someone to find a way to root them. ofc this is only possible if the same exploit is available in the android kernel.
I'm not surprised by this bug being complex. The kernel community and the associated companies and users have always values security and over time that value has increased drastically. Joe A. Verage doesn't want his router to become part of a botnet, Google wants no visitors on their servers. To name a few. The security net isn't perfect and the likelihood of something slipping through is higher in esoteric corners of the kernel such as rarely used subsystems or drivers. A security problem that's distributed across half the kernel is a small nightmare. But if something slips through the net it will be perceived as an egg hitting the face and be dealt with accordingly. On the other hand, Linux has become a huge beast, security is tough.
Privilege escalation as a class does not depend on exploiting anything in the Linux kernel. It just means gaining permission to do some normally-restricted thing without proper authentication. This _can_ involve a Kernel exploit, but often means targeting set-uid binaries like ping or sudo. Alternatively you can target a service running with the desired permissions. For example, suppose you have a guest user with ssh-only access to a desktop with a running X11 server. This user does not have permission on /dev/input, nor permission to talk to the X server. Further, suppose this is a legacy system with X11 installed setuid. If the user finds a vulnerability in X11 that makes it change permission on an existing X11 socket to 777 before it drops root, the user can use that vulnerability to give himself permission to talk to the primary user's already running X11 server. Then, through the running X11 server, the guest user can listen to the keyboard and mouse or snoop on existing windows. As this is not an intended permission, gained through an exploit, this is a privilege escalation attack. In practice, relatively few privilege escalation attacks use defects in the kernel. Local-user privilege escalation usually involves finding a misconfigured or defective setuid program. There are also remote-user privilege escalations, usually gaining admin rights on a website or similar service. In this case the attacker doesn't even get permission over a new process, just escalated privileges within a specific application.
setuid is not used on linux systems from 2008, where `capabilities` replaced most of its uses, and then we have SELinux on top for a long long long time. Been years without setuid files on any modern system. Non syscall derived escalations are ultra rare (Never heard of any for a long time)
@@framegrace1 There's been several privilege escalations caused by bugs in things like sudo and policykit, some of which have been pretty recent (e.g. due to some of the code in policykit being written in a "clever" (read: hacky) way and not handling argv[0] being NULL correctly, CVE-2021-4034)
@@framegrace1 Really? Because `/bin/su` and 12 other binaries in /bin, /sbin/, and /usr/bin are all setuid on my stock ubuntu VM. Sure, granular capabilities have helped, and programs like firejail take advantage of that to even further restrict capabilities of even normal users (which makes escaping firejails a relatively new area of escalation attacks). More than granular capabilities, dbus (and things built on top of dbus like the typical wayland implementations) use posix file handle passing to grant granular access to system resources across users. For example, X11 no longer is setuid because it gets access to /dev/input and the video card resources by asking for them over dbus. The Login1 provider (usually a combination of PAM + (e)logind, running as root) then opens these files and passes handles to them to X11 for session creation. Like with the possible firejail escape above, this means system services like Login1 listening over dbus are now viable attack surfaces for privilege escalation attacks.
@@framegrace1 _"Been years without setuid files on any modern system."_ - The system I'm on now has like 20 setuid binaries. I'm pretty sure binaries like su, sudo, passwd, mount, chsh are still setuid on most if not all systems.
This video was fascinating to listen to as a Linux fan but if I am honest, I have no idea what he is talking about. This is on another level way over my head.
Sweet 'sploit, scary 'sploit. It must have been there for a long time and I wonder what other well resourced adversaries were sitting on it in a zeroday portfolio. Appears to require a local user, but also seems to be the kind of thing that might be projected through a web service bug into a RCE.
Yeah except they don't tell you about it and keep them open on purpose for the NSA, CIA etc. I'm also fairly confident that Bitlocker has a bunch of backdoors as well.
LLC has a knack for explaining complicated low level processes in a way noobs can understand, without boring the people that do actually know a bit more. Rare skill.
I wonder if segregating the kernel dynamic memory meta data from the allocate-able memory would make this harder? Use the freed block to hold their own meta data is nice, but is it an unnecessary risk?
Looks like any unpatched Linux system newer than 3.15 (!!) with USERNS enabled. So... the vast majority of them. A mitigation is to set the sysctl kernel.unprivileged_userns_clone=0
I am always astonished at how many bugs there are. I am glad that they are being caught and fixed. But it begs the question: will we ever enter into an era where there aren't any more vulnerabilities to exploit? Sometimes it seems like we are going the opposite direction and finding and fixing more bugs than ever before, which is frustrating. It angers me that at some level you simply have to let go and just trust that you computer is OK in the sense that criminals won't be able to get at it or your accounts. But still.
How is double free a thing? Is it for multiple locks on the same file? Lock decrements instead of setting to 0? Are there double lock errors then when files are permanently closed?
