
I know how to bypass filter mode, but I don't know how to bypass strict mode.

On 64-bit, the code does the following:

  1. read 1024 bytes into an rwxp mapped buf
  2. run buf()
  3. scanf an address and scanf a value; write the value (long) at the address (long)

and it has only a canary and partial RELRO. How can I bypass strict-mode seccomp?

apaderno
Dotch
The whole point is you can't bypass it. You have to find a way to do your thing with only the calls that are allowed. – user253751 Apr 26 '22 at 17:24

1 Answer

If you find a way, you'll get a CVE!

In seriousness, it is possible to find a way around SECCOMP: if the handler thread listening to the messages from the SECCOMP-ed jail thread has a length-check type bug, you could then exploit the handler thread (which presumably isn't as strongly SECCOMP-ed as the jail thread). Then you'd follow a normal exploit chain.

However, in the general case, folks are putting SECCOMP on a process because it's doing untrusted stuff. As a result, it's unlikely that code execution on a jailed thread will allow for priv escalation, simply because it's unlikely the code trusts the inputs from the jailed thread!

Bypassing SECCOMP directly would be really hard: you'd have to find a kernel vulnerability in one of the allowed system calls, or a processor-level vulnerability. In strict mode this is normally considered intractable.

ListsOfArrays
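As an added demonstration (not from the question or the answer) of what strict mode actually enforces: a child process enters SECCOMP_MODE_STRICT via prctl, then issues either an allowed write or a disallowed getpid, and the parent reports what the kernel did to it. It assumes Linux with the glibc syscall() wrapper; the outcome names and the exit codes 42/43 are my own choices.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the parent observes after the child enters strict mode and makes one call. */
enum outcome { STRICT_KILLED = 1, STRICT_EXITED_OK = 2, STRICT_UNAVAILABLE = 3, STRICT_ERROR = 4 };

/* Fork a child, put it in SECCOMP_MODE_STRICT, then make it issue either an
 * allowed call (write) or a disallowed one (getpid).  Strict mode permits only
 * read, write, exit and sigreturn; any other syscall gets the thread SIGKILLed. */
static enum outcome run_in_strict_mode(int try_disallowed_call)
{
    pid_t pid = fork();
    if (pid < 0)
        return STRICT_ERROR;
    if (pid == 0) {
        /* Fails with EACCES if the process is already under a seccomp filter
         * (typical inside container runtimes), EINVAL if seccomp is absent. */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
            syscall(SYS_exit, 42);
        if (try_disallowed_call) {
            syscall(SYS_getpid);            /* not in the strict allow-list: kernel sends SIGKILL */
            syscall(SYS_exit, 43);          /* never reached */
        }
        static const char msg[] = "write() is allowed in strict mode\n";
        syscall(SYS_write, STDOUT_FILENO, msg, sizeof msg - 1);
        /* Gotcha: glibc's _exit() issues exit_group, which strict mode does NOT
         * allow, so the child must leave through the plain exit syscall. */
        syscall(SYS_exit, 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return STRICT_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return STRICT_KILLED;
    if (WIFEXITED(status)) {
        if (WEXITSTATUS(status) == 0)
            return STRICT_EXITED_OK;
        if (WEXITSTATUS(status) == 42)
            return STRICT_UNAVAILABLE;
    }
    return STRICT_ERROR;
}
```

On a kernel where strict mode can be entered, run_in_strict_mode(1) returns STRICT_KILLED and run_in_strict_mode(0) returns STRICT_EXITED_OK; when the process already runs under a seccomp filter, both return STRICT_UNAVAILABLE because a strict-mode request then fails with EACCES.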