poppopret.org - Michael Coppola

Description: Talkin' 'bout bugs 'n stuff

Example domain paragraphs

CSAW CTF 2015 was this past weekend, and as in previous years, I fielded a Linux kernel exploitation challenge for finalists in NYC. This year, I wrote the challenge “StringIPC.” Three of the 15 teams solved the challenge.

StringIPC is a kernel module providing a terrible IPC interface allowing processes to pass strings to one another. Clients interface with the driver by allocating a new IPC “channel” (or opening an existing one). Each channel is associated with a channel ID and a buffer in kernel-land. This buffer may be read from or written to by clients and is used to pass messages between them. The size of this buffer is chosen by the user at allocation time, and clients may seek, grow, or shrink the buffer at any time. The design of

Each team was presented with unprivileged access to a DigitalOcean droplet running 64-bit Ubuntu 14.04.3 LTS. The vulnerable kernel module StringIPC.ko was loaded on each system, and successful exploitation would allow for local privilege escalation and subsequent reading of the flag.