Seccomp is a security facility in the Linux kernel that restricts the system calls a process can make.
In this post, I will explain how to bypass seccomp by accessing the x32 syscall ABI.
It works even if the seccomp filter checks the current architecture. I will use
the Siskohl sandbox challenge from the CSCCTF 2021 final and try to use a forbidden syscall.
The binary doesn't use libseccomp; instead it installs a raw seccomp BPF filter.
Seccomp info file
To examine which syscalls are not allowed, you can use seccomp-tools. Here is the seccomp
information dumped from the binary:
As you can see, we can't use those syscalls, and the filter checks the current architecture,
so we can't bypass it by switching to 32-bit mode. In this post, I will instead use the x32 syscall
ABI to call the open, read, and write syscalls.
As an example, I will try to read the contents of /etc/passwd.
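To see why the architecture check alone does not stop this, here is an added example (my own code, not from the challenge binary or the original post) that evaluates two seccomp BPF filters in user space without installing them. It assumes a filter of the shape seccomp-tools showed above (an AUDIT_ARCH_X86_64 check followed by a deny list of syscall numbers) and a hardened variant that also rejects any number with the x32 bit set, which is what libseccomp generates by default; the interpreter is a toy that handles only the opcodes these two filters use.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* x86_64 syscall numbers; the x32 ABI reuses them with bit 30 (0x40000000) set. */
#define NR_READ  0
#define NR_WRITE 1
#define NR_OPEN  2
#define X32_BIT  0x40000000u  /* same value as the kernel's __X32_SYSCALL_BIT */

#define LOAD(field)   BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define KILL          BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)
#define ALLOW         BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
#define KILL_IF_EQ(v) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (v), 0, 1), KILL
#define KILL_IF_GE(v) BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, (v), 0, 1), KILL

/* Weak filter: arch check, then a deny list by exact syscall number (the shape in the challenge). */
static const struct sock_filter weak_filter[] = {
    LOAD(arch), BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0), KILL,
    LOAD(nr), KILL_IF_EQ(NR_OPEN), KILL_IF_EQ(NR_READ), KILL_IF_EQ(NR_WRITE), ALLOW,
};

/* Hardened filter: identical, but any x32 number (nr >= 0x40000000) is killed before the deny list. */
static const struct sock_filter hardened_filter[] = {
    LOAD(arch), BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0), KILL,
    LOAD(nr), KILL_IF_GE(X32_BIT), KILL_IF_EQ(NR_OPEN), KILL_IF_EQ(NR_READ), KILL_IF_EQ(NR_WRITE), ALLOW,
};

/* Toy cBPF interpreter for the opcodes used above (ld abs, jeq, jge, ret); jumps are relative to pc+1. */
static uint32_t run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &p[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:  memcpy(&acc, (const char *)d + in->k, sizeof acc); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JGE | BPF_K: pc += (acc >= in->k) ? in->jt : in->jf; break;
        case BPF_RET | BPF_K:           return in->k;
        default:                        return SECCOMP_RET_KILL;  /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL;  /* fell off the end: fail closed */
}

/* Verdict for one (arch, nr) pair, as the kernel would present them to the filter at syscall entry. */
#define VERDICT(f, a, n) run_filter((f), sizeof(f) / sizeof *(f), &(struct seccomp_data){ .nr = (int)(n), .arch = (a) })
uint32_t weak_verdict(uint32_t arch, uint32_t nr)     { return VERDICT(weak_filter, arch, nr); }
uint32_t hardened_verdict(uint32_t arch, uint32_t nr) { return VERDICT(hardened_filter, arch, nr); }
```

An x32 open (nr 0x40000002) carries arch AUDIT_ARCH_X86_64, so it passes the weak filter's architecture check and misses its deny list, while the hardened filter kills it.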
Bypass seccomp filter
We can use 0x40000000 to bypass the filter: to call a forbidden syscall, add 0x40000000 to its
syscall number. This selects the x32 ABI, which still reports AUDIT_ARCH_X86_64 to the filter, so
the architecture check passes and the deny list never matches. Our shellcode will look like: