anematode 5 days ago

KASLR is broken anyway, at least on x86, even with KPTI (a Linux feature to mitigate Meltdown) enabled. See https://www.willsroot.io/2022/12/entrybleed.html, which still runs fine (with some modifications depending on the microarchitecture) on the latest AMD and Intel hardware that we've checked.

bri3d 5 days ago

In addition to the original EntryBleed article, https://exploits.forsale/24h2-nt-exploit/ and the corresponding https://github.com/exploits-forsale/prefetch-tool are useful for understanding the same exploit on Windows (which works the exact same way, of course).

eigenform 5 days ago

(Sorry for the self-plug but) I also wrote a bit about the behavior of PREFETCH recently in case anyone is interested in this sort of thing. See this example (for Linux on AMD):

https://github.com/eigenform/perfect/blob/e5da0c693ba5d1b654...

.. and here's another example in the case of EntryBleed:

https://github.com/eigenform/perfect/blob/e5da0c693ba5d1b654...

bjackman 4 days ago

Yeah, there are so many ways to defeat KASLR. We need to treat the randomisation as a road bump, not a mitigation.

Serious red team reports will just have a brief section like "then, we defeat KASLR with [technique]. Next..."

jcalvinowens 4 days ago

It still has some benefit: there's randomization within the kernel, so knowing the base isn't always enough.