lkpelectro.blogg.se

Sysinternals process monitor fast io disallowed

2022 discoveries of new privilege escalation techniques

Modern hacking techniques often use legitimate operating system tools for bad purposes. Such is the potential case with the common traffic monitoring Linux subsystem called eBPF. eBPF is a two-way street that, if abused, allows the adversary direct access and privilege to the Linux kernel. Although eBPF does impose restrictions on the code running in it, some of them can be bypassed. This would result in the ability to run malicious code at the kernel level and achieve privilege escalation. In this paper we will review how it is done.

The quickest way to disable this privilege escalation technique is to set the configuration flag for this subsystem so that it prevents unauthorized privileged access, and to make sure the environment has the latest kernel update. For older kernels, a modern perimeter of access needs to be established to prevent and restrict possible unauthorized access.

You might be prone to an attack that leverages eBPF bugs if you are running an Ubuntu workstation or server that was provisioned in the past 2 years.

Who should take the time to read this document in full? SOC, Blue Teamers, DFIR and any other corporate function that manages the risk and response to attacks on Ubuntu devices. On the other side of the cyber spectrum, Red Teamers and pen-testers are encouraged to read this attack domain to enrich their attack engagements with hands-on tips from a senior security researcher. Reading this blog will allow you to understand the eBPF mechanism and how a fairly small bug can lead to the compromise of the entire system.

MITRE ATT&CK technique: Exploitation for Privilege Escalation (T1068).

Affected platforms: Linux, mainly Ubuntu, but possibly any Linux machine where the unprivileged_bpf_disabled flag is set to 0.

Mitigation: ensure that your Linux distro is configured not to allow unprivileged users to run eBPF programs. If the config parameter `unprivileged_bpf_disabled` in the kernel is set to 0, it will be possible to run eBPF programs as an unprivileged user, and the attack vector described in this paper may be possible. This means that the config parameter `unprivileged_bpf_disabled` should be set to 1 in the kernel to disable the possibility of running eBPF programs as an unprivileged user. The faulty configuration is not the default in most Linux distributions. For example, it is properly disabled in Red Hat distributions.
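An added example, not code from the original post, of how a defender would check the `unprivileged_bpf_disabled` setting described above and what the hardened sysctl fragment looks like next to the weak one. It assumes a Linux host; the optional file argument, the drop-in file name and the sample values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the original post): audit the
# kernel.unprivileged_bpf_disabled setting discussed in the text and show
# the hardened sysctl fragment beside the weak one. Assumes a Linux host;
# the optional file argument exists so the check can run on a sample file.

SYSCTL_FILE=/proc/sys/kernel/unprivileged_bpf_disabled

# Print a classification of the sysctl value. Meaning of the values:
#   0  unprivileged users may load eBPF programs (the weak setting)
#   1  disabled; cannot be re-enabled without a reboot
#   2  disabled; root may switch it back to 0 (kernels 5.15 and later)
bpf_unprivileged_status() {
    file="${1:-$SYSCTL_FILE}"
    if [ ! -r "$file" ]; then
        echo "unknown"
        return 0
    fi
    case "$(tr -d '[:space:]' < "$file")" in
        0) echo "allowed" ;;
        1) echo "disabled-locked" ;;
        2) echo "disabled-unlockable" ;;
        *) echo "unknown" ;;
    esac
}

# Persistent hardened setting for an /etc/sysctl.d drop-in. It is printed
# rather than written so the script is safe to run anywhere; the file name
# is an assumption. Value 1 is what the text recommends.
hardened_sysctl_fragment() {
    printf '# /etc/sysctl.d/99-bpf-hardening.conf (assumed name)\n'
    printf '# weak setting this replaces: kernel.unprivileged_bpf_disabled = 0\n'
    printf 'kernel.unprivileged_bpf_disabled = 1\n'
}

# Live check of this host. "allowed" is the exposed configuration the text
# warns about; "unknown" means the sysctl is absent (not Linux, or no /proc).
status=$(bpf_unprivileged_status)
echo "unprivileged eBPF loading: $status"
if [ "$status" = "allowed" ]; then
    echo "Write the fragment below, then run: sysctl --system"
    hardened_sysctl_fragment
fi
```

For immediate effect on a running host, `sysctl -w kernel.unprivileged_bpf_disabled=1` applies the same value; a value of 1 cannot be reverted without a reboot, which is the point of the setting.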