R0 CREW

Kernel Pwning with eBPF: a Love Story

Find the released local privilege escalation (LPE) Proof-of-Concept for CVE-2021-3490 here: https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490. It targets Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58. and Ubuntu 21.04 (Hirsute Hippo) 5.11.0-16.17.

This blog post is intended to give a detailed overview of eBPF from the perspective of an exploit developer. In this post, I cover:

  • The basics of how eBPF works
  • The internals of the eBPF verifier
  • A vulnerability (CVE-2021-3490) I exploit for local privilege escalation [13].
  • Debugging eBPF bytecode
  • Exploitation techniques for DoS, information leak, and LPE
  • Some interesting observations and other bugs I discovered
  • New mitigations that make the bug class more difficult to exploit
  • Weaknesses that are still present in eBPF today

I had no knowledge of eBPF going into this. My hope is that by sharing a PoC as well as my experience developing it, it can help others get started with eBPF exploitation.