
SuDump: Exploiting suid binaries through the kernel

Submitted by Style Pass, 2021-10-20 16:30:05

During our Apport research we exploited Ubuntu’s crash handler, and following that, we decided to once again audit the coredump creation code. This time, however, we chose a broader target than a specific crash handler. In this post, we will explore how the Linux kernel itself behaves when a process crashes.

We will show bugs we found in the Linux kernel that allow unprivileged users to create root-owned core files, and how we were able to use them to get an LPE through the sudo program on machines that have been configured by administrators to allow running a single innocent command.

On Linux, a coredump will be generated for a process upon receiving several signals. The signals that result in a core dump are listed here (taken from “man signal”):

When a process receives one of these signals, it will terminate and a coredump will be created. The coredump can be used to explore the memory of the process at the time of a crash.
