New Kernel Exploit: Bypassing the modprobe_path Patch with AF_ALG
2025-03-19

This security research blog post details a new way to trigger the modprobe_path technique that circumvents a patch merged into the upstream kernel last year. That patch made the previous trigger, executing a dummy file, ineffective. The new method uses AF_ALG sockets: calling bind() on such a socket triggers request_module(), which executes the file pointed to by modprobe_path and achieves privilege escalation. Combined with lau's memfd_create() technique, this results in a completely fileless exploit, reducing the chance of detection. The patch hasn't yet reached stable kernel releases, so the older method still works; however, the AF_ALG method will be crucial in the future.
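A defender-side check for the two things the technique depends on, the value of modprobe_path and AF_ALG socket creation by unprivileged users. This is an added example, not code from the original post; the allowlist of modprobe locations, the x86_64 audit fields and the sample records are assumptions constructed for illustration.

```python
import re

AF_ALG = 38          # Linux address family number for AF_ALG
SYS_SOCKET = "41"    # socket(2) on x86_64 (audit arch=c000003e)
# Assumption: paths where a distribution normally installs modprobe.
EXPECTED_MODPROBE = {"/sbin/modprobe", "/usr/sbin/modprobe", "/usr/bin/modprobe"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed records in auditd SYSCALL format (a0 is logged in hex),
# as an audit rule on socket(2) would produce them.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1742371200.101:812): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 auid=1000 uid=1000 comm="demo" exe="/home/user/demo"',
    'type=SYSCALL msg=audit(1742371201.007:813): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=0 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl"',
    'type=SYSCALL msg=audit(1742371202.440:814): arch=c000003e syscall=41 success=yes exit=5 a0=26 a1=5 a2=0 auid=4294967295 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"',
]

def check_modprobe_path(value):
    """Classify the content of /proc/sys/kernel/modprobe (modprobe_path)."""
    path = value.strip()
    if not path:
        return "disabled"  # empty string: the kernel runs no module helper
    return "ok" if path in EXPECTED_MODPROBE else "suspicious"

def af_alg_sockets(audit_lines):
    """Return (uid, exe) for each socket(AF_ALG, ...) call by a non-root uid."""
    hits = []
    for line in audit_lines:
        if not line.startswith("type=SYSCALL"):
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if f.get("arch") != "c000003e" or f.get("syscall") != SYS_SOCKET:
            continue
        uid = f.get("uid", "")
        if int(f.get("a0", "0"), 16) == AF_ALG and uid.isdigit() and uid != "0":
            hits.append((int(uid), f.get("exe", "?")))
    return hits

if __name__ == "__main__":
    with open("/proc/sys/kernel/modprobe") as fh:  # Linux only
        print("modprobe_path:", check_modprobe_path(fh.read()))
    print("unprivileged AF_ALG sockets:", af_alg_sockets(SAMPLE_AUDIT))
```

Legitimate software also opens AF_ALG sockets, so a hit is a signal to correlate with a changed modprobe_path rather than a verdict on its own.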