Kernel Configuration Glossary
February 28, 2019
In our post “Millions of Binaries Later: a Look Into Linux Hardening in the Wild”, we examined the security properties of different distributions. In the following, we provide a glossary for the security-relevant kernel configuration options discussed in that post (scraped from the Linux Kernel Driver Database). Option Description Significance CONFIG_X86_SMAP Supervisor Mode Access Prevention […]
Linux Hardening in the Wild
February 28, 2019
TL;DR: Millions of Binaries Later In this post, we explore the adoption of Linux hardening schemes across five popular distributions by examining their out-of-the-box properties. For each distribution, we analyzed its default kernel configuration, downloaded all its packages, and analyzed the hardening schemes of their enclosed binaries. Our dataset includes the OpenSUSE 12.4, Debian 9, […]
UAFs in Linux Kernel Modules: CVE-2019-8912 & CVE-2019-8956
February 22, 2019
A researcher using syzkaller found a locally-exploitable bug in Linux’s crypto API, CVE-2019-8912, which allows for a use-after-free in sockfs_setattr. It’s received sudden buzz, probably because a bug in the kernel’s cryptography API sounds pretty scary! And, there’s a hot 2-for-1 special for Linux use-after-free bugs with the announcement of CVE-2019-8956, too. What makes it […]
Nested Guests: CVE-2019-7221
February 18, 2019
Earlier this month, twin KVM bugs found by Google’s Project Zero team were released publicly: CVE-2019-7221, a use-after-free vulnerability, and CVE-2019-7222, a memory leak that can assist exploitation of the former vulnerability. Why is it cool? If successfully exploited, CVE-2019-7221 can give an attacker a guest-to-host escape and root privileges on that host. It’s a […]
Dirty Sock: CVE-2019-7304
February 13, 2019
Today, Chris Moberly blogged about his local privilege escalation bug in Ubuntu Linux, CVE-2019-7304, a.k.a. the “Dirty Sock” exploit (ew). This affects snapd, which is installed on Ubuntu 16.04.4 LTS and later by default, but snapd is also available for other Linux distributions with a manual install. Beneath the hype: Snapd’s auto-update should mean you […]
A Brief Review of CVE-2019-5736: runc Container Breakout
February 12, 2019
A group of researchers yesterday announced CVE-2019-5736, a runc container breakout affecting container tools including Docker, Kubernetes, and containerd. Why it matters: Because many people run containers as “root,” the exploitability here is pretty easy. However, it still requires some level of interaction: Starting from an attacker-controlled container “Exec” (in Docker) into a compromised container […]
Exploiting systemd-journald Part 2
February 6, 2019
Introduction This is the second part in a multipart series on exploiting two vulnerabilities in systemd-journald, which were published by Qualys on January 9th. In the first post, we covered how to communicate with journald, and built a simple proof-of-concept to exploit the vulnerability, using predefined constants for fixed addresses (with ASLR disabled). In this […]
Capsule8’s Stance on Publication and Vulnerability Disclosure
February 4, 2019
Last week, Capsule8 Labs released an exploit for the problems in systemd that Qualys identified on January 9th, as part of series analyzing the vulnerabilities CVE-2018-16865 and CVE-2018-16866. We were asked why we would “weaponize” the exploits and if it would arm those looking to do harm. We have decided to expand on our reasoning, […]