

Ethical Hacking News

The Dark Side of Linux's Async I/O Mechanism: A New Rootkit Exploit Reveals System Call Blind Spots




Researchers at ARMO have published a proof-of-concept (PoC) rootkit named Curing that performs its file and network operations through io_uring, the Linux asynchronous I/O interface, instead of the ordinary system calls that most Linux runtime security tools hook. Because those tools never see a read(), write(), connect() or similar call, a rootkit that works solely through io_uring can operate without triggering their detections. The finding is a gap in detection coverage rather than a kernel vulnerability: io_uring itself is working as designed, and the burden falls on defenders to instrument it or restrict it.



  • Researchers at ARMO have demonstrated a proof-of-concept rootkit called Curing that uses Linux's io_uring interface to evade security tools built around system call monitoring.
  • io_uring, introduced in Linux kernel 5.1, lets a process submit file and network operations through memory rings shared with the kernel instead of issuing one system call per operation, which creates a "major blind spot" for runtime security tools that hook those system calls.
  • The PoC shows the limits of tools that rely on system call hooking: ARMO found both Falco and Tetragon blind to io_uring-based activity.
  • CrowdStrike's Falcon agent has since rolled out a fix for its missing io_uring detection; Microsoft Defender for Endpoint on Linux was found to miss several kinds of threats regardless of whether io_uring was involved.
  • The practical implication is for defenders: monitoring built only on system call hooks needs a second vantage point inside the kernel's io_uring path, or io_uring must be restricted where it is not needed.



    Researchers at ARMO have demonstrated a proof-of-concept (PoC) rootkit called Curing that uses the Linux asynchronous I/O mechanism io_uring to bypass traditional system call monitoring. The PoC exposes a major blind spot in Linux runtime security tools: a rootkit that performs all of its work through io_uring can run without those tools observing any of it.


    io_uring, first introduced in Linux kernel 5.1 in March 2019, is a Linux kernel interface built around two ring buffers shared between the kernel and an application: a submission queue (SQ), into which the application writes submission queue entries (SQEs) describing the operations it wants performed, and a completion queue (CQ), from which it reads the results. Operations that would otherwise be individual system calls (opening and reading files, connecting sockets, sending and receiving data) are expressed as SQE opcodes such as IORING_OP_OPENAT, IORING_OP_READ, IORING_OP_CONNECT and IORING_OP_SEND. The application hands batches of them to the kernel with a single io_uring_enter() call or, when the ring is created with IORING_SETUP_SQPOLL, with no system call at all, because a kernel thread polls the submission queue. A tool that hooks openat(), read() or connect() therefore sees none of this activity, which is the "major blind spot" ARMO describes.
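To make the blind spot concrete, here is an added example, written for this page and not code from ARMO's Curing PoC or from the article, that opens, reads and closes a file using only io_uring requests, driving the rings directly with io_uring_setup(2) and io_uring_enter(2) rather than liburing. The file name, its sample contents and the helper names are constructed for the demonstration; the fixture file is created with ordinary write(2) so that there is something to read back.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/io_uring.h>

/* Raw io_uring state (no liburing): the shared SQ/CQ rings and the SQE array. */
struct ring {
    int fd; struct io_uring_params p;
    void *sq_ptr, *cq_ptr; size_t sq_len, cq_len;
    unsigned *sq_tail, *sq_mask, *sq_array, *cq_head, *cq_tail, *cq_mask;
    struct io_uring_sqe *sqes; struct io_uring_cqe *cqes;
};

#define RING_MMAP(fd, len, off) mmap(NULL, (len), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, (fd), (off))

static void ring_close(struct ring *r) {
    if (r->sqes && r->sqes != MAP_FAILED) munmap(r->sqes, r->p.sq_entries * sizeof(*r->sqes));
    if (r->cq_ptr && r->cq_ptr != r->sq_ptr && r->cq_ptr != MAP_FAILED) munmap(r->cq_ptr, r->cq_len);
    if (r->sq_ptr && r->sq_ptr != MAP_FAILED) munmap(r->sq_ptr, r->sq_len);
    if (r->fd >= 0) close(r->fd);
}

/* io_uring_setup(2) plus the ring mmaps; after this no per-operation syscall is needed. */
static int ring_init(struct ring *r, unsigned entries) {
    memset(r, 0, sizeof *r);
    r->fd = (int)syscall(__NR_io_uring_setup, entries, &r->p);
    if (r->fd < 0) return -1;
    r->sq_len = r->p.sq_off.array + r->p.sq_entries * sizeof(unsigned);
    r->cq_len = r->p.cq_off.cqes + r->p.cq_entries * sizeof(struct io_uring_cqe);
    int single = (r->p.features & IORING_FEAT_SINGLE_MMAP) != 0;  /* 5.4+: both rings in one mapping */
    if (single && r->cq_len > r->sq_len) r->sq_len = r->cq_len;
    r->sq_ptr = RING_MMAP(r->fd, r->sq_len, IORING_OFF_SQ_RING);
    r->cq_ptr = single ? r->sq_ptr : RING_MMAP(r->fd, r->cq_len, IORING_OFF_CQ_RING);
    r->sqes = RING_MMAP(r->fd, r->p.sq_entries * sizeof(*r->sqes), IORING_OFF_SQES);
    if (r->sq_ptr == MAP_FAILED || r->cq_ptr == MAP_FAILED || r->sqes == MAP_FAILED) return -1;
    char *sq = r->sq_ptr, *cq = r->cq_ptr;
    r->sq_tail = (unsigned *)(sq + r->p.sq_off.tail); r->sq_mask = (unsigned *)(sq + r->p.sq_off.ring_mask);
    r->sq_array = (unsigned *)(sq + r->p.sq_off.array); r->cq_head = (unsigned *)(cq + r->p.cq_off.head);
    r->cq_tail = (unsigned *)(cq + r->p.cq_off.tail); r->cq_mask = (unsigned *)(cq + r->p.cq_off.ring_mask);
    r->cqes = (struct io_uring_cqe *)(cq + r->p.cq_off.cqes);
    return 0;
}

/* Queue one request, submit it with io_uring_enter(2), wait for and consume its CQE.
 * Returns the CQE result (>= 0) or -1 with errno set from the negative result. */
static int ring_do(struct ring *r, uint8_t op, int fd, const void *addr, unsigned len, unsigned flags) {
    unsigned tail = __atomic_load_n(r->sq_tail, __ATOMIC_RELAXED), idx = tail & *r->sq_mask;
    struct io_uring_sqe *sqe = &r->sqes[idx];
    memset(sqe, 0, sizeof *sqe);
    sqe->opcode = op; sqe->fd = fd; sqe->addr = (uint64_t)(uintptr_t)addr; sqe->len = len;
    sqe->open_flags = flags;                          /* union member; only OPENAT uses it here */
    r->sq_array[idx] = idx;
    __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);   /* publish the SQE to the kernel */
    if (syscall(__NR_io_uring_enter, r->fd, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0) return -1;
    unsigned head = __atomic_load_n(r->cq_head, __ATOMIC_RELAXED);
    if (head == __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE)) { errno = EAGAIN; return -1; }
    int res = r->cqes[head & *r->cq_mask].res;
    __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);   /* hand the CQE slot back */
    if (res < 0) { errno = -res; return -1; }
    return res;
}

/* Open, read and close a temp file through IORING_OP_OPENAT / IORING_OP_READ / IORING_OP_CLOSE.
 * Returns 1 if the bytes read back match, 0 if io_uring is unavailable here (blocked by seccomp
 * or kernel.io_uring_disabled, or the kernel predates these opcodes), -1 on any other error. */
int demo_read_without_read_syscall(void) {
    static const char expected[] = "constructed sample content\n";  /* fixture text, not real data */
    const size_t want = sizeof expected - 1;
    char path[] = "/tmp/iouring-demo-XXXXXX", buf[128] = {0};
    struct ring r;
    int rc = -1, fd = mkstemp(path);            /* the fixture is written with ordinary syscalls */
    if (fd < 0) return -1;
    if (write(fd, expected, want) != (ssize_t)want) { close(fd); unlink(path); return -1; }
    close(fd);
    if (ring_init(&r, 4) < 0) {
        rc = (errno == EPERM || errno == ENOSYS || errno == EACCES) ? 0 : -1;  /* io_uring blocked? */
    } else {
        int ufd = ring_do(&r, IORING_OP_OPENAT, AT_FDCWD, path, 0, O_RDONLY);   /* not openat(2) */
        if (ufd < 0) {
            rc = errno == EINVAL ? 0 : -1;                                     /* opcode unsupported */
        } else {
            int n = ring_do(&r, IORING_OP_READ, ufd, buf, sizeof buf - 1, 0);  /* not read(2) */
            rc = n < 0 ? (errno == EINVAL ? 0 : -1)
                       : ((n == (int)want && memcmp(buf, expected, want) == 0) ? 1 : -1);
            ring_do(&r, IORING_OP_CLOSE, ufd, NULL, 0, 0);                      /* not close(2) */
        }
    }
    ring_close(&r);
    unlink(path);
    return rc;
}

int main(void) {
    int rc = demo_read_without_read_syscall();
    puts(rc == 1 ? "file read via io_uring: no openat(2)/read(2)/close(2) issued for it" :
         rc == 0 ? "io_uring unavailable here (blocked or too old)" : "error");
    return rc < 0;
}
```

Run it under strace -f and the interesting part shows up only as io_uring_setup, a few mmap calls and io_uring_enter; there is no openat or read on the temp file, which is exactly what a syscall-hooking sensor gets to see. The function returns 0 rather than failing when io_uring_setup is refused (EPERM from a seccomp profile or kernel.io_uring_disabled) or when the kernel predates the opcodes used (EINVAL), so the same binary doubles as a quick check of whether io_uring is reachable from a given container or host.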


    The rootkit devised by ARMO fetches commands from a command-and-control (C2) server and executes them without issuing any of the system calls a monitor would associate with that behaviour. Its socket and file operations are all submitted as io_uring requests, so the only system call that crosses the boundary on their behalf is io_uring_enter(), which by itself reveals nothing about what was requested.


    The security risks of io_uring were already known. In June 2023 Google disclosed that it had limited use of the interface across Android, ChromeOS and its production servers because of the number of kernel exploits it had enabled (roughly 60% of the exploits submitted to its kCTF bug bounty in 2022 targeted io_uring). That decision treated io_uring as an attack surface for privilege escalation; Curing shows a second problem, namely that even legitimate io_uring use is invisible to syscall-based monitoring, and a restriction of the interface addresses both.


    ARMO's analysis of currently available Linux runtime security tools found that both Falco and Tetragon are blind to io_uring-based operations because they rely on system call hooking. As the research notes, some vendors take the most straightforward path, hooking directly into system calls, but that approach comes with limitations. Hooking io_uring_enter() itself does not close the gap: that call carries only counts and flags, while the opcodes and arguments sit in the SQEs in user memory, and with IORING_SETUP_SQPOLL they never pass through a system call at all. Visibility requires instrumenting the kernel's own io_uring submission path, for example through the tracepoints in the io_uring group (listed under /sys/kernel/tracing/events/io_uring/), which expose each request's opcode, or through kprobes on the io_uring request-issue functions.


    CrowdStrike's Falcon agent has since received a fix for its missing io_uring detection. Microsoft Defender for Endpoint on Linux, by contrast, was found to miss a variety of threats regardless of whether io_uring was used.

    The implication is for defenders rather than for applications that use io_uring: the interface is not itself a vulnerability, but any detection built solely on system call hooks has a gap that a rootkit like Curing can slip through. Closing it means either adding io_uring-aware instrumentation or restricting io_uring where it is not needed, whether through seccomp or, on Linux 6.6 and later, the kernel.io_uring_disabled sysctl.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Dark-Side-of-Linuxs-Async-IO-Mechanism-A-New-Rootkit-Exploit-Reveals-System-Call-Blind-Spots-ehn.shtml

  • https://thehackernews.com/2025/04/linux-iouring-poc-rootkit-bypasses.html


  • Published: Thu Apr 24 10:15:41 2025 by llama3.2 3B Q4_K_M












