| field | value | date |
|---|---|---|
| author | Andrey Konovalov | 2021-07-04 19:41:56 +0200 |
| committer | Andrey Konovalov | 2021-07-04 19:51:37 +0200 |
| commit | 97121099c5c6b47f99620674ea2691e2d4beff96 (patch) | |
| tree | a3543a91218703ef5740c7994fd96c83ecd69903 | |
| parent | 40cf5bc5b79da64b55fe192ee428ae840697aef3 (diff) | |
May/June updates
| -rw-r--r-- | README.md | 30 |
1 files changed, 29 insertions, 1 deletions
| @@ -217,6 +217,8 @@ Pull requests are welcome. | |||
| 217 | 217 | ||
| 218 | ### Info-leaks | 218 | ### Info-leaks |
| 219 | 219 | ||
| 220 | [2021: "Linux Kernel /proc/pid/syscall information disclosure vulnerability"](https://talosintelligence.com/vulnerability_reports/TALOS-2020-1211) [article] [CVE-2020-28588] | ||
| 221 | |||
| 220 | [2021: "Spectre exploits in the "wild""](https://dustri.org/b/spectre-exploits-in-the-wild.html) [article] | 222 | [2021: "Spectre exploits in the "wild""](https://dustri.org/b/spectre-exploits-in-the-wild.html) [article] |
| 221 | 223 | ||
| 222 | [2021: "VDSO As A Potential KASLR Oracle" by Philip Pettersson and Alex Radocea](https://www.longterm.io/vdso_sidechannel.html) [article] | 224 | [2021: "VDSO As A Potential KASLR Oracle" by Philip Pettersson and Alex Radocea](https://www.longterm.io/vdso_sidechannel.html) [article] |
| @@ -248,6 +250,14 @@ Pull requests are welcome. | |||
| 248 | 250 | ||
| 249 | ### LPE | 251 | ### LPE |
| 250 | 252 | ||
| 253 | [2021: "CVE-2021-20226 a reference counting bug which leads to local privilege escalation in io_uring"](https://flattsecurity.medium.com/cve-2021-20226-a-reference-counting-bug-which-leads-to-local-privilege-escalation-in-io-uring-e946bd69177a) [article] [CVE-2021–20226] | ||
| 254 | |||
| 255 | [2021: "CVE-2021-32606: CAN ISOTP local privilege escalation"](https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md) [article] [CVE-2021-32606] | ||
| 256 | |||
| 257 | [2021: "CVE-2021-3609: CAN BCM local privilege escalation"](https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3609.md) [article] [[announcement](https://www.openwall.com/lists/oss-security/2021/06/19/1)] [CVE-2021-3609] | ||
| 258 | |||
| 259 | [2021: "SSD Advisory – OverlayFS PE"](https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/) [article] [CVE-2021-3493] | ||
| 260 | |||
| 251 | [2021: "[BugTales] A Nerve-Racking Bug Collision in Samsung's NPU Driver" by Gyorgy Miru](https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/) [article] [CVE-2020-28343, SVE-2020-18610] | 261 | [2021: "[BugTales] A Nerve-Racking Bug Collision in Samsung's NPU Driver" by Gyorgy Miru](https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/) [article] [CVE-2020-28343, SVE-2020-18610] |
| 252 | 262 | ||
| 253 | [2021: "CVE-2021-20226: A Reference-Counting Bug in the Linux Kernel io_uring Subsystem" by Lucas Leong](https://www.zerodayinitiative.com/blog/2021/4/22/cve-2021-20226-a-reference-counting-bug-in-the-linux-kernel-iouring-subsystem) [article] [CVE-2021-20226] | 263 | [2021: "CVE-2021-20226: A Reference-Counting Bug in the Linux Kernel io_uring Subsystem" by Lucas Leong](https://www.zerodayinitiative.com/blog/2021/4/22/cve-2021-20226-a-reference-counting-bug-in-the-linux-kernel-iouring-subsystem) [article] [CVE-2021-20226] |
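Review bot: the CVE tag on new line 253 is written with an en dash, `[CVE-2021–20226]`, while the existing ZDI entry on line 263 uses a plain hyphen, `[CVE-2021-20226]`; a reader searching the file for the CVE id will only find the latter, so change the new tag to `[CVE-2021-20226]`. Both entries cover the same io_uring reference-counting bug, so placing the new flattsecurity write-up directly next to the ZDI one would also make the pairing visible.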
| @@ -256,7 +266,7 @@ Pull requests are welcome. | |||
| 256 | 266 | ||
| 257 | [2021: "New Old Bugs in the Linux Kernel"](https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html) [article] [CVE-2021-27365, CVE-2021-27363, CVE-2021-27364] | 267 | [2021: "New Old Bugs in the Linux Kernel"](https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html) [article] [CVE-2021-