Thanks for watching guys! ( come learn C at lowlevel.academy 🥺)

It was discovered in January, 2024. And has been patched already. All the rolling distributions would have the patch already installed. Ubuntu has already issued the patch back in Jan.

The most shocking part of this video was that 2016 was 8 years ago.

If you're wondering which kernel versions are vulnerable, here's what I found: The exploit affects kernel versions from (including) v5.14 to (including) v6.6, excluding patched branches v5.15.149>, v6.1.76>, v6.6.15>.

I just read this entire write up yesterday, and I was blown away with the thoroughness and complexity of the research. And, it was only found because the author found a bug while trying to do some work. Most people just find another way, this guy found a wild exploit. Very impressive. Cheers to notselwyn

What I like about Linux is that when a vulnerability like this is found, the community comes together and fixes it asap.

me, a plucky wizards apprentice resetting user passwords and setting up accounts, watching a KZfaq video about dark sorcerers unraveling death itself and warping space and time

We’re making it out of the userspace with this one boys

Hi, this was a slightly unleveled video: It was basic in the beginning with you explaining what the kernel does and about syscalls, and then you explained the whole exploit in less time than that, which was too advanced. I know what the kernel is and that by interfacing with the kernel you are asking the kernel to do stuff. I also understand double-freeing and use after free, but socket buffer freelist/all those page descriptors/modprobe was explained in less than 2 minutes If you spent maybe 2 mins explaining the kernel and syscall basics part and 4-5 mins on the actual exploit, it would have more sense Thanks!

It was fixed almost immediately. That is a strong advantage of Open Source in contrast to big corp coverups

Time to finally root the Oculus Quest 2

Really enjoyed this kind of video from you! Admittedly, some of the exploit explanation went over my head and I'll need to do some further research on my end. You might have yourself a little niche here of in-depth explanations of vulnerabilities in an ELI5 manner if you want it. I'd love to see more videos like this with other well-known or new vulnerabilities.

Running in kernel is worse than running as root.

Great that you used one of the Tuxlets in your video, that I made with my son years ago. 👍

Relatively new here - background is in mechanical engineering but I would really like to learn embedded software development ( for myself and for my job). Really enjoy these types of videos. I will say I always write some of the acronyms from these videos down on stickies to look up later, given my lack of knowledge of the inner workings of computers. TIL what a TLB is. Anyways, looking forward to any and all videos 👍🏼

Welp, time to upgrade my kernel.

I love how you keep it short all the time, I don't want to watch through 40 minutes of detailed explanation. This is the perfect overview - thank you very much

the amount of grinding through kernel code and memory dumps that must have been put to develop this exploit is beyond my comprehension... now if i add to this that merely obtaining a kernel memory dump is way more complicated than in case of a user space results in me getting a headache just thinking about it ;-]

Bugs never went away, but recently, it feels like bugs just did 20 years in prison, and they've been released on parole.

I'm learning that the safest way to store your secure data is on a piece of paper

I am looking at the proprietary Linux devices at home and at work and just... curiously tapping my chin. This ought to be interesting (:

Really hope one day I could comprehend all this shenanigans lol .. great vid!

This works a bit like a digital Rube Goldberg machine.

okay the GH says this blows right through defaults on debian-core systems... does this work on more serious SELinux like RHEL or Gentoo?

Thanks for sharing your enthusiasm on this exploit. Next time, please try digging into it.

Hey @LowLevelLearning, how do you decide what to learn?

Can you talk about the backdoor in liblzma/xz that lets you avoid SSH?

The poor guy that was tasked to educate me about Linux wasn't allowed to use an updated Linux for education... he had to stick to one (old) version of RedHat, because that's what the book used... It took me 1 Google, 3 potential exploits and 15 minutes to become root of that educational Linux server. (Okay, I was familiar with Linux before they tried to educate me). I just made an extra root account, which was allowed to login via ssh. Could have locked out everyone else... but I was just making a point about using outdated software for education. Netfilter is quite a problem if it can elevate privileges. But at the same time kinda predictable... I'm happy that it's been found, so next iteration will be safer. Worst is how easy it can be used.

