Novel Exploitation Tactics in Linux Userspace: One Byte OOB Write to ROP Chain

Presented at A New HOPE (2022), July 22, 2022, 8 p.m. (50 minutes)

Many of the complex surfaces in the GNU C library, such as malloc or IO, have been thoroughly deconstructed and analyzed for use in exploit chains in Linux userspace. One surface, however, the runtime loader, has yet to be brought to its full potential. In this talk, Sammy will discuss going from a one-byte out-of-bounds write to a complete ROP chain without IO access, without brute force, under extremely restrictive seccomp, and without ever needing a memory information leak.

The talk will showcase cutting-edge exploitation tactics in Linux userspace, with a primary focus on utilizing rtld to pull off exploits that previously, without rtld, were completely inaccessible.

Presenters:

  • Sammy Hajhamid
    **Sammy Hajhamid (@pepsipu)** is a blockchain security auditor at OtterSec and is also a CTF player for DiceGang, a U.S.-based CTF team, specializing in binary exploitation. In his free time, he hacks and designs operating systems and embedded software, among other pwn-related things.
