Show Notes

188 - Rusty Kernel Bugs, mast1c0re, and OpenSSH

A use-after-free (UAF) in OpenSSH that yields a double free and is hittable pre-authentication. The bug comes down to the compat_kex_proposal function used when building the key exchange proposal, and its compatibility handling for older clients: when the client's version string matches the SSH_OLD_DHGEX compat entry, the function filters the group-exchange methods out of the list and free()s the string that the kex_algorithms field of the options object points at, but the field itself is never updated, so it keeps the dangling pointer. Later on, kex_algorithms is passed into the ASSEMBLE macro to rebuild the list of algorithms, which frees it again, causing the double free.

It's hard to imagine how this code was supposed to work at all: the only condition for triggering it is connecting with a client whose version string matches the old-DHGEX compat patterns, and the client picks that string, so any attacker can send one. Though this is pre-auth, it would be difficult to exploit remotely. OpenSSH sandboxes the pre-auth child, and you'd need a heap reallocation primitive reachable before authentication to turn the double free into something useful, which is probably uncommon. However, since the process you'd be targeting is a child forked for that connection, a failed attempt only kills that child, so you could keep trying until it worked without crashing the listening sshd. The bug was introduced in OpenSSH 9.1 and fixed in 9.2.
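Added example, not OpenSSH's code and not from the episode: a C model of the ownership bug described above. It puts the vulnerable compat_kex_proposal shape (frees the caller's string, returns a replacement) beside a fixed shape that never frees its input, and then runs the later ASSEMBLE-style re-assembly that performs the second free. The heap shim, filter_denylist, assemble and simulate_connection are simplified stand-ins written for this illustration; the algorithm list and the "old client" flag are constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ownership-tracking heap shim: chunks are marked freed but never returned to
 * the system, so a second free of the same pointer is counted instead of
 * corrupting the real allocator or being masked by address reuse. */
enum { MAX_CHUNKS = 32 };
static struct { char *ptr; int freed; } chunks[MAX_CHUNKS];
static int nchunks, double_frees;

static char *h_alloc(size_t n)
{
    if (nchunks == MAX_CHUNKS || (chunks[nchunks].ptr = calloc(n, 1)) == NULL) abort();
    chunks[nchunks].freed = 0;
    return chunks[nchunks++].ptr;
}
static char *h_strdup(const char *s) { return memcpy(h_alloc(strlen(s) + 1), s, strlen(s) + 1); }
static void h_free(char *p)
{
    for (int i = 0; i < nchunks; i++)
        if (chunks[i].ptr == p) { double_frees += chunks[i].freed; chunks[i].freed = 1; return; }
}
static void h_reset(void)
{
    while (nchunks > 0) free(chunks[--nchunks].ptr);
    double_frees = 0;
}

/* Is `name` (len bytes) one of the comma-separated entries of `list`? */
static int in_list(const char *name, size_t len, const char *list)
{
    for (const char *p = list;;) {
        const char *end = strchr(p, ',');
        size_t tlen = end ? (size_t)(end - p) : strlen(p);
        if (tlen == len && memcmp(p, name, len) == 0) return 1;
        if (end == NULL) return 0;
        p = end + 1;
    }
}

/* Simplified stand-in for match_filter_denylist(): a fresh list with every
 * entry of `deny` removed. Always a new allocation; `list` is left alone. */
static char *filter_denylist(const char *list, const char *deny)
{
    char *out = h_alloc(strlen(list) + 1), *w = out;   /* calloc supplies the terminator */
    for (const char *p = list;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (!in_list(p, len, deny)) {
            if (w != out) *w++ = ',';
            memcpy(w, p, len);
            w += len;
        }
        if (end == NULL) return out;
        p = end + 1;
    }
}

#define OLD_DHGEX_DENY "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1"

/* Vulnerable shape as described in the episode: for an old-DHGEX client it
 * filters the list into a new string but frees the caller's original, which
 * the caller's options struct still points at. */
static char *compat_kex_proposal_vuln(int old_dhgex, char *p)
{
    if (!old_dhgex) return h_strdup(p);
    char *cp = p;
    p = filter_denylist(p, OLD_DHGEX_DENY);
    h_free(cp);                     /* frees options.kex_algorithms behind the caller's back */
    return p;
}

/* Fixed shape: the input is const and never freed; the caller keeps ownership. */
static char *compat_kex_proposal_fixed(int old_dhgex, const char *p)
{
    if (!old_dhgex) return h_strdup(p);
    return filter_denylist(p, OLD_DHGEX_DENY);
}

/* Stand-in for kex_assemble_names() behind the ASSEMBLE macro: replaces the
 * option list in place and frees whatever pointer the struct held. */
static void assemble(char **listp, const char *assembled)
{
    char *old = *listp;
    *listp = h_strdup(assembled);
    h_free(old);
}

static char last_proposal[256];     /* the KEX proposal the last simulated connection sent */

/* One connection: build the KEX proposal, then re-assemble the server options
 * as later Match-block processing does. Returns the number of double frees. */
int simulate_connection(int fixed, int old_dhgex)
{
    struct { char *kex_algorithms; } options;   /* the relevant slice of ServerOptions */
    h_reset();
    options.kex_algorithms = h_strdup("curve25519-sha256,diffie-hellman-group-exchange-sha256,"
                                      "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256");
    char *proposal = fixed ? compat_kex_proposal_fixed(old_dhgex, options.kex_algorithms)
                           : compat_kex_proposal_vuln(old_dhgex, options.kex_algorithms);
    snprintf(last_proposal, sizeof last_proposal, "%s", proposal);
    assemble(&options.kex_algorithms, "curve25519-sha256");   /* second free if the pointer dangles */
    h_free(proposal);
    h_free(options.kex_algorithms);
    return double_frees;
}
```

simulate_connection(0, 1) reports one double free and simulate_connection(1, 1) none, while both send the same filtered proposal; the fix is purely about who owns the string. Against a real allocator the second free would hit OpenBSD's malloc or glibc's tcache checks, which abort on the simplest double-free shapes, which is part of why turning this into more than a crash is hard.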

A very easy stack overflow in the PS2 game Okage: Shadow King. The profile name from the save file was copied into a stack buffer without bounds checking, so an overlong name overwrites the saved return address on the stack. As this is PS2, there are no stack cookies, ASLR or DEP, so exploitation was fairly straightforward. By using the PCSX2 emulator and writing scripts to recompute the save file's checksums, they could debug the exploit and get MIPS shellcode running. What's notable about this post isn't so much the vuln/exploit as the impact on PS4/PS5 console exploitation: PS2 emulation is one of the few applications allowed JIT memory (generating and executing native code at runtime), which is very relevant on PS5 where eXecute-Only Memory (XOM) is enforced and code pages cannot be read, ruling out dumping binaries to build ROP chains.
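Added example, not from the mast1c0re writeup or the game: a C model of the bug class above, an unbounded strcpy()-style copy of a profile name into a fixed stack buffer beside a bounded copy, plus the payload construction that lands a chosen address in the saved $ra. The frame layout (16-byte buffer, one saved-register slot, then $ra) is a hypothetical stand-in for the real game's frame, the copy is done over a struct so the overwrite can be observed without undefined behaviour, and the host is assumed little-endian like the PS2's EE.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the vulnerable function's stack frame on the PS2's
 * little-endian MIPS core: the fixed-size profile-name buffer, one
 * callee-saved register slot, then the saved return address ($ra) that the
 * epilogue reloads and jumps to. Sizes are illustrative, not the game's. */
struct frame_model {
    char     name[16];
    uint32_t saved_s0;
    uint32_t saved_ra;
};
#define RA_OFFSET offsetof(struct frame_model, saved_ra)

/* Vulnerable shape: strcpy()-style copy of the save file's profile name with
 * no length check. Written over the whole frame model so the overwrite of
 * saved_ra is observable here instead of being undefined behaviour. */
static size_t copy_name_unbounded(struct frame_model *f, const unsigned char *name)
{
    unsigned char *dst = (unsigned char *)f;
    size_t i = 0;
    while (name[i] != '\0' && i < sizeof *f) { dst[i] = name[i]; i++; }   /* stops only at NUL */
    if (i < sizeof *f) dst[i] = '\0';
    return i;
}

/* Hardened shape: copy only into name[] and reject anything that will not fit. */
static int copy_name_bounded(struct frame_model *f, const unsigned char *name, size_t len)
{
    if (len >= sizeof f->name) return -1;       /* leave room for the terminator */
    memcpy(f->name, name, len);
    f->name[len] = '\0';
    return 0;
}

/* Builds a profile name that lands `target` in saved_ra. A strcpy()-style copy
 * stops at the first NUL, so every payload byte before the last must be
 * nonzero. The EE stores the address little-endian, so its top byte is copied
 * last: for a target in PS2 main RAM (below 0x02000000, top byte 0x00) the
 * copy's own terminator supplies that byte. Returns the payload length, or 0
 * when an interior address byte is zero and the copy would stop early. */
static size_t build_payload(uint32_t target, unsigned char *out, size_t out_len)
{
    unsigned char addr[4] = { (unsigned char)target, (unsigned char)(target >> 8),
                              (unsigned char)(target >> 16), (unsigned char)(target >> 24) };
    if (out_len < RA_OFFSET + 5 || addr[0] == 0 || addr[1] == 0 || addr[2] == 0) return 0;
    memset(out, 'A', RA_OFFSET);                /* fills name[] and the saved_s0 slot */
    memcpy(out + RA_OFFSET, addr, 4);
    size_t len = RA_OFFSET + (addr[3] == 0 ? 3 : 4);
    out[len] = '\0';
    return len;
}

/* Saved return address after the vulnerable copy; 0xDEADBEEF means untouched. */
uint32_t ra_after_unbounded_copy(const unsigned char *name)
{
    struct frame_model f = { .saved_ra = 0xDEADBEEFu };
    copy_name_unbounded(&f, name);
    return f.saved_ra;
}

/* Same for the hardened copy; *rc receives its accept (0) or reject (-1) result. */
uint32_t ra_after_bounded_copy(const unsigned char *name, int *rc)
{
    struct frame_model f = { .saved_ra = 0xDEADBEEFu };
    *rc = copy_name_bounded(&f, name, strlen((const char *)name));
    return f.saved_ra;
}
```

The NUL constraint is the part worth internalising: with a strcpy-style sink the payload can contain only one zero byte, the terminator, and the byte order of the target decides which address byte that terminator may be. On the PS2, whose main RAM sits below 0x02000000, the terminator conveniently becomes the top byte of the return address; an address with a zero anywhere else cannot be delivered this way.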