Conversation

πŸ‘ YOU πŸ‘ DON’T πŸ‘ NEED πŸ‘ TO πŸ‘ PUBLISH πŸ‘ ANOTHER πŸ‘ ZERO πŸ‘ DAY πŸ‘ ON πŸ‘ FRIDAY πŸ‘ NIGHT πŸ‘ YOU πŸ‘ PIECE πŸ‘ OF πŸ‘ SHIT πŸ‘

https://ze3tar.github.io/post-zcrx.html

7
1
1

and they’re all LPEs. the most boring of zerodays. give me an RCE and my cold, dead eyes will light up at least a little bit

this? this is just pathetic

4
0
1
@domi that was published two days ago
1
0
0

@domi and also i think this one required you to have a Mellanox ConnectX5, Intel 800-series or Netronome NFP series NIC in your system, which, yeah. At least on the bright side they seem to be decreasing in scope

1
0
0

I'm tired boss

0
0
0

@noisytoot first IA cap from yesterday, and i’m being informed about it right now

my point? still stands

1
0
0

@domi there just aren't enough goofus monospace coding font blog posts on the subject. we need one by twitter guy 296356

1
0
1

@domi they're all in the linux kernel because there isn't any other software anymore

1
0
1

@domi I'm crying why do they have their kernel version string at the bottom of the article and why are they running kali

2
0
1

@domi new method better than responsible disclosure. eat it forever

1
0
0

@domi tried compiling the poc. GCC emitted an 83 line error message. lmfao

2
1
1

@domi I am on a "vulnerable" kernel version

1
0
0
@domi I saw it yesterday because someone mentioned it on IRC. they should've waited for a stable release to get the fix before publishing it but I don't think it's quite as bad as the other two since it requires you to actually have the affected hardware and CAP_NET_ADMIN already
0
0
2

@domi crying

```c
/* KASLR + escalation */

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Look up a kernel symbol's address in /proc/kallsyms.
 * Returns 0 on failure, including when kptr_restrict masks every address as 0. */
static uint64_t kallsyms_addr(const char *sym)
{
    FILE *f = fopen("/proc/kallsyms", "r");
    if (!f) return 0;
    char line[256];
    uint64_t found = 0;
    while (fgets(line, sizeof(line), f)) {
        if (!strstr(line, sym)) continue;      /* substring match, not an exact name match */
        char *sp = strchr(line, ' ');
        if (!sp) continue;
        char type = *(sp + 1);                 /* symbol type column: T/t text, D/d data */
        if (type != 'D' && type != 'd' && type != 'T' && type != 't') continue;
        uint64_t addr = strtoull(line, NULL, 16);
        if (addr > 0xffffffff80000000ULL) { found = addr; break; }   /* skips masked 0 entries */
    }
    fclose(f);
    return found;
}
```
1
0
0

@domi wait, /proc/kallsyms will output the addresses of everything as 0 unless it is read by a privileged user? also, the binary needs some setcap command run on it that can only be done by a privileged user? what are we even doing

1
0
0

@0x6e6174 @domi in their defense, the article does note that kallsyms is only useful when the kptr_restrict sysctl is disabled. but it says that's the "default on many systems" and uh, idk maybe my sample is biased but I've never seen it disabled

0
0
0
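An added check for the kptr_restrict point in this reply (my code, not from the thread or the linked post): it parses kallsyms-style lines, reports whether the addresses are masked to zero for the current reader, and does an exact-name lookup instead of the PoC's substring match. The sample lines are constructed, not captured from a real machine; `audit_host()` only reads `/proc` and changes nothing.

```python
import re

# One /proc/kallsyms line: "<hex address> <type> <name>[\t[module]]"
KALLSYMS_LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)")

def parse_kallsyms(text):
    """Parse kallsyms-style text into (address, type, name) tuples."""
    syms = []
    for line in text.splitlines():
        m = KALLSYMS_LINE.match(line)
        if m:
            syms.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return syms

def addresses_exposed(syms):
    """True if any address is nonzero, i.e. kptr_restrict is not masking the file for this reader."""
    return any(addr != 0 for addr, _, _ in syms)

def lookup_symbol(syms, name):
    """Exact-name lookup of a text/data symbol; None if absent or masked to 0.
    The PoC's strstr() match would also hit longer names that merely contain `name`."""
    for addr, typ, sym in syms:
        if sym == name and typ in "TtDd" and addr != 0:
            return addr
    return None

def audit_host():
    """Report the live setting as the current user (read-only).
    kptr_restrict: 0 = addresses shown to everyone, 1 = zeroed without CAP_SYSLOG, 2 = always zeroed."""
    try:
        with open("/proc/sys/kernel/kptr_restrict") as f:
            restrict = int(f.read().strip())
    except (OSError, ValueError):
        restrict = None
    try:
        with open("/proc/kallsyms") as f:
            exposed = addresses_exposed(parse_kallsyms(f.read()))
    except OSError:
        exposed = False
    return {"kptr_restrict": restrict, "addresses_exposed": exposed,
            "unprivileged_leak_expected": restrict == 0}

# Constructed sample input (not from a real machine); printk_deferred comes first on purpose
# so a substring match on "printk" would pick the wrong symbol.
MASKED = "0000000000000000 T printk\n0000000000000000 D jiffies\n"
LEAKED = ("ffffffff81100000 T printk_deferred\n"
          "ffffffff810fff00 T printk\nffffffff82000000 D jiffies\n")
```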

@mothcompute no need to worry about software eating the world if @domi has eaten all the software

0
0
1

@tay @domi that, and also CAP_NET_ADMIN, which is like. lmao what are we even doing

1
0
0

@tay @domi like maybe it's a hot take but on any relatively complex/critical Linux box having CAP_NET_ADMIN could be LPE in itself

1
0
0
@ptrc @tay @domi And even if you don't get LPE right away, you can do MITM with that kind of thing and SSH is like the only protocol which defends against that (which is then only a rushed-admin away from getting access).
0
0
0

@domi i thought it was well known that linux is chock full of privilege escalation vulns? that's why hardly anyone does shared local systems any more

0
0
0

@domi we've been just, in love with responsible disclosure recently huh

0
1
0