Find the released local privilege escalation (LPE) Proof-of-Concept for CVE-2021-3490 here: https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490. It targets Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58 and Ubuntu 21.04 (Hirsute Hippo) kernel 5.11.0-16.17.
This blog post is intended to give a detailed overview of eBPF from the perspective of an exploit developer. In this post, I cover:
- The basics of how eBPF works
- The internals of the eBPF verifier
- A vulnerability (CVE-2021-3490) I exploit for local privilege escalation
- Debugging eBPF bytecode
- Exploitation techniques for DoS, information leak, and LPE
- Some interesting observations and other bugs I discovered
- New mitigations that make the bug class more difficult to exploit
- Weaknesses that are still present in eBPF today
I had no knowledge of eBPF going into this. My hope is that by sharing a PoC as well as my experience developing it, it can help others get started with eBPF exploitation.