<!DOCTYPE html>
<html>
<head>
<title>SerenityOS bug bounty program</title>
<style>
body {
background: black;
color: lime;
font-family: monospace;
font-size: 14pt;
}
a {
font-weight: bold;
text-decoration: underline;
}
a:link, a:visited {
color: cyan;
}
a:active {
color: red;
}
</style>
</head>
<body>
<h1>SerenityOS bug bounty program :^)</h1>
<p>
Like any respectable software project, <a href="https://www.serenityos.org/">SerenityOS</a>
also runs a bug bounty program.
I don't have a huge budget, but I want to reward good honest work.
</p>
<p>
I will pay <b>$50</b> USD for exploitable bugs in these categories:
</p>
<ul>
<li>Remote code execution.</li>
<li>Local privilege escalation.</li>
<li>Arbitrary code execution in the Browser when loading a remote web page.</li>
</ul>
<p><b>Rules</b></p>
<ul>
<li>No rewards for bugs you caused yourself.</li>
<li>The PoC exploit needs to work against the master branch at the time of claim.</li>
<li>Max 3 bounties per person.</li>
<li>No duplicates. If a bug is already reported, only the earliest reporter may claim the reward. This includes bugs found by continuous fuzzing systems.</li>
<li>No rewards for bugs that require unlikely user interaction or social engineering.</li>
<li>Remote bugs must be exploitable with an unmodified "default setup" of SerenityOS. Bugs in programs that are not started by default don't qualify.</li>
<li>The PoC exploit needs to work on a QEMU-emulated CPU that supports SMAP, SMEP, UMIP, NX, WP, and TSD natively.</li>
<li>SerenityOS always runs with assertions enabled, so you'll need to find a way around them.</li>
</ul>
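<p>
Before claiming, it is worth confirming that the guest CPU QEMU hands you actually advertises the features the rule above names. The program below is an added example written for this page; it is not part of the SerenityOS tree and is not the project's own tooling. It reads the relevant CPUID leaves through GCC/Clang's <code>&lt;cpuid.h&gt;</code> and reports which of SMAP, SMEP, UMIP and NX are missing. WP (CR0.WP) has no CPUID flag and exists on every i486 or later CPU, and TSD (CR4.TSD) only requires a time stamp counter, so the check tests the TSC bit for it. The struct, function and constant names are my own.
</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Raw register values from the CPUID leaves the check needs. */
struct cpuid_snapshot {
    uint32_t max_basic_leaf; /* CPUID.0:EAX */
    uint32_t leaf1_edx;      /* CPUID.1:EDX */
    uint32_t leaf7_ebx;      /* CPUID.(7,0):EBX */
    uint32_t leaf7_ecx;      /* CPUID.(7,0):ECX */
    uint32_t max_ext_leaf;   /* CPUID.80000000h:EAX */
    uint32_t ext1_edx;       /* CPUID.80000001h:EDX */
};

/* Bit positions as documented in the Intel SDM and AMD APM. */
#define L1_EDX_TSC  (1u << 4)
#define L7_EBX_SMEP (1u << 7)
#define L7_EBX_SMAP (1u << 20)
#define L7_ECX_UMIP (1u << 2)
#define E1_EDX_NX   (1u << 20)

enum {
    FEAT_SMAP = 1 << 0,
    FEAT_SMEP = 1 << 1,
    FEAT_UMIP = 1 << 2,
    FEAT_NX   = 1 << 3,
    FEAT_TSC  = 1 << 4, /* stands in for TSD: CR4.TSD needs a TSC */
};
#define FEAT_ALL (FEAT_SMAP | FEAT_SMEP | FEAT_UMIP | FEAT_NX | FEAT_TSC)

/* Decode a snapshot into FEAT_* flags. Pure, so it is testable on any host
   with constructed register values. Leaves above the reported maximum are
   treated as absent rather than trusted. */
unsigned decode_features(const struct cpuid_snapshot *s)
{
    unsigned f = 0;
    if (s->leaf1_edx & L1_EDX_TSC) f |= FEAT_TSC;
    if (s->max_basic_leaf >= 7) {
        if (s->leaf7_ebx & L7_EBX_SMEP) f |= FEAT_SMEP;
        if (s->leaf7_ebx & L7_EBX_SMAP) f |= FEAT_SMAP;
        if (s->leaf7_ecx & L7_ECX_UMIP) f |= FEAT_UMIP;
    }
    if (s->max_ext_leaf >= 0x80000001u && (s->ext1_edx & E1_EDX_NX)) f |= FEAT_NX;
    return f;
}

/* Required features that are absent. Zero means the CPU qualifies. */
unsigned missing_features(const struct cpuid_snapshot *s)
{
    return FEAT_ALL & ~decode_features(s);
}

/* Same check from plain register values (handy for tests and scripts). */
unsigned missing_from_regs(uint32_t max_basic, uint32_t leaf1_edx, uint32_t leaf7_ebx,
                           uint32_t leaf7_ecx, uint32_t max_ext, uint32_t ext1_edx)
{
    struct cpuid_snapshot s = { max_basic, leaf1_edx, leaf7_ebx, leaf7_ecx, max_ext, ext1_edx };
    return missing_features(&s);
}

/* Fill a snapshot from the running CPU. Returns 0 where CPUID is unavailable. */
int read_cpuid_snapshot(struct cpuid_snapshot *s)
{
    memset(s, 0, sizeof *s);
#if HAVE_CPUID
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    s->max_basic_leaf = a;
    __cpuid(1, a, b, c, d);
    s->leaf1_edx = d;
    if (s->max_basic_leaf >= 7) {
        __cpuid_count(7, 0, a, b, c, d);
        s->leaf7_ebx = b;
        s->leaf7_ecx = c;
    }
    __cpuid(0x80000000u, a, b, c, d);
    s->max_ext_leaf = a;
    if (s->max_ext_leaf >= 0x80000001u) {
        __cpuid(0x80000001u, a, b, c, d);
        s->ext1_edx = d;
    }
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    struct cpuid_snapshot s;
    if (!read_cpuid_snapshot(&s)) {
        puts("CPUID is not available on this architecture");
        return 2;
    }
    unsigned have = decode_features(&s);
    printf("SMAP:%s SMEP:%s UMIP:%s NX:%s TSC(for TSD):%s\n",
           have & FEAT_SMAP ? "yes" : "NO", have & FEAT_SMEP ? "yes" : "NO",
           have & FEAT_UMIP ? "yes" : "NO", have & FEAT_NX ? "yes" : "NO",
           have & FEAT_TSC ? "yes" : "NO");
    return missing_features(&s) ? 1 : 0; /* non-zero exit if anything is missing */
}
```

<p>
Compile it with <code>cc -O2 check_cpu.c -o check_cpu</code> and run it on the CPU you intend to test against (inside the guest, or under the same QEMU <code>-cpu</code> model); a non-zero exit status means the rule above is not met. On a non-x86 host it only reports that CPUID is unavailable.
</p>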
<p>
To claim a reward, get in touch with me either on the <a href="https://discord.gg/serenityos">SerenityOS Discord</a> (<i>awesomekling#1985</i>) or via <b><a href="mailto:kling@serenityos.org">kling@serenityos.org</a></b>. (And even if you are not interested in the reward, I'd still like to hear about any exploits!)
</p>
<p><b>Past exploits:</b></p>
<ul>
<li><b>2021-03-04:</b> <b>Iliad</b> used a VLA stack overflow in the TCP implementation to smash a nearby kernel stack and become root. (<a href="https://abigpickle.github.io/posts/2021/03/serenityos-kernel-hacking-adventures/">Writeup and exploit</a>)</li>
<li><b>2021-02-18:</b> <b>cees-elzinga</b> combined a ptrace race condition with an ASLR bypass to modify <code>/etc/passwd</code> and become root. (<a href="https://github.com/SerenityOS/serenity/issues/5230">Bug report and exploit</a>)</li>
<li><b>2021-02-11:</b> <b>vakzz</b> wrote the first-ever full chain exploit, stringing together a LibJS bug and a kernel bug to create a web page that got root access when viewed in our browser. (<a href="https://devcraft.io/2021/02/11/serenityos-writing-a-full-chain-exploit.html">Writeup and exploit</a>)</li>
<li><b>2020-12-22:</b> <b>ALLES! CTF</b> found a kernel LPE due to missing EFLAGS validation in <code>ptrace()</code>. (<a href="https://github.com/allesctf/writeups/blob/master/2020/hxpctf/wisdom2/writeup.md">Writeup and exploit</a>)</li>
<li><b>2020-12-20:</b> <b>yyyyyyy</b> found a kernel LPE due to a race condition between <code>execve()</code> and <code>ptrace()</code>. (<a href="https://hxp.io/blog/79/hxp-CTF-2020-wisdom2/">Writeup and exploit</a>)</li>
<li><b>2020-03-30:</b> <b>\0</b> claimed <font color="green"><b>$5</b></font> for reporting that the documentation neglects to mention that the default <b>anon</b> user can use <code>su</code> to become <b>root</b> by default. <a href="kiwis4kiwi.png">Donated to "Kiwis for Kiwi" charity as per \0's request.</a> Fixed with <a href="https://github.com/SerenityOS/serenity/commit/ec91d2eb9febafd82de3b30bd76fb621f3da5026">this commit</a>.</li>
<li><b>2019-12-30:</b> <b>Fire30</b> found a kernel LPE due to bad userspace pointer validation. (<a href="https://github.com/Fire30/CTF-WRITEUPS/tree/master/36c3_ctf/wisdom">Writeup and exploit</a>)</li>
<li><b>2019-12-29:</b> <b>braindead</b> found a kernel LPE due to a TOCTOU bug in <code>clock_nanosleep()</code>. (<a href="https://github.com/braindead/ctf-writeups/tree/master/2019/36c3/wisdom">Writeup and exploit</a>)</li>
</ul>
</body>
</html>