Kinda, but it’s not files, it’s memory: foo = kmalloc(whatever); (lots of other stuff) kfree(foo); (more stuff) kfree(foo); The allocator uses the freed memory to store pointers to other free memory so that it knows what’s free (and not to waste additional memory to store this). You can imagine it as free pieces of memory pointing to other free pieces of memory in a long chain. If you free the same piece the second time, it will be in this chain twice. Now if you allocate a new piece, you could get this twice-freed piece back so you can write data to it - but it’s still in the list (since it was added twice) so whatever you write there, the allocator thinks is part of the free chain - so you can redirect the allocator and force it to write to memory it’s not supposed to.
Level of discussions on this channel regularly makes my brain hurt in positive sense, but i can’t imagine level of those dudes who actually found this bug and used it. It’s WTF++ or even higher
Already gone, for the most part. Discovered in January and already patched in the kernel before the end of January. Downstream distros caught up with this update quickly, too. Ubuntu released the relevant kernel update on their package manager before the end of January, most other distros got it done by the end of February. At this point, the bug only lives in the computers of users that refuse to install security updates.
I am NO Expert on this. Years ago, however, I put a Linux disc in my Old Sony Vaio. It ran like a Breeze, and there was NO Further Malware. I'm typing this on a 2011 Macbook. IOS is slightly more vulnerable to viruses. But, it's Never been so Bad that I couldn't turn on the machine, or get to my browser. I've never had Dancing Bios (remember the Magistrate Virus, around twenty years ago??) The Problem with Apple, and also Chromebook, is that the system stops being updatable after a given number of years, and then you need to buy a new machine. RIPOFF! The Ransomware attacks against Electronic Health Records have ALL been Windows systems. And, that's NOT because of their Prevalence, Either. Windows is Dangerous by Design.
I didn't understand a thing after the graph went up, but I hope kernel patches it soon! Did kernel devs found about this exploit "from the news", or maybe they were given a head start into fixing it?
One of the reasons I love Linux compared to Windows at this point is how bugs and vulnerabilities are discovered and managed. On Windows, things like these are only discovered when Malware is taking advantage of it, take Wannacry as a perfect example. Nobody knew what EternalBlue was until after the damage was done. On Linux however, a bug like that making something like that possible will be discovered by the Kernel devs themselves and nothing malicious will be able to take advantage of it.
Machines run on smoke and magic. All modern computers are just so scientifically advanced you could call it magic, we've taken rock (metal) and sand (silicone) and made it "think" 🎉😂😅
Hmm, self learning cyber security here, so this attack would not work on environments where Structured Exception Handling Overwrite Protection is enabled, because the kernel entry does not match the one as recorded? Or is it not available on Linux? Thanks
I’d really like to know what percentage of your subscribers can actually follow this. Because technically I am a lower level software engineer. But tbh? W.T.F?!?!? I’d assume I’m not alone, but truly some people are on another level.
3:38 for a novice it would have been interesting if you would have elaborated on that matter a bit more. why does pulling certain levers result in a exploit?^^
I think what he's trying to say is that the "only" userspace->kernel interface is syscalls. "Open this file." "Read me 32 bytes from the file." "Now I want to send those bytes to another process running on the same system." In theory, the syscalls are *individually* tested incredibly thoroughly (thanks to tools like Google's Syzkaller project and the tireless efforts of a few heroes in the Linux community) to the point that I'm 99.9999% sure there are no single-syscall bugs in Linux... But a *collection* of them issued in just the right order can make the kernel take a series of steps that leads it into a pitfall, even if each step it took along the way would, in a vacuum, be considered "fine."
Why would a double free imply a use after free in this case? Are you saying that the memory was freed, and then the attacker somehow induced an allocation at that moment? Knowing that the 2nd free would soon occur?
I get freelist is probably the prime example where to use linked lists over other alternatives, but for sake of argument assume freelist would have been a plain array (or vector). Would that have prevented the abuse from double free? (Yes I know fixing the double-free is the first priority)
Mac has less exploits than Linux and Windows combined. I'm a dualbooter for Win11Pro and Linux Mint and can confirm. Sounds like you're projecting more than anything. "Bu-but, Windows and Mac also do-" That's cool, but is there a bug to exploit who asked?
@@The_Prizessin_der_Verurteilung I mean they're not wrong but the point is that Linux is backed by so many companies like Google, Microsoft, Oracle, Intel, AMD, etc so bugs are fixed extremely fast. The mac kernel is also open source. Windows lags behind
@@The_Prizessin_der_Verurteilung Mac has more exploits than Linux. It's based off of BSD. Back in 2007 they proved the point by porting all the old Linux exploits over to BSD. Now it's not even maintained as well as it was back then. BSD also isn't a mandatory access control kernel. So it's at least 20 years out of date. Don't be fooled, you're not as secure.