Yeah all Linux distributions probably has this patched, but think about all the routers and phones and devices like smart TVs and everything that are connected to the internet and are probably still outdated, like your router if you have an ISP that doesn't allow you to switch it. A lot of these run on Linux and are likely using an outdated version of the kernel.

Should have pointed out that so long as people were doing their updates, this was patched back in January. FUD, for clickbait!

This channel is so awesome and educational. Look forward to spending more time with it.

you should definitely do more detailed exploit writeup videos! :)

Exploit explanation starts at 3:47

Hmmm, what I hear is: NEW android rooting method (possibly) if someone implements this functionality into a su/sudo, someone else might be able to port it on android and we'll have a new way of rooting some of the older phones that either didn't have a way to be rooted or didn't have a big enough user base for someone to find a way to root them. ofc this is only possible if the same exploit is available in the android kernel.

You should do a video on the most impactful or crazy bugs of all time, or perhaps per decade/computing era

I dont understand almost any of these but still catches my genuine interest, congrats bro!!

Thank you for the quality content don't hesitate to go super go level and in depth I love it

So, this information only makes my situation way more puzzling to me. My respect for you guys is beyond comprehensive. I just wish I could cling onto the information and actually put it into play to fix my situation.

So how do you double free the kernel without being root? Or another privelaged user?

I wonder if segregating the kernel dynamic memory meta data from the allocate-able memory would make this harder? Use the freed block to hold their own meta data is nice, but is it an unnecessary risk?

as someone who spent his teenage years in the 80’s aligning floppy disks who also had an engineering background - I always found that disks would run far more concentrically if you lowered the disk clamp slowly to give the cone a chance to clamp the disk correctly

Does this work on all Unix systems? I’d like to know if this can be done on a Mac in any way.

I had this question over "immutable" os utilizing overlayfs, and escaping containers and chroot in this low level way.

Right after i installed debian...

How is double free a thing? Is it for multiple locks on the same file? Lock decrements instead of setting to 0? Are there double lock errors then when files are permanently closed?

This video was fascinating to listen to as a Linux fan but if I am honest, I have no idea what he is talking about. This is on another level way over my head.

Hmm, self learning cyber security here, so this attack would not work on environments where Structured Exception Handling Overwrite Protection is enabled, because the kernel entry does not match the one as recorded? Or is it not available on Linux? Thanks

Congrats on doing an excellent job explaining it. Thanks!

Thank you for having a correct title, seen some people saying stuff like "linux got wrecked". I appreciate your title game more for being truthful.

_I have learned so much from this channel its amazing. I was scared of writing _*_Hello World_*_ in C until last year, and now I am learning about exploits in the kernel. Thanks so much !!_

Sweet 'sploit, scary 'sploit. It must have been there for a long time and I wonder what other well resourced adversaries were sitting on it in a zeroday portfolio. Appears to require a local user, but also seems to be the kind of thing that might be projected through a web service bug into a RCE.

with grsecurity kernel hardening you should be fine but ill have to test anyway

So could the same thing be done on Mac OS since it is based on UNIX like LINUX is?

I get freelist is probably the prime example where to use linked lists over other alternatives, but for sake of argument assume freelist would have been a plain array (or vector). Would that have prevented the abuse from double free? (Yes I know fixing the double-free is the first priority)

I love how the author made such a cool graphic instead of just writing about it. It's clearly a lot of steps.

Superb exploitation ! The author of that one must really really have a hands-on grip of Kernel code. Kinda narrows it down some.

this video finished too soon!! Very simple explanation, this dude might be a great teacher.

