MuelNova

Recently, I've been working on some development projects, and I keep all my projects on OneDrive, using ln -s to create a symbolic link in WSL2 for development.

The IO performance across file systems like WSL2 ext4 and NTFS is painfully slow. Some venv and node_modules also heavily pollute my OneDrive. Despite some optimizations, frequent use of commands like git status has made me somewhat dissatisfied with this approach. However, I've always felt that the benefits of OneDrive synchronization outweigh these side effects, so I haven't done anything about it. Yesterday, I came across Dev Drive and suddenly thought, why not change it?

Considering that projects typically involve a large number of files, mostly small ones, I decided to migrate certain folders to WSL2 and use Robocopy to synchronize content bidirectionally between OneDrive and WSL2, trading space for efficiency.

This article will be tailored to my specific use case. If you just need to back up WSL2 content to OneDrive, I recommend referring to this article.

Before We Begin​

In this article, we will follow along with Linux Kernel Teaching, progressing from basic to advanced kernel studies, to prepare for potential future kernel development work.

It's worth noting that this course also has a Chinese version, and you can support their efforts by starring the repository at linux-kernel-labs-zh/docs-linux-kernel-labs-zh-cn.

In subsequent blog posts, I may simply summarize the course content, as copying existing material without adding my own insights would be pointless. Our focus will be on the experimental sections.

Leetcode problem-solving can be a tad monotonous, so I plan to tackle one real problem set for a day (smile). I won't be tackling particularly difficult problems or extensive simulations to ensure a fast problem-solving pace.

I will follow a specific order in solving problems.

Attachment download link: https://pwnable.tw/static/chall/netatalk.tgz + https://pwnable.tw/static/libc/libc-18292bd12d37bfaf58e8dded9db7f1f5da1192cb.so

It took about 1.5 days, and overall it was a very productive debugging and reproducing process. I learned some exploitation and debugging techniques, and it was very helpful for expanding my mindset.

The discovery process of the vulnerability is explained clearly by the author in Exploiting an 18 Year Old Bug. A Write-up for CVE-2018–1160 | by Jacob Baines, which is very interesting. You can also find a translated version at Discovery and Exploitation of Netatalk CVE-2018-1160_c01dkit's Blog-CSDN Blog.

The author mentioned in their blog that this vulnerability can only be exploited on NAS with -no-pie. However, the creator of the HITCON 2019 challenge, DDAA, provided an exploit approach in HITCON CTF 2019 Pwn 371 Netatalk (ddaa.tw), which basically involves leveraging the nature of fork where child processes do not change the memory layout — in other words, ASLR plays a very minor role (laughs). This way, we can expose a valid address through a side channel and then exploit it.

Recently encountered this vulnerability, it seems to have a wide range of potential exploits. Although most machines in China seem to have a relatively low version of libc, let's take a look at it first.

Environment Setup​

Testing Environment​

OS: Ubuntu 22.04.1 LTS on Windows 10 x86_64

Kernel: 5.15.123.1-microsoft-standard-WSL2

Glibc: 2.35-0ubuntu3.3

_rtld_global​

• Arbitrary Write OG once
• Write func + arg1 twice
• Forge _rtld_global structure

Cause​

In short, when exit calls _dl_fini, it will invoke _rtld_lock_lock_recursive and _rtld_lock_unlock_recursive for locking and unlocking. After these macros expand, they are respectively _rtld_global._dl_lock_lock_recursive(&_rtld_global._dl_load_lock.mutex) and _rtld_global._dl_lock_unlock_recursive(&_rtld_global._dl_load_lock.mutex)

Usage​

libc-2.23 _rtld_global:0x5f0040   __rtld_lock_lock_recursive: 3848  __rtld_lock_unlock_recursive: 3856
libc-2.27 _rtld_global:0x619060   __rtld_lock_lock_recursive: 3840  __rtld_lock_unlock_recursive: 3848
libc-2.31 _rtld_global:0x23e060   __rtld_lock_lock_recursive: 3848  __rtld_lock_unlock_recursive: 3856

Modify _rtld_lock_lock_recursive/_rtld_lock_unlock_recursive to OneGadget.

Or modify _rtld_lock_lock_recursive/_rtld_lock_unlock_recursive to func, then modify _rtld_global._dl_load_lock.mutex to arg1.

Feeling tired of typing ssh, git pull, and npm run build every time to deploy your blog? Well, I thought about using a webhook.

But still need to manually resolve the conflicts in package-lock.json, wondering if there's a way to ignore it (just ignore this thing!)

I don't know what happened, I used to be able to access services in WSL2 directly from the host using localhost:port, but suddenly it doesn't work today. Taking this opportunity, I'll create a virtual network card based on the documentation I read recently to set up a WSL2 bridge, which will not only support IPv6 but also allow direct access to my WSL2 services in the local network without the need for port forwarding. Since my WSL2 is not sandboxed anyway, I'm not too concerned about security xD.

Frustrated with syncing data across multiple platforms for years, I suddenly remembered that I still have a SanDisk 256G Gen3.1 USB flash drive I can use, so I decided to research how to install Arch Linux on a USB drive.

Preparation:

• VMWare Workstation
• Arch Linux image
• A fast and large capacity USB drive (recommended USB 3.0+, with a size of 50GB or more)

After much thought, I decided to share some small and not-so-interesting things from my life here rather than in the clown section or the blog section.