Show Notes

242 - kCTF Changes, LogMeIn, and wlan VFS Bugs

The primitive in play here is a handle duplication attack: the LogMeIn device driver exposes an IOCTL that temporarily duplicates a handle specified by the caller (attacker). Combined with the driver allowing users to open the device with PROCESS_DUP_HANDLE, one can open the device and then try to duplicate the newly created handle before it gets closed, keeping a reference to a privileged handle that can then be used for an elevation of privilege.

The Mediatek wlan driver on Android has several files exposed under the /proc virtual filesystem. Some of these read handlers do not check the caller-provided buffer size before copying data out into the user buffer, so the copy may overflow the caller's buffer. The most obvious case would just result in a sort of self-exploitation (a process overflowing its own buffer), but given the ability to share file descriptors across processes, one may be able to abuse this overflow to exploit a privileged process. It is a pretty interesting primitive to have, and not necessarily well controlled in terms of what data is written, but it feels like it could be a pretty cool exploit to pull off.
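The read-handler bug class described above, shown as an added user-space illustration rather than code from the Mediatek driver: a /proc-style read callback that sizes its copy by the driver's own data and ignores the caller's `count`, beside the bounded form that clamps to the user buffer. The driver state string is constructed, and `copy_to_user()` is stood in by `memcpy()` so the file compiles and runs outside the kernel.

```c
#include <string.h>
#include <sys/types.h>

/* Constructed sample of driver state exposed through a /proc file. */
static const char DRIVER_STATE[] = "wlan: chip=0xAAAA fw=1.2.3 rssi=-55 channel=36\n";

/* copy_to_user() stands in as memcpy() so this builds and runs in user space. */
#define copy_to_user_sim(to, from, n) memcpy((to), (from), (n))

/* Vulnerable pattern: the copy is sized by the driver's own data length and
 * the caller-supplied `count` (the size of the user buffer) is never consulted. */
static ssize_t vuln_proc_read(char *ubuf, size_t count, size_t *ppos) {
    size_t len = strlen(DRIVER_STATE);
    (void)count;                          /* user buffer size is ignored */
    if (*ppos >= len) return 0;
    copy_to_user_sim(ubuf, DRIVER_STATE + *ppos, len - *ppos);
    *ppos = len;
    return (ssize_t)len;
}

/* Hardened pattern: clamp the copy to min(count, remaining) and advance *ppos
 * so a caller with a small buffer drains the data over several reads. */
static ssize_t safe_proc_read(char *ubuf, size_t count, size_t *ppos) {
    size_t len = strlen(DRIVER_STATE), n;
    if (*ppos >= len) return 0;
    n = len - *ppos;
    if (n > count) n = count;             /* never exceed the caller's buffer */
    copy_to_user_sim(ubuf, DRIVER_STATE + *ppos, n);
    *ppos += n;
    return (ssize_t)n;
}

/* Probe: hand a handler a 256-byte backing buffer but claim only `count` bytes,
 * then count the canary bytes beyond `count` that it overwrote. */
static size_t bytes_past_count(ssize_t (*rd)(char *, size_t, size_t *), size_t count) {
    char backing[256];
    size_t pos = 0, i, clobbered = 0;
    memset(backing, 'Z', sizeof backing);
    rd(backing, count, &pos);
    for (i = count; i < sizeof backing; i++)
        if (backing[i] != 'Z') clobbered++;
    return clobbered;
}

/* Read everything through the hardened handler `chunk` bytes at a time. */
static size_t drain_in_chunks(size_t chunk) {
    char buf[256]; size_t pos = 0, total = 0; ssize_t n;
    while ((n = safe_proc_read(buf, chunk, &pos)) > 0) total += (size_t)n;
    return total;
}
```

The probe deliberately backs the "small" buffer with 256 real bytes so the vulnerable handler's overrun is measured rather than actually corrupting memory; in the kernel the same overrun would land in whatever sits after the caller's buffer.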