Thanks for watching guys! ( come learn C at lowlevel.academy 🥺)

It was discovered in January, 2024. And has been patched already. All the rolling distributions would have the patch already installed. Ubuntu has already issued the patch back in Jan.

The most shocking part of this video was that 2016 was 8 years ago.

If you're wondering which kernel versions are vulnerable, here's what I found: The exploit affects kernel versions from (including) v5.14 to (including) v6.6, excluding patched branches v5.15.149>, v6.1.76>, v6.6.15>.

me, a plucky wizards apprentice resetting user passwords and setting up accounts, watching a KZbin video about dark sorcerers unraveling death itself and warping space and time

What I like about Linux is that when a vulnerability like this is found, the community comes together and fixes it asap.

I just read this entire write up yesterday, and I was blown away with the thoroughness and complexity of the research. And, it was only found because the author found a bug while trying to do some work. Most people just find another way, this guy found a wild exploit. Very impressive. Cheers to notselwyn

We’re making it out of the userspace with this one boys

Hi, this was a slightly unleveled video: It was basic in the beginning with you explaining what the kernel does and about syscalls, and then you explained the whole exploit in less time than that, which was too advanced. I know what the kernel is and that by interfacing with the kernel you are asking the kernel to do stuff. I also understand double-freeing and use after free, but socket buffer freelist/all those page descriptors/modprobe was explained in less than 2 minutes If you spent maybe 2 mins explaining the kernel and syscall basics part and 4-5 mins on the actual exploit, it would have more sense Thanks!

Time to finally root the Oculus Quest 2

Running in kernel is worse than running as root.

It was fixed almost immediately. That is a strong advantage of Open Source in contrast to big corp coverups

I'm learning that the safest way to store your secure data is on a piece of paper

Welp, time to upgrade my kernel.

Really enjoyed this kind of video from you! Admittedly, some of the exploit explanation went over my head and I'll need to do some further research on my end. You might have yourself a little niche here of in-depth explanations of vulnerabilities in an ELI5 manner if you want it. I'd love to see more videos like this with other well-known or new vulnerabilities.

Bugs never went away, but recently, it feels like bugs just did 20 years in prison, and they've been released on parole.

Great that you used one of the Tuxlets in your video, that I made with my son years ago. 👍

The poor guy that was tasked to educate me about Linux wasn't allowed to use an updated Linux for education... he had to stick to one (old) version of RedHat, because that's what the book used... It took me 1 Google, 3 potential exploits and 15 minutes to become root of that educational Linux server. (Okay, I was familiar with Linux before they tried to educate me). I just made an extra root account, which was allowed to login via ssh. Could have locked out everyone else... but I was just making a point about using outdated software for education. Netfilter is quite a problem if it can elevate privileges. But at the same time kinda predictable... I'm happy that it's been found, so next iteration will be safer. Worst is how easy it can be used.

I am looking at the proprietary Linux devices at home and at work and just... curiously tapping my chin. This ought to be interesting (:

okay the GH says this blows right through defaults on debian-core systems... does this work on more serious SELinux like RHEL or Gentoo?

Relatively new here - background is in mechanical engineering but I would really like to learn embedded software development ( for myself and for my job). Really enjoy these types of videos. I will say I always write some of the acronyms from these videos down on stickies to look up later, given my lack of knowledge of the inner workings of computers. TIL what a TLB is. Anyways, looking forward to any and all videos 👍🏼

Hey @LowLevelLearning, how do you decide what to learn?

Hmmm, what I hear is: NEW android rooting method (possibly) if someone implements this functionality into a su/sudo, someone else might be able to port it on android and we'll have a new way of rooting some of the older phones that either didn't have a way to be rooted or didn't have a big enough user base for someone to find a way to root them. ofc this is only possible if the same exploit is available in the android kernel.

the amount of grinding through kernel code and memory dumps that must have been put to develop this exploit is beyond my comprehension... now if i add to this that merely obtaining a kernel memory dump is way more complicated than in case of a user space results in me getting a headache just thinking about it ;-]

This works a bit like a digital Rube Goldberg machine.

I love how you keep it short all the time, I don't want to watch through 40 minutes of detailed explanation. This is the perfect overview - thank you very much

Right after i installed debian...

