Skip to content

Botti01/eBPF-CVE-exploitation

Repository files navigation

eBPF CVE Exploitation Research

Author: Andrea Botticella (s347291) Course: Security Verification and Testing — Politecnico di Torino, A.Y. 2025/2026

This repository contains academic research on Linux kernel vulnerabilities, focusing exclusively on eBPF verifier bugs. The project analyzes recent CVEs, explores exploit primitives, and develops Proof of Concepts (PoCs) using a milestone-driven methodology.

Unlike standard exploit repositories, this project emphasizes the methodology of vulnerability analysis: it documents not only successful exploitation paths but also failed approaches, explaining why techniques were blocked by verifier state tracking or kernel mitigation mechanisms.

Project Structure

s347291_Botticella_Andrea/
├── common/                         ← Shared exploit infrastructure (headers, wrappers)
│   └── include/
│       ├── bpf_helpers.h           ← BPF helper definitions
│       └── exploit_common.h        ← Common exploit macros
├── CVEs/                           ← Analyzed vulnerabilities (one per directory)
│   ├── CVE-2021-3444/              ← ★ Full unprivileged LPE achieved
│   │   ├── README.md               ← Detailed vulnerability analysis and results
│   │   ├── configs/                ← Kernel configs (4.19.19 + 5.10.15)
│   │   ├── poc/                    ← Milestones for 5.10.15
│   │   ├── poc_4.19/               ← Full exploit for 4.19.19
│   │   └── exploit_overlay/        ← Buildroot overlay
│   ├── CVE-2021-3600/
│   ├── CVE-2023-52452/
│   └── CVE-2024-26589/
├── execution/                      ← Automation scripts (build.sh)
├── patches/                        ← Per-kernel build patches
├── report/                         ← Final academic report (LaTeX)
│   ├── main.tex                    ← Report entry point
│   ├── sections/                   ← Per-CVE chapters + introduction + conclusion
│   ├── compile_report.sh           ← Compilation script
│   └── s347291_Botticella_Andrea.pdf
└── README.md

Vulnerabilities Analyzed

Each CVE directory contains a self-contained environment with vulnerability analysis, PoC source code organized into milestones, and build/run instructions.

For detailed information, refer to each CVE's README.md.

CVE Bug Class Target Kernel Primitive LPE Result
CVE-2021-3444 mod32 dst truncation 4.19.19 Heap R/W ✅ Full LPE (uid=1001→root)
CVE-2021-3600 div32 src truncation 5.10.15 Heap R/W ❌ Blocked by alu_limit
CVE-2023-52452 Stack depth miscalc. 6.7.1 Stack R ❌ Partial (leak + corruption)
CVE-2024-26589 Missing switch case 6.7.1 Stack R/W ❌ Requires CAP_NET_ADMIN

Milestone Methodology

Each CVE follows a structured 4-milestone approach:

Milestone Goal
M1 Confirm vulnerability (verifier/runtime state divergence)
M2 Build OOB read primitive (information leak / KASLR bypass)
M3 Build OOB write primitive or controlled corruption
M4 Attempt full privilege escalation chain

Highlight: CVE-2021-3444 — Full Local Privilege Escalation

The crown jewel of this research is a complete unprivileged LPE from uid=1001 to uid=0 (root) on Linux 4.19.19, achieved through a six-phase exploit chain:

  1. SLUB heap spray — Controlled heap layout via targeted-hole allocation
  2. OOB read — Leak array_map_ops address for KASLR bypass
  3. Structure verification — Confirm adjacent map metadata
  4. value_size corruption — Extend heap R/W from 256 to 2048 bytes
  5. ops pointer hijack — Redirect bpf_map_ops to userspace fake table
  6. ret2usr shellcode — Hand-written x86-64 shellcode: prepare_kernel_cred(0) + commit_creds() + ops pointer restoration → root

Testing Environment

The project features a fully reproducible, Buildroot-based QEMU/KVM lab environment. For each CVE, the specific vulnerable kernel version is compiled and a minimal custom root filesystem is generated. Exploits are statically cross-compiled on the host and injected into the VM image using Buildroot's overlay mechanism.

Quick Start

# 1. Compile the PoCs for the desired CVE
make -C CVEs/<CVE-ID>/poc

# 2. Select the CVE and target kernel interactively, configure and build
bash execution/build.sh

# 3. Boot the QEMU virtual machine
bash execution/build.sh boot

Once inside the VM, compiled milestones are available in the root directory (e.g., /milestone1, /milestone2, /exploit).

Kernel Configurations

CVE Kernel Key Config
CVE-2021-3444 4.19.19 No alu_limit, SMEP/SMAP/KPTI disabled
CVE-2021-3444 5.10.15 With alu_limit (defense-in-depth analysis)
CVE-2021-3600 5.10.15 CONFIG_BPF_SYSCALL=y, CONFIG_BPF_JIT=y
CVE-2023-52452 6.7.1 CONFIG_DEBUG_INFO=y, KASLR disabled
CVE-2024-26589 6.7.1 Flow dissector hook enabled

Report

The final academic report is a 34-page LaTeX document covering all four CVEs with detailed vulnerability analysis, patch details, PoC methodology, experimental results, and a comparative conclusion.

cd report && bash compile_report.sh

Disclaimer

This project is for educational and academic research purposes only. All experiments are conducted in controlled, isolated virtual machine environments. No real systems were targeted.

About

Academic research project focused on analyzing and exploiting recent eBPF verifier vulnerabilities (CVEs). Includes PoCs and exploit development for educational purposes.

Topics

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors