Vulnerabilities tagged "kernel"

LogMeIn Driver Handle Duplication Vulnerability Leading to Privilege Escalation

The primitive in play here is a handle duplication attack, and basically the LogMeIn device driver has an IOCTL that will temporarily duplicate a handle specified by the caller (attacker). Along with allowing users to open the device with `PROCESS_DUP_HANDLE` one can open the device and then try to duplicate the newly created handle before it gets closed to continue to hold a reference to a privileged handle and use that for an elevation of privilege.

XNU: NFSSVC root check bypass; use after free due to insufficient locking in upcall worker threads

This was a fun authorization check bypass because when checking if higher privileges were needed the `flag` value was checked for equality with the two privileged actions.Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set...

Exploiting null-dereferences in the Linux kernel

The last time we covered a "how to exploit a null-deref in the modern era" post we were...disappointed (and potentially attacked by North Korea but that's another story), this one is legit. Rather than focusing on the null-deref as the core memory corruption though, it abuses the handling of the null-dereference with a kernel oops and the side-effects of the oops to overflow a reference count.