Capability Check Bypass in Fuchsia OS

We discussed this vulnerability as part of our weekly podcast on 01 June 2022

The majority of this post is going into background on Fuchsia and exploiting a fake vulnerability, there was one novel vulnerability that the author came across though. To obtain a KASLR bypass, the author thought to try and gain access to the kernel log for any pointers that might be leaked. This couldn’t be done normally, but they came across sys_debuglog_create. The documentation indicated that this would require a resource of ZX_RSRC_KIND_ROOT type, basically this is a capability check requiring “root” privileges. Yet when he actually tried to use the function, passing in some dummy resource value, it worked.

This is because the function first checks if the provided resource is valid, and then checks its type. If the resource is an invalid handle, the code just carries on like normal, bypassing the security check.