Yeah all Linux distributions probably has this patched, but think about all the routers and phones and devices like smart TVs and everything that are connected to the internet and are probably still outdated, like your router if you have an ISP that doesn't allow you to switch it. A lot of these run on Linux and are likely using an outdated version of the kernel.

Really hope one day I could comprehend all this shenanigans lol .. great vid!

One thing many folks might not understand is that the attacker needs to have access to the system to exploit/gain this privilege. That being said, it can be used in a process where user xyz is harmlessly (or intentionally) installing something onto the box itself. This doesn't mean that any Linux system sitting idly on a network can be exploited from a pure network means. One of the overcites most folks make is hearing there is an exploit that gains root access means you need to drop everything and patch any and every system running Linux distro version xyz as the exploit affects them immediately. It really depends on the system, it's use, it's broad access, and several other factors. Granted, this is not to say you should not address such a situation, but by all means it doesn't mean the sky is falling either. All the same, very interesting how this one works, and thank you for breaking it down the way you have.

This channel is so awesome and educational. Look forward to spending more time with it.

Can you talk about the backdoor in liblzma/xz that lets you avoid SSH?

Should have pointed out that so long as people were doing their updates, this was patched back in January. FUD, for clickbait!

How is double free a thing? Is it for multiple locks on the same file? Lock decrements instead of setting to 0? Are there double lock errors then when files are permanently closed?

Hmm, self learning cyber security here, so this attack would not work on environments where Structured Exception Handling Overwrite Protection is enabled, because the kernel entry does not match the one as recorded? Or is it not available on Linux? Thanks

I wonder if segregating the kernel dynamic memory meta data from the allocate-able memory would make this harder? Use the freed block to hold their own meta data is nice, but is it an unnecessary risk?

Thanks for sharing your enthusiasm on this exploit. Next time, please try digging into it.

I dont understand almost any of these but still catches my genuine interest, congrats bro!!

Does this work on all Unix systems? I’d like to know if this can be done on a Mac in any way.

Congrats on doing an excellent job explaining it. Thanks!

Exploit explanation starts at 3:47

How was this bug discovered?

Thank you for the quality content don't hesitate to go super go level and in depth I love it

Subscribed 😊🎉 great content

I get freelist is probably the prime example where to use linked lists over other alternatives, but for sake of argument assume freelist would have been a plain array (or vector). Would that have prevented the abuse from double free? (Yes I know fixing the double-free is the first priority)

So, this information only makes my situation way more puzzling to me. My respect for you guys is beyond comprehensive. I just wish I could cling onto the information and actually put it into play to fix my situation.

you should definitely do more detailed exploit writeup videos! :)

I had this question over "immutable" os utilizing overlayfs, and escaping containers and chroot in this low level way.

dude i'm high on shrooms rn this is insane.

as someone who spent his teenage years in the 80’s aligning floppy disks who also had an engineering background - I always found that disks would run far more concentrically if you lowered the disk clamp slowly to give the cone a chance to clamp the disk correctly

Soooo, what is vulnerable to this? Is this something that can happen if you have a socket based connection? Do you need access before escalating? Itd be nice to know how to protect myself and not just how they do it.

modprobe? You should sign the module if you are using secure boot, right? Does the exploit work with secure boot? kinda tired to look for my self r8 now :)

So how do you double free the kernel without being root? Or another privelaged user?

When do you anticipate this to be fixed and various distro's available?

I run the CVE testing code from the github account on a very recent (and patched) kernel and it froze and crashed the system. Very interesting

Thank you for having a correct title, seen some people saying stuff like "linux got wrecked". I appreciate your title game more for being truthful.

So, who was affected by this? Any system? Or just very specific network configuration?

Why would a double free imply a use after free in this case? Are you saying that the memory was freed, and then the attacker somehow induced an allocation at that moment? Knowing that the 2nd free would soon occur?

Sweet 'sploit, scary 'sploit. It must have been there for a long time and I wonder what other well resourced adversaries were sitting on it in a zeroday portfolio. Appears to require a local user, but also seems to be the kind of thing that might be projected through a web service bug into a RCE.

what tool created that flowchart? it's svg based..