Thanks for watching guys! ( come learn C at lowlevel.academy 🥺)
hi
Ha! I always knew Linux was unsafe!
That's why I'm still using Windows 98 and I only connect to the internet with my 56k modem...
@@Alfred-Neuman LUV that toilet-flushing sound.
I DO hope you are being Facetious and Sarcastic.
No, @@drpoundsign, Windows 98 is the newest version of Windows, safe and secure
rewrite the linux kernel in Rust???
It was discovered in January, 2024. And has been patched already. All the rolling distributions would have the patch already installed. Ubuntu has already issued the patch back in Jan.
Thanks!
Thanks! That definitely should have been part of the video
I got really worried because i run linux; thanks
Thanks for informing us!
@@sunilpaul6891 A professional researched bug like this is always patched before it becomes public like this, assume its fixed unless it's mentioned it's not
The most shocking part of this video was that 2016 was 8 years ago.
I missed the 2016 mentioned , where is it in the video ?
@@edwardmacnab354 2:02
@@edwardmacnab354 2:02
sad reacts only
@@edwardmacnab354 2:02, you didn't miss much!
If you're wondering which kernel versions are vulnerable, here's what I found: The exploit affects kernel versions from (including) v5.14 to (including) v6.6, excluding patched branches v5.15.149>, v6.1.76>, v6.6.15>.
i’m on 6.8.0 so that means i’m safe? right?
@@BlaineworldYeah, you're fine. It's patched since 6.7.
I'm surprised he didn't include this in the video
o7!
@ap3ture0switch distro to fedora or arch. You'll always be up to speed.
I just read this entire write up yesterday, and I was blown away with the thoroughness and complexity of the research. And, it was only found because the author found a bug while trying to do some work. Most people just find another way, this guy found a wild exploit. Very impressive. Cheers to notselwyn
me, a plucky wizards apprentice resetting user passwords and setting up accounts, watching a UA-cam video about dark sorcerers unraveling death itself and warping space and time
I love this analogy XD
Simply about money and or destruction of property by people who have no morals, and could care less about who it affects or lives that can be lost
@@Dirtyharry70585 there's so many more reasons to want to make exploits than just death and destruction. What about the pure beauty in the exploit itself?
my name is my passport, then only i can be i as good as i... especialy in tron trades of wireless energetic multi androidic communication, were the cyberwar algorithm makes attack due ineffecientcy by having a password different then own name.... entering string linguistic and design of solid state reality... and so on and so forth.... = no pwd, then it is my own PersonalComputer communication fassett!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
We’re making it out of the userspace with this one boys
What I like about Linux is that when a vulnerability like this is found, the community comes together and fixes it asap.
In contrast to Microsoft, who hides security bug reports while working feverishly to replace the functionality of the discovered back door by writing a patch which closes the discovered back door with a new back door. Only then does Microsoft admit that the security issue even exists.
the sun never sets on the global open source community
yes! unlike Windows or other communities where they don't fix vulnerabilities asap. (???)
linux community has no way to hide vulnerability fix, since fix goes open source. unlike with close source you can make a fix, and hackers will not know what was fixed and they can't exploit vulnerability on unpatched systems.
i am not defending close source, I am just saying there is pros and cons everywhere
So how long was the vulnerability sold and exploited before it leaked? *That's the real question.*
Hi, this was a slightly unleveled video: It was basic in the beginning with you explaining what the kernel does and about syscalls, and then you explained the whole exploit in less time than that, which was too advanced. I know what the kernel is and that by interfacing with the kernel you are asking the kernel to do stuff. I also understand double-freeing and use after free, but socket buffer freelist/all those page descriptors/modprobe was explained in less than 2 minutes
If you spent maybe 2 mins explaining the kernel and syscall basics part and 4-5 mins on the actual exploit, it would have more sense
Thanks!
Nah, this deserves an hour at least.
i agree, i got very lost when he was explaining the actual exploit haha
Maybe he did it by intention, it's quite new after all. However he linked the full article in the description (77 min read) that goes into full detail
its mostly just data structure manipulation
Yeah, I got that same feeling. I will ask chatgpt now about that stuff
Time to finally root the Oculus Quest 2
it has already been done anyways
@@hyperkiko Why not do it again?
@@incogninto1-1 i will actually try it on my quest 3, i checked the kernel for the quest 3 and it isnt patched on it
looking for a poc right now
@@wheeI the github link in the description
It was fixed almost immediately. That is a strong advantage of Open Source in contrast to big corp coverups
If it was Windows, it would have been fixed before it was disclosed.
