钱智云与胡佳毅与周金梦与唐奇与沈文博_PageJack一种强大的页面级UAF利用技术.pdf

上传人：张**

编号：175586

2024-09-13

PDF 47页 1.36MB

《钱智云与胡佳毅与周金梦与唐奇与沈文博_PageJack一种强大的页面级UAF利用技术.pdf》由会员分享，可在线阅读，更多相关《钱智云与胡佳毅与周金梦与唐奇与沈文博_PageJack一种强大的页面级UAF利用技术.pdf（47页珍藏版）》请在三个皮匠报告上搜索。

1、#BHUSA BlackHatEventsPageJackPageJack:A Powerful Exploit Technique With Page:A Powerful Exploit Technique With Page-Level UAFLevel UAFSpeaker:Zhiyun QianContributors:Jiayi Hu,Jinmeng Zhou,Qi Tang,Wenbo Shen8/8/2024#BHUSA BlackHatEventsWho we areZhiyun QianJinmeng ZhouQi TangWenbo ShenJiayi Hu#BHUSA

2、BlackHatEventsOS kernel exploitsControl flow hijackEx:corrupt function pointer return-oriented programming(ROP)Data-only attacksEx:corrupt data pointer arbitrary read/write to modify key objects(e.g.,cred)corrupted_obj-func_ptr()Arbitrary codelocation*corrupted_obj-data_ptr=val;Arbitrary datalocatio

3、n#BHUSA BlackHatEventsControl-flow integrityData-only attack needed#BHUSA BlackHatEventsControl-flow hijacking vs data-only attack0246810121416182019-2020202120222023control-flow attack exploitsdata-only attacks exploitsData-only attacks#BHUSA BlackHatEventsPrevious data-only attacksCorruptglobal va

4、riable,e.g.,modprobe_pathheap variable,e.g.,cred#BHUSA BlackHatEventsPrevious data-only attacksCorrupt KASLR bypass needed AAW capability needed Protected by CONFIG_STATIC_USERMODEHELPERglobal variable,e.g.,modprobe_pathheap variable,e.g.,cred#BHUSA BlackHatEventsPrevious data-only attackCorruptglob

5、al variable,e.g.,modprobe_pathheap variable,e.g.,cred,file.f_mode.f_mapping.uidgid.Relative write(e.g.,OOB)on heapAAW not neededstruct file struct cred#BHUSA BlackHatEventsPrevious data-only attack:cross-cache challenge Most vulnerabilities happen in generic caches.(UAF,Double Free,Out-of-bound writ

6、e)Most critical heap objects are in dedicated caches.How to reach critical heap objects with relative writes？cross-cache attack needed#BHUSA BlackHatEventsPrevious data-only attack:cross-cache challenge Cross-cache attack techniques vary by vulnerability type,e.g.,OOB:less reliableUAF:more reliable

钱智云与胡佳毅与周金梦与唐奇与沈文博_PageJack一种强大的页面级UAF利用技术.pdf

相关报告