"In 2016, about 8 years ago", god damn man, you're making me feel old

So could the same thing be done on Mac OS since it is based on UNIX like LINUX is?

You should do a video on the most impactful or crazy bugs of all time, or perhaps per decade/computing era

I wish there was a linux/bsd channel ran by someone who actually knew anything.

Appreciate the lecture!

I love how the author made such a cool graphic instead of just writing about it. It's clearly a lot of steps.

with grsecurity kernel hardening you should be fine but ill have to test anyway

I wanna see the faulty code path that can cause the double free and what the mitigation is.

“Dirty Cow” sounds like it would be a drink in Wisconsin lmao

I usually kinda understand a lot of general exploit stuff but this is just insane

this video finished too soon!! Very simple explanation, this dude might be a great teacher.

explaiend really well! thank you

This video was fascinating to listen to as a Linux fan but if I am honest, I have no idea what he is talking about. This is on another level way over my head.

That visual aid chart is very Charlie from It's Always Sunny-esque.

I'm loving your Cybersecurity stuff. That's the future

What is the best way to learn Win32 API and Windows exploitation?

Is it possible to use this exploit to get root access on a Android device?

I'm proud I was able to understand half of this after my OS college classes

It's impossible to catch exploit like this in closed source software. Libarchive that was modified by the author of the Linux backdoor is actively used in Windows for more than a year. We know this thanks to Linux being Open Source.

Privilege escalation as a class does not depend on exploiting anything in the Linux kernel. It just means gaining permission to do some normally-restricted thing without proper authentication. This _can_ involve a Kernel exploit, but often means targeting set-uid binaries like ping or sudo. Alternatively you can target a service running with the desired permissions. For example, suppose you have a guest user with ssh-only access to a desktop with a running X11 server. This user does not have permission on /dev/input, nor permission to talk to the X server. Further, suppose this is a legacy system with X11 installed setuid. If the user finds a vulnerability in X11 that makes it change permission on an existing X11 socket to 777 before it drops root, the user can use that vulnerability to give himself permission to talk to the primary user's already running X11 server. Then, through the running X11 server, the guest user can listen to the keyboard and mouse or snoop on existing windows. As this is not an intended permission, gained through an exploit, this is a privilege escalation attack. In practice, relatively few privilege escalation attacks use defects in the kernel. Local-user privilege escalation usually involves finding a misconfigured or defective setuid program. There are also remote-user privilege escalations, usually gaining admin rights on a website or similar service. In this case the attacker doesn't even get permission over a new process, just escalated privileges within a specific application.

Instant subscribe. Keep it up

I'm sick and this vid is already making me happy :)

Requires musl-gcc does this mean it's linked against musl lib? If so it wouldn't work on the majority of Linux systems that use glibc.

windows/macos also have all kinds of bugs but no one knows because the source is not available

So you're saying now I can run system updates without typing my password?

This is awesome. Thank you for explaining it.

I didn't understand a thing after the graph went up, but I hope kernel patches it soon! Did kernel devs found about this exploit "from the news", or maybe they were given a head start into fixing it?

Superb exploitation ! The author of that one must really really have a hands-on grip of Kernel code. Kinda narrows it down some.

0:23 i think the "author of this bug" was probably not using novel techniques, i think they just made a mistake writing some kernel code

Pls tell me when it patched and how i should apply the patch?

LLC has a knack for explaining complicated low level processes in a way noobs can understand, without boring the people that do actually know a bit more. Rare skill.

the moment it is found the repo would have been nuked with pull requests. that's the power of open source

Sounds a little similar to Asahi Lina's MacOS exploit, that also messed with page tables. At least that second half of the exploit

I thought the entire reason we pass syscall argument by registers and not the kernel stack is that those kind of things don't happen.

Now the question is, how long will this bug last?

Yes, I definitely learned something here. That I am stupid as a rock! ))) Even though I've been doing system programming for 30 years now.

many of these techniques are used for windows kernel exploitation quite often

That’s why really wanna learn eBPF but can’t seem to

Would this double-free be possible in other languages, e.g. Rust?

Privilege escalations do not necessarily exploit kernel code, they could exploit weak applications which have higher privilege themselves