Getting root on Ubuntu through wishful thinking
Blog post from GitHub
The post recounts a security researcher's experience exploiting a double-free vulnerability (CVE-2021-3939) in Ubuntu's accountsservice, illustrating how complex and unpredictable such exploits can be. Discovered while preparing a Black Hat EU 2021 presentation, the vulnerability stemmed from the mishandling of a static variable, which led to a double free. The researcher describes the difficulty of understanding how the exploit worked even after having written it, likening it to magic because of the chaotic nature of memory allocation and the role of randomness in a successful run. The exploit relied on non-determinism and timing, using a two-process approach to trigger the bug and overwrite critical data structures in polkit, eventually obtaining root. The researcher stresses that, despite its crudeness and reliance on chance, the exploit bypassed established defenses such as address space layout randomization (ASLR) and heap metadata integrity checks, showing how manipulating application-level data, rather than allocator metadata, can turn such a bug into a serious vulnerability.