@@GoogleDoesEvil it would be fixed after it was disclosed after several years
@@kooostia16 it would then take 30 years for corporations to implement the fix
A disadvantage is that a whole bunch of companies "just ship" open source solutions based off of Linux and barely provide any security updates, which are critically important. This is one of the reasons I don't like IoT, because it's extremely susceptible to issues like this.
@@GoogleDoesEvil it would have been fixed ? by windows ? , tell me you don't know the history of windows by not telling me --lol
Running in kernel is worse than running as root.
from my understanding they're not really running or changing that much code inside the kernel, that might be pretty complicated, but they're letting the kernel execute their binary as root by changing a path, that's still not running inside the kernel
Everything should run in kernel
This comment was posted by TempleOS Gang
@@dahahaka well, depends. Running inside the kernel could cause a kernel panic and crash the whole system, running as root just causes a segfault
@@rusi6219 niche and I love it
@@rusi6219 RIP Terry
Welp, time to upgrade my kernel.
you think? Might be why distros push out updates..
Tell me about it. I'm still on Fedora 37 with kernel 5.15 LTS, which I haven't updated in about 6 months because the updates stopped lmao. I might have to jump to the newest Fedora 40 beta.Luckily 99% of my apps are flatpaked, installed with the --user flag, and I have dconf commands to apply all my GNOME settings. So I would barely have to re-setup anything and will have all my apps and userdata once I upgrade.
What's the big deal? As I understand, malicious code running in userland could take advantage of the exploit to run arbitrary code as root? But why would you run malicious code on your computer??? My personal policy is that I don't run anything that I'm not getting from a trusted source. You have javascript on web pages but that runs in its own sandbox in the browser (on Windows as well), and if you have AdBlock installed then that blocks a lot of crud right there. The Internet is more centralized nowadays so most people spend their time on a few websites run by giant corporations. Presumably your personal network is protected with a wifi password and firewall. I mean, if you're a network admin and people can come in and run any kind of code on your network's computers, then maybe that's where it would be warranted to be a bit concerned about such a privilege escalation vulnerability.
In olden days everything ran as root in Windows 3.1 (or the Windows analogue of "root"), but you would not become infected if you did not click on malicious .exe files (also best to avoid Internet Explorer and ActiveX).
I think that if there is malicious code, which might be inclined to _attempt_ a privlege escalation exploit, running on your machine, then you're already in a bad place. In my opinion, it's not good to have malicious code running, even if it is not escalated up to root...
I love how you keep it short all the time, I don't want to watch through 40 minutes of detailed explanation. This is the perfect overview - thank you very much
Great that you used one of the Tuxlets in your video, that I made with my son years ago. 👍
Really enjoyed this kind of video from you! Admittedly, some of the exploit explanation went over my head and I'll need to do some further research on my end. You might have yourself a little niche here of in-depth explanations of vulnerabilities in an ELI5 manner if you want it. I'd love to see more videos like this with other well-known or new vulnerabilities.
Bugs never went away, but recently, it feels like bugs just did 20 years in prison, and they've been released on parole.
I am looking at the proprietary Linux devices at home and at work and just... curiously tapping my chin.
This ought to be interesting (:
The poor guy that was tasked to educate me about Linux wasn't allowed to use an updated Linux for education... he had to stick to one (old) version of RedHat, because that's what the book used...
It took me 1 Google, 3 potential exploits and 15 minutes to become root of that educational Linux server. (Okay, I was familiar with Linux before they tried to educate me).
I just made an extra root account, which was allowed to login via ssh. Could have locked out everyone else... but I was just making a point about using outdated software for education.
Netfilter is quite a problem if it can elevate privileges. But at the same time kinda predictable... I'm happy that it's been found, so next iteration will be safer. Worst is how easy it can be used.
Excellent whitehat hacking.
I'll do the same :3 already found the vulnerability
Even white hats are being cursed at in corporate setups.
A lot of organisations still rely on security by obscurity and doesn't do the mental exercise of "how would I get in if I lost my key"... If you do that well enough, you can't... if it was a physical building of yours you'd probably find the least expensive window to break and pay for that.
If you're clever you piggyback on some software that needs root. In that way, it's very difficult to lock out the legitimate admin.
Problem is, an experienced hacker would probably also have installed a few back-doors upon arrival.
Edit: having physical access to your server is the ultimate security... but so much is virtual today.
_I have learned so much from this channel its amazing. I was scared of writing _*_Hello World_*_ in C until last year, and now I am learning about exploits in the kernel. Thanks so much !!_
Welcome to the field! Now go do the next thing you're scared of failing!
This works a bit like a digital Rube Goldberg machine.
