Exploit Rowhammer - NaCl Sandbox Escape

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
36311
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
LOCAL
Платформа
LINUX_X86-64
CVE
cve-2015-3693 cve-2015-0565
Дата публикации
2015-03-09
Rowhammer - NaCl Sandbox Escape
Код:
Sources:
http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://code.google.com/p/google-security-research/issues/detail?id=284

Full PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36311.tar.gz


This is a proof-of-concept exploit that is able to escape from Native
Client's x86-64 sandbox on machines that are susceptible to the DRAM
"rowhammer" problem.  It works by inducing a bit flip in read-only
code so that the code is no longer safe, producing instruction
sequences that wouldn't pass NaCl's x86-64 validator.

Note that this uses the CLFLUSH instruction, so it doesn't work in
newer versions of NaCl where this instruction is disallowed by the
validator.

There are two ways to test the exploit program without getting a real
rowhammer-induced bit flip:

 * Unit testing: rowhammer_escape_test.c can be compiled and run as a
   Linux executable (instead of as a NaCl executable).  In this case,
   it tests each possible bit flip in its code template, checking that
   each is handled correctly.

 * Testing inside NaCl: The patch "inject_bit_flip_for_testing.patch"
   modifies NaCl's dyncode_create() syscall to inject a bit flip for
   testing purposes.  This syscall is NaCl's interface for loading
   code dynamically.

Mark Seaborn
[email protected]
March 2015
 
Источник
www.exploit-db.com

Похожие темы