I'm proud I was able to understand half of this after my OS college classes

modprobe? You should sign the module if you are using secure boot, right? Does the exploit work with secure boot? kinda tired to look for my self r8 now :)

Privilege escalation as a class does not depend on exploiting anything in the Linux kernel. It just means gaining permission to do some normally-restricted thing without proper authentication. This _can_ involve a Kernel exploit, but often means targeting set-uid binaries like ping or sudo. Alternatively you can target a service running with the desired permissions. For example, suppose you have a guest user with ssh-only access to a desktop with a running X11 server. This user does not have permission on /dev/input, nor permission to talk to the X server. Further, suppose this is a legacy system with X11 installed setuid. If the user finds a vulnerability in X11 that makes it change permission on an existing X11 socket to 777 before it drops root, the user can use that vulnerability to give himself permission to talk to the primary user's already running X11 server. Then, through the running X11 server, the guest user can listen to the keyboard and mouse or snoop on existing windows. As this is not an intended permission, gained through an exploit, this is a privilege escalation attack. In practice, relatively few privilege escalation attacks use defects in the kernel. Local-user privilege escalation usually involves finding a misconfigured or defective setuid program. There are also remote-user privilege escalations, usually gaining admin rights on a website or similar service. In this case the attacker doesn't even get permission over a new process, just escalated privileges within a specific application.

How was this bug discovered?

Is it possible to use this exploit to get root access on a Android device?

I wish there was a linux/bsd channel ran by someone who actually knew anything.

I run the CVE testing code from the github account on a very recent (and patched) kernel and it froze and crashed the system. Very interesting

I'm loving your Cybersecurity stuff. That's the future

I usually kinda understand a lot of general exploit stuff but this is just insane

Soooo, what is vulnerable to this? Is this something that can happen if you have a socket based connection? Do you need access before escalating? Itd be nice to know how to protect myself and not just how they do it.

many of these techniques are used for windows kernel exploitation quite often

I didn't understand a thing after the graph went up, but I hope kernel patches it soon! Did kernel devs found about this exploit "from the news", or maybe they were given a head start into fixing it?

It's impossible to catch exploit like this in closed source software. Libarchive that was modified by the author of the Linux backdoor is actively used in Windows for more than a year. We know this thanks to Linux being Open Source.

Sounds a little similar to Asahi Lina's MacOS exploit, that also messed with page tables. At least that second half of the exploit

"In 2016, about 8 years ago", god damn man, you're making me feel old

“Dirty Cow” sounds like it would be a drink in Wisconsin lmao

That visual aid chart is very Charlie from It's Always Sunny-esque.

So, who was affected by this? Any system? Or just very specific network configuration?

Why would a double free imply a use after free in this case? Are you saying that the memory was freed, and then the attacker somehow induced an allocation at that moment? Knowing that the 2nd free would soon occur?

the moment it is found the repo would have been nuked with pull requests. that's the power of open source

I wanna see the faulty code path that can cause the double free and what the mitigation is.

dude i'm high on shrooms rn this is insane.

holy poop dude this video is popping off get that root shell 🔥🚀🐚🐚

what tool created that flowchart? it's svg based..

0:23 i think the "author of this bug" was probably not using novel techniques, i think they just made a mistake writing some kernel code

netfilter is a good attack surface even in wiki leaks you will find some old exploits on linux that uses the netfilter

When do you anticipate this to be fixed and various distro's available?

I'm sick and this vid is already making me happy :)

So you're saying now I can run system updates without typing my password?

I always wondered what Dirty Cow was doing to my phone to root it.

This is awesome. Thank you for explaining it.

Did not understand that much, but still was rather interesting to watch! Thanks for the video!

This is one of those channels I go to watch to feel smart. Knowing a little bit about computers, I understood everything and nothing 🤣

I thought the entire reason we pass syscall argument by registers and not the kernel stack is that those kind of things don't happen.

Yes, I definitely learned something here. That I am stupid as a rock! ))) Even though I've been doing system programming for 30 years now.

What is the best way to learn Win32 API and Windows exploitation?

One wonders how many embedded and iot devices were affected by this backdoor, errr, bug...

Woah the levels this went through. Sometimes I think some of these guys probably put this forward as advertisement for selling exploits or getting hired to develop them lmao.

I’d really like to know what percentage of your subscribers can actually follow this. Because technically I am a lower level software engineer. But tbh? W.T.F?!?!? I’d assume I’m not alone, but truly some people are on another level.

Appreciate the lecture!

explaiend really well! thank you

LLC has a knack for explaining complicated low level processes in a way noobs can understand, without boring the people that do actually know a bit more. Rare skill.

Privilege escalations do not necessarily exploit kernel code, they could exploit weak applications which have higher privilege themselves