Relatively new here - background is in mechanical engineering but I would really like to learn embedded software development ( for myself and for my job). Really enjoy these types of videos. I will say I always write some of the acronyms from these videos down on stickies to look up later, given my lack of knowledge of the inner workings of computers. TIL what a TLB is. Anyways, looking forward to any and all videos 👍🏼
translate look-aside buffer. i learned it in early ee/cs course on cpu's
Analogy, you know how you can have a reference book which has a chapter list at the front, then every chapter has a section list at the start. That's how these work. Another common trick is to say:
* Chapter 1 - Pages 100-199
* Chapter 2 - Pages 200-299
etc...
Sure there may be some blank pages, but the hardware can be designed to be really really fast.
I'm learning that the safest way to store your secure data is on a piece of paper
Yep, no better method than writing your password on a sticky note and "hiding" it under your keyboard... lol
Only second to your brain, but sometimes the files can get corrupted up there or with package loss before reaching your fingers.
And all it takes, is a pencil to make a copy of everything you wrote.
@@Sypaka assuming the location of the written information is known. Sure it isn't going to stop your kids from finding it, or Boeing, but it works against the hackers online
@@Sypakaor a photo but you keep forgetting the whole part of physically being there
the amount of grinding through kernel code and memory dumps that must have been put to develop this exploit is beyond my comprehension... now if i add to this that merely obtaining a kernel memory dump is way more complicated than in case of a user space results in me getting a headache just thinking about it ;-]
Yeah all Linux distributions probably has this patched, but think about all the routers and phones and devices like smart TVs and everything that are connected to the internet and are probably still outdated, like your router if you have an ISP that doesn't allow you to switch it. A lot of these run on Linux and are likely using an outdated version of the kernel.
And to think, one can now hack it to put there own updated software that the manufacture locks you out of so you can't update.
@@techwolflupindoTheir?
One thing many folks might not understand is that the attacker needs to have access to the system to exploit/gain this privilege. That being said, it can be used in a process where user xyz is harmlessly (or intentionally) installing something onto the box itself. This doesn't mean that any Linux system sitting idly on a network can be exploited from a pure network means. One of the overcites most folks make is hearing there is an exploit that gains root access means you need to drop everything and patch any and every system running Linux distro version xyz as the exploit affects them immediately. It really depends on the system, it's use, it's broad access, and several other factors. Granted, this is not to say you should not address such a situation, but by all means it doesn't mean the sky is falling either. All the same, very interesting how this one works, and thank you for breaking it down the way you have.
Should have pointed out that so long as people were doing their updates, this was patched back in January. FUD, for clickbait!
Thank you for having a correct title, seen some people saying stuff like "linux got wrecked". I appreciate your title game more for being truthful.
Really hope one day I could comprehend all this shenanigans lol .. great vid!
Right after i installed debian...
XD good luck for next 10 years...
@@vaisakh_km eh, if I'm not trying yo completely kill the joke it's more like 3 months. Debian does apply security patches pretty effectively.
To kill the joke completely, in reality, the bug is probably patched in latest and LTS kernels by now, it's just up to the distributions at this point, and Debian uses a patched version of the LTS kernel
rm -rf
install gentoo
So? Just update the kernel like you would on any other distro
@@Excalibur13 rm -rf --no-preserve-root
you should definitely do more detailed exploit writeup videos! :)
He acknowledges himself that this is sth beyond his knowledge so better not try it...
You should do a video on the most impactful or crazy bugs of all time, or perhaps per decade/computing era
Nice one
So, this information only makes my situation way more puzzling to me. My respect for you guys is beyond comprehensive. I just wish I could cling onto the information and actually put it into play to fix my situation.
as someone who spent his teenage years in the 80’s aligning floppy disks who also had an engineering background - I always found that disks would run far more concentrically if you lowered the disk clamp slowly to give the cone a chance to clamp the disk correctly
This channel is so awesome and educational. Look forward to spending more time with it.
Can you talk about the backdoor in liblzma/xz that lets you avoid SSH?
He just did! The man is really quick
Soooo, what is vulnerable to this? Is this something that can happen if you have a socket based connection? Do you need access before escalating? Itd be nice to know how to protect myself and not just how they do it.
This windows users priorities are not to inform linux users like yourself. It is a local privesc so unless someone accesses your system you're fine. If you install buggy software from GNOME and their diverse programmers you open up more privesc possibilities.
It has been patched for months so unless you’ve manually disabled security updates you are not vulnerable
@@lawrencemanning not your fault. I have no idea why he didn’t mention it in the video.
@@lawrencemanningProcess namespaces are enabled by default on most distros. A quick way to check is cat /proc/self/uid_map. If it exists, you have user NS.
I love how the author made such a cool graphic instead of just writing about it. It's clearly a lot of steps.
"In 2016, about 8 years ago", god damn man, you're making me feel old
Thanks for sharing your enthusiasm on this exploit. Next time, please try digging into it.
Hmmm, what I hear is: NEW android rooting method (possibly)
if someone implements this functionality into a su/sudo, someone else might be able to port it on android and we'll have a new way of rooting some of the older phones that either didn't have a way to be rooted or didn't have a big enough user base for someone to find a way to root them. ofc this is only possible if the same exploit is available in the android kernel.
I dont understand almost any of these but still catches my genuine interest, congrats bro!!
I'm not surprised by this bug being complex. The kernel community and the associated companies and users have always values security and over time that value has increased drastically. Joe A. Verage doesn't want his router to become part of a botnet, Google wants no visitors on their servers. To name a few. The security net isn't perfect and the likelihood of something slipping through is higher in esoteric corners of the kernel such as rarely used subsystems or drivers. A security problem that's distributed across half the kernel is a small nightmare. But if something slips through the net it will be perceived as an egg hitting the face and be dealt with accordingly. On the other hand, Linux has become a huge beast, security is tough.
How was this bug discovered?
manual source code audit. absolutely insane
@@LowLevelTVwoah crazyyy
@@LowLevelTV That's pretty hardcore lol
That's amazing that someone would just...read the source code like that.
@@LowLevelTV That is nuts
I'm loving your Cybersecurity stuff. That's the future
Privilege escalation as a class does not depend on exploiting anything in the Linux kernel. It just means gaining permission to do some normally-restricted thing without proper authentication. This _can_ involve a Kernel exploit, but often means targeting set-uid binaries like ping or sudo. Alternatively you can target a service running with the desired permissions.
For example, suppose you have a guest user with ssh-only access to a desktop with a running X11 server. This user does not have permission on /dev/input, nor permission to talk to the X server. Further, suppose this is a legacy system with X11 installed setuid. If the user finds a vulnerability in X11 that makes it change permission on an existing X11 socket to 777 before it drops root, the user can use that vulnerability to give himself permission to talk to the primary user's already running X11 server. Then, through the running X11 server, the guest user can listen to the keyboard and mouse or snoop on existing windows. As this is not an intended permission, gained through an exploit, this is a privilege escalation attack.
In practice, relatively few privilege escalation attacks use defects in the kernel. Local-user privilege escalation usually involves finding a misconfigured or defective setuid program. There are also remote-user privilege escalations, usually gaining admin rights on a website or similar service. In this case the attacker doesn't even get permission over a new process, just escalated privileges within a specific application.
setuid is not used on linux systems from 2008, where `capabilities` replaced most of its uses, and then we have SELinux on top for a long long long time.
Been years without setuid files on any modern system. Non syscall derived escalations are ultra rare (Never heard of any for a long time)
@@framegrace1 There's been several privilege escalations caused by bugs in things like sudo and policykit, some of which have been pretty recent (e.g. due to some of the code in policykit being written in a "clever" (read: hacky) way and not handling argv[0] being NULL correctly, CVE-2021-4034)
@@framegrace1 Really? Because `/bin/su` and 12 other binaries in /bin, /sbin/, and /usr/bin are all setuid on my stock ubuntu VM. Sure, granular capabilities have helped, and programs like firejail take advantage of that to even further restrict capabilities of even normal users (which makes escaping firejails a relatively new area of escalation attacks).
More than granular capabilities, dbus (and things built on top of dbus like the typical wayland implementations) use posix file handle passing to grant granular access to system resources across users. For example, X11 no longer is setuid because it gets access to /dev/input and the video card resources by asking for them over dbus. The Login1 provider (usually a combination of PAM + (e)logind, running as root) then opens these files and passes handles to them to X11 for session creation. Like with the possible firejail escape above, this means system services like Login1 listening over dbus are now viable attack surfaces for privilege escalation attacks.
🤓
@@framegrace1 _"Been years without setuid files on any modern system."_ - The system I'm on now has like 20 setuid binaries. I'm pretty sure binaries like su, sudo, passwd, mount, chsh are still setuid on most if not all systems.
0:23 i think the "author of this bug" was probably not using novel techniques, i think they just made a mistake writing some kernel code
He means the one who discovered the bug
Superb exploitation !
The author of that one must really really have a hands-on grip of Kernel code.
Kinda narrows it down some.
This video was fascinating to listen to as a Linux fan but if I am honest, I have no idea what he is talking about. This is on another level way over my head.
Exploit explanation starts at 3:47
I'm sick and this vid is already making me happy :)
feel better
I'm proud I was able to understand half of this after my OS college classes
Sweet 'sploit, scary 'sploit. It must have been there for a long time and I wonder what other well resourced adversaries were sitting on it in a zeroday portfolio. Appears to require a local user, but also seems to be the kind of thing that might be projected through a web service bug into a RCE.
many of these techniques are used for windows kernel exploitation quite often
Yeah except they don't tell you about it and keep them open on purpose for the NSA, CIA etc. I'm also fairly confident that Bitlocker has a bunch of backdoors as well.
@@ent2220 yeah why use that garbage when veracrypt is available
@@ent2220 Some guy made a video on UA-cam how he cracks bitlocker in 50 seconds. Bitlocker is an absolute garbage.
dude i'm high on shrooms rn this is insane.
Highly based
;p
asa e frate
“Dirty Cow” sounds like it would be a drink in Wisconsin lmao
LLC has a knack for explaining complicated low level processes in a way noobs can understand, without boring the people that do actually know a bit more. Rare skill.
this video finished too soon!! Very simple explanation, this dude might be a great teacher.
Privilege escalations do not necessarily exploit kernel code, they could exploit weak applications which have higher privilege themselves
This is one of those channels I go to watch to feel smart. Knowing a little bit about computers, I understood everything and nothing 🤣
Programming vulkan graphics lets me at least not get confused when i hear about buffers and descriptors😅
I wonder if segregating the kernel dynamic memory meta data from the allocate-able memory would make this harder? Use the freed block to hold their own meta data is nice, but is it an unnecessary risk?
Some people work really hard to find these exploits. Way over achieving. AMAZING!!!!
That visual aid chart is very Charlie from It's Always Sunny-esque.
So, who was affected by this? Any system? Or just very specific network configuration?
Looks like any unpatched Linux system newer than 3.15 (!!) with USERNS enabled. So... the vast majority of them. A mitigation is to set the sysctl kernel.unprivileged_userns_clone=0
yeah and people pretend this is some ancient exploit that's not relevant like dirty cow, my school literally has this exploit
I am always astonished at how many bugs there are. I am glad that they are being caught and fixed. But it begs the question: will we ever enter into an era where there aren't any more vulnerabilities to exploit? Sometimes it seems like we are going the opposite direction and finding and fixing more bugs than ever before, which is frustrating. It angers me that at some level you simply have to let go and just trust that you computer is OK in the sense that criminals won't be able to get at it or your accounts. But still.
I usually kinda understand a lot of general exploit stuff but this is just insane
holy poop dude this video is popping off
get that root shell 🔥🚀🐚🐚
How is double free a thing? Is it for multiple locks on the same file? Lock decrements instead of setting to 0? Are there double lock errors then when files are permanently closed?
Kinda, but it’s not files, it’s memory:
foo = kmalloc(whatever);
(lots of other stuff)
kfree(foo);
(more stuff)
kfree(foo);
The allocator uses the freed memory to store pointers to other free memory so that it knows what’s free (and not to waste additional memory to store this). You can imagine it as free pieces of memory pointing to other free pieces of memory in a long chain. If you free the same piece the second time, it will be in this chain twice. Now if you allocate a new piece, you could get this twice-freed piece back so you can write data to it - but it’s still in the list (since it was added twice) so whatever you write there, the allocator thinks is part of the free chain - so you can redirect the allocator and force it to write to memory it’s not supposed to.
Yes, I definitely learned something here. That I am stupid as a rock! ))) Even though I've been doing system programming for 30 years now.
Level of discussions on this channel regularly makes my brain hurt in positive sense, but i can’t imagine level of those dudes who actually found this bug and used it. It’s WTF++ or even higher
Now the question is, how long will this bug last?
I has been fixed several months ago on 6.7
Already gone, for the most part. Discovered in January and already patched in the kernel before the end of January. Downstream distros caught up with this update quickly, too. Ubuntu released the relevant kernel update on their package manager before the end of January, most other distros got it done by the end of February. At this point, the bug only lives in the computers of users that refuse to install security updates.
@@martenkahr3365 Can't forget companies that ship products based off of Linux and don't provide security fixes for them (commonly seen in IoT)
@@martenkahr3365 such as every home router or IoT lightbulb out there?
okay the GH says this blows right through defaults on debian-core systems... does this work on more serious SELinux like RHEL or Gentoo?
I had this question over "immutable" os utilizing overlayfs, and escaping containers and chroot in this low level way.
Congrats on doing an excellent job explaining it. Thanks!
I am NO Expert on this. Years ago, however, I put a Linux disc in my Old Sony Vaio. It ran like a Breeze, and there was NO Further Malware. I'm typing this on a 2011 Macbook. IOS is slightly more vulnerable to viruses. But, it's Never been so Bad that I couldn't turn on the machine, or get to my browser. I've never had Dancing Bios (remember the Magistrate Virus, around twenty years ago??)
The Problem with Apple, and also Chromebook, is that the system stops being updatable after a given number of years, and then you need to buy a new machine. RIPOFF!
The Ransomware attacks against Electronic Health Records have ALL been Windows systems. And, that's NOT because of their Prevalence, Either.
Windows is Dangerous by Design.
Windows is perfectly safe, its users are dangerous as hell. :)
I didn't understand a thing after the graph went up, but I hope kernel patches it soon!
