[Header image: A. Michael Noll, Gaussian Quadratic (1962)]

The Linux kernel socket subsystem is a surprisingly broad attack surface. It's a group of syscalls that each multiplex very heavily across address families, socket types and protocols, so it's an excellent target for finding under-audited code paths when looking for kernel privilege escalation bugs.

One way to get a feel for the surface is to enumerate the set of instantiable socket types. I was personally bemused by the large number of obscure and mostly irrelevant sockets that are present by default in a standard distribution kernel. Here's the data from my test rig:

family  type    protocol  description
------  ----    --------  -----------
1       1       0         AF_UNIX STREAM
1       1       1         AF_UNIX STREAM
1       2       0         AF_UNIX DGRAM
1       2       1         AF_UNIX DGRAM
1       3       0         AF_UNIX RAW
1       3       1         AF_UNIX RAW
1       5       0         AF_UNIX SEQPACKET
1       5       1         AF_UNIX SEQPACKET
2       1       0         AF_INET STREAM IP
2       1       6         AF_INET STREAM TCP
2       1       132       AF_INET STREAM SCTP
2       2       0         AF_INET DGRAM IP
2       2       17        AF_INET DGRAM UDP
2       2       136       AF_INET DGRAM UDPLITE
2       5       0         AF_INET SEQPACKET IP
2       5       132       AF_INET SEQPACKET SCTP
2       6       0         AF_INET DCCP IP
2       6       33        AF_INET DCCP DCCP
3       2       0-255     AF_AX25 DGRAM
3       3       0-255     AF_AX25 RAW
3       5       0-255     AF_AX25 SEQPACKET
4       2       0-255     AF_IPX DGRAM
5       2       0-255     AF_APPLETALK DGRAM
5       3       0-255     AF_APPLETALK RAW
6       5       0         AF_NETROM SEQPACKET
8       0,2-10  0-255     AF_ATMPVC
9       5       0         AF_X25 SEQPACKET
12      1       0         AF_INET6 STREAM IP
10      1       6         AF_INET6 STREAM TCP
10      1       132       AF_INET6 STREAM SCTP
11      2       0         AF_IPV6 DGRAM IP
10      2       17        AF_IPV6 DGRAM UDP
10      1       136       AF_IPV6 STREAM UDPLITE
10      5       0         AF_IPV6 SEQPACKET IP
10      5       132       AF_IPV6 STREAM SCTP
10      6       0         AF_IPV6 DCCP IP
10      6       33        AF_IPV6 DCCP DCCP
11      5       0         AF_ROSE SEQPACKET
12      1       0-255     AF_DECnet STREAM
12      5       2         AF_DECnet SEQPACKET NSP
16      2       0-31      AF_NETLINK DGRAM
16      3       0-31      AF_NETLINK RAW
19      2       0-255     AF_ECONET DGRAM
20      0,2-10  0-255     AF_ATMSVC
21      5       0         AF_RDS SEQPACKET
23      1       0-255     AF_IRDA STREAM
23      2       0         AF_IRDA DGRAM UNITDATA
23      2       1         AF_IRDA DGRAM ULTRA
23      5       0-255     AF_IRDA SEQPACKET
24      0-10    0         AF_PPPOX
29      2       2         AF_CAN STREAM BCM
29      3       1         AF_CAN RAW RAW
31      1       3         AF_BLUETOOTH STREAM RFCOMM
31      2       0         AF_BLUETOOTH DGRAM L2CAP
31      3       1         AF_BLUETOOTH RAW HCI
31      3       3         AF_BLUETOOTH RAW RFCOMM
31      3       4         AF_BLUETOOTH RAW BNEP
31      3       5         AF_BLUETOOTH RAW CMTP
31      3       6         AF_BLUETOOTH RAW HIDP
31      5       0         AF_BLUETOOTH SEQPACKET L2CAP
31      5       2         AF_BLUETOOTH SEQPACKET SCO
33      2       2         AF_RXRPC DGRAM
36      2       0-255     AF_IEEE802154 DGRAM
36      3       0-255     AF_IEEE802154 RAW
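
A table like this comes out of a small probe program. The one below is an added example written for this page, not the author's enumeration code: it calls socket(2) for each family/type/protocol triple, closes anything it manages to open, and classifies the result. It treats EPERM/EACCES as "exists, but needs a capability" (SOCK_RAW normally needs CAP_NET_RAW) and keeps that apart from EAFNOSUPPORT/EPROTONOSUPPORT/ESOCKTNOSUPPORT, which is the distinction that matters when you are deciding which code paths an unprivileged process can reach. Consecutive protocol numbers with the same outcome are merged into ranges like the 0-255 entries above. Assumptions of the example: socket types are scanned as the numbers 1..10 (SOCK_STREAM through SOCK_PACKET), protocols 0..255, the families 0..AF_MAX-1, and the fallback AF_MAX value of 46 is only used if the C library does not define it. The protocol-name column of the table above is not reproduced.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_MAX
#define AF_MAX 46   /* assumption: glibc normally defines AF_MAX itself */
#endif

/* Outcome of a single socket(2) probe. */
enum probe_result {
    PROBE_CREATED,      /* socket() succeeded; the descriptor was closed again */
    PROBE_NEEDS_PRIV,   /* EPERM/EACCES: exists, but needs e.g. CAP_NET_RAW */
    PROBE_UNSUPPORTED,  /* family, type or protocol not registered in this kernel */
    PROBE_OTHER         /* transient failure (ENOMEM, ENOBUFS, ...) */
};

/* Try to create one socket and classify the result; never keeps the fd.
 * On failure errno is left as socket(2) set it. */
enum probe_result probe_socket(int family, int type, int protocol)
{
    int fd = socket(family, type, protocol);
    if (fd >= 0) {
        close(fd);
        return PROBE_CREATED;
    }
    switch (errno) {
    case EPERM: case EACCES:
        return PROBE_NEEDS_PRIV;
    case EAFNOSUPPORT: case EPROTONOSUPPORT: case ESOCKTNOSUPPORT:
    case EPROTOTYPE: case EINVAL:
        return PROBE_UNSUPPORTED;
    default:
        return PROBE_OTHER;
    }
}

/* A family is present when the kernel has a handler registered for it.
 * An absent family answers EAFNOSUPPORT for every socket type; a present
 * one either succeeds or fails with a type- or protocol-level error. */
int family_present(int family)
{
    for (int type = 1; type <= 10; type++) {
        if (probe_socket(family, type, 0) != PROBE_UNSUPPORTED)
            return 1;
        if (errno != EAFNOSUPPORT)
            return 1;
    }
    return 0;
}

/* SOCK_* name for the type column, from the header constants. */
const char *type_name(int type)
{
    switch (type) {
    case SOCK_STREAM:    return "STREAM";
    case SOCK_DGRAM:     return "DGRAM";
    case SOCK_RAW:       return "RAW";
    case SOCK_RDM:       return "RDM";
    case SOCK_SEQPACKET: return "SEQPACKET";
    case SOCK_DCCP:      return "DCCP";
    case SOCK_PACKET:    return "PACKET";
    default:             return "?";
    }
}

/* Print one protocol range of a (family, type) pair if it is instantiable. */
void emit(int family, int type, int from, int to, enum probe_result r)
{
    char range[16];
    if (r != PROBE_CREATED && r != PROBE_NEEDS_PRIV)
        return;
    if (from == to)
        snprintf(range, sizeof range, "%d", from);
    else
        snprintf(range, sizeof range, "%d-%d", from, to);
    printf("%-7d %-4d %-10s %-8s %s\n", family, type, type_name(type), range,
           r == PROBE_CREATED ? "" : "(needs capability)");
}

/* Scan every type/protocol pair of one family, merging consecutive protocol
 * numbers with the same outcome into a range, as the table above does. */
void scan_family(int family, int max_protocol)
{
    for (int type = 1; type <= 10; type++) {
        int from = 0;
        enum probe_result run = probe_socket(family, type, 0);
        for (int proto = 1; proto <= max_protocol; proto++) {
            enum probe_result r = probe_socket(family, type, proto);
            if (r != run) {
                emit(family, type, from, proto - 1, run);
                from = proto;
                run = r;
            }
        }
        emit(family, type, from, max_protocol, run);
    }
}

int main(void)
{
    printf("%-7s %-4s %-10s %-8s\n", "family", "type", "name", "protocol");
    for (int family = 0; family < AF_MAX; family++) {
        /* Skipping absent families keeps the scan short and avoids
         * repeatedly triggering the kernel's net-pf-N module autoloader. */
        if (!family_present(family))
            continue;
        scan_family(family, 255);
    }
    return 0;
}
```

Two things a defender should keep in mind when running this. First, socket(2) on a family with no registered handler makes a modular kernel try to autoload the matching net-pf-N module, so a full scan can pull obscure protocol modules into a distribution kernel that had not loaded them yet; that autoload path is itself part of the surface the post is describing, which is why this belongs on a test rig rather than a production host. Second, every row the scan prints for a host that has no business speaking that protocol is a candidate for a modprobe blacklist entry, which removes the code path from the reachable surface entirely.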

Armed with this list, it's a piece of cake to select a few of the lesser-known socket families and choose an operation that is likely to be misused. I love the smell of privesc in the morning.

In my case, I first chose setsockopt. By its very nature it has to handle a lot of untrusted user-space input. After a couple of hours of auditing we get a few near misses, a nice memory leak and a non-exploitable unterminated string bug (I mention it since I haven't seen one of these for a long time), but nothing much worth sniffing at.

Another good option is ioctl (or maybe even accept), but my next bet was on sendmsg. I already knew that this call inherits some interesting idiosyncrasies from the socket layer, so that was enough to get me hopeful. And sure enough, one of the first protocols I looked at suffered from a very classic heap overflow flaw. All in all, it was about 4 hours from writing some enumeration code to a kernel oops.

- hawkes@inertiawar.com (@benhawkes)