Posts

Showing posts from May, 2023

CVE-2020-27786 exploitation: userfaultfd + patching file struct /etc/passwd

Introduction. In this blog post I will show how I wrote an exploit for CVE-2020-27786 to achieve local privilege escalation in Linux. MIDI is a sound device. Looking at https://www.cvedetails.com/cve/CVE-2020-27786/ it says: "A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue." We are going to reproduce this CVE on kernel 4.9.220. The vulnerability. The fops of the MIDI device can be found at https://elixir.bootlin.com/linux/v4.9.220/source/sound/core/rawmidi.c#L1484. The write fop (the read fop is similar) ultimately calls snd_rawmidi_kernel_write1(), where there is a race window between spin_unlock_irqrestore() and spin_lock_irqsave() in which copy_from_user() can write into the object runtime->buffer, but this only happens in a really small window. Mitigation. To better understand the vulnerability, take a look a...