Did kernel devs found about this exploit "from the news", or maybe they were given a head start into fixing it?
the moment it is found the repo would have been nuked with pull requests. that's the power of open source
Thank you for the quality content don't hesitate to go super go level and in depth I love it
I run the CVE testing code from the github account on a very recent (and patched) kernel and it froze and crashed the system. Very interesting
One of the reasons I love Linux compared to Windows at this point is how bugs and vulnerabilities are discovered and managed. On Windows, things like these are only discovered when Malware is taking advantage of it, take Wannacry as a perfect example. Nobody knew what EternalBlue was until after the damage was done. On Linux however, a bug like that making something like that possible will be discovered by the Kernel devs themselves and nothing malicious will be able to take advantage of it.
Double-free wouldn't have happened if the kernel was written in Rust 😎 *puts on long socks with beautiful rainbow hair and naruto runs away*
ur right because then it would have been abandoned after a few months
@@honse246 look into trans suicide rate and the rate of abandoned rust projects starts to make sense
@@rusi6219 lmao
@@rusi6219they’re not abandoned, they’re done -NoBoilerplate
@@rusi6219HOLY SHIT 💀that was a dark one. Well played 👏
So could the same thing be done on Mac OS since it is based on UNIX like LINUX is?
Sentient AI will have a field day with all the imperfections sprinkled around in our various operating systems and software...
Hey @LowLevelLearning, how do you decide what to learn?
I thought the entire reason we pass syscall argument by registers and not the kernel stack is that those kind of things don't happen.
Daily reminder: there is no such thing as perfection.
Machines run on smoke and magic. All modern computers are just so scientifically advanced you could call it magic, we've taken rock (metal) and sand (silicone) and made it "think" 🎉😂😅
Hmm, self learning cyber security here, so this attack would not work on environments where Structured Exception Handling Overwrite Protection is enabled, because the kernel entry does not match the one as recorded? Or is it not available on Linux? Thanks
I’d really like to know what percentage of your subscribers can actually follow this. Because technically I am a lower level software engineer. But tbh? W.T.F?!?!? I’d assume I’m not alone, but truly some people are on another level.
3:38 for a novice it would have been interesting if you would have elaborated on that matter a bit more. why does pulling certain levers result in a exploit?^^
I think what he's trying to say is that the "only" userspace->kernel interface is syscalls. "Open this file." "Read me 32 bytes from the file." "Now I want to send those bytes to another process running on the same system." In theory, the syscalls are *individually* tested incredibly thoroughly (thanks to tools like Google's Syzkaller project and the tireless efforts of a few heroes in the Linux community) to the point that I'm 99.9999% sure there are no single-syscall bugs in Linux... But a *collection* of them issued in just the right order can make the kernel take a series of steps that leads it into a pitfall, even if each step it took along the way would, in a vacuum, be considered "fine."
Why would a double free imply a use after free in this case? Are you saying that the memory was freed, and then the attacker somehow induced an allocation at that moment? Knowing that the 2nd free would soon occur?
Let's all take a moment and appreciate that guy's diagram-making skills.
Is it possible to use this exploit to get root access on a Android device?
I get freelist is probably the prime example where to use linked lists over other alternatives, but for sake of argument assume freelist would have been a plain array (or vector). Would that have prevented the abuse from double free? (Yes I know fixing the double-free is the first priority)
with grsecurity kernel hardening you should be fine but ill have to test anyway
Appreciate the lecture!
windows/macos also have all kinds of bugs but no one knows because the source is not available
and so is harder to write attacks ?
Mac has less exploits than Linux and Windows combined. I'm a dualbooter for Win11Pro and Linux Mint and can confirm.
Sounds like you're projecting more than anything. "Bu-but, Windows and Mac also do-" That's cool, but is there a bug to exploit who asked?
@@The_Prizessin_der_Verurteilung I mean they're not wrong but the point is that Linux is backed by so many companies like Google, Microsoft, Oracle, Intel, AMD, etc so bugs are fixed extremely fast. The mac kernel is also open source. Windows lags behind
@@The_Prizessin_der_Verurteilung Mac has more exploits than Linux. It's based off of BSD. Back in 2007 they proved the point by porting all the old Linux exploits over to BSD. Now it's not even maintained as well as it was back then. BSD also isn't a mandatory access control kernel. So it's at least 20 years out of date. Don't be fooled, you're not as secure.
@@The_Prizessin_der_Verurteilungthe fact the nobody tries to find exploits there doesnt mean they dont exist.
netfilter is a good attack surface even in wiki leaks you will find some old exploits on linux that uses the netfilter
So how do you double free the kernel without being root? Or another privelaged user?
Does this work on all Unix systems? I’d like to know if this can be done on a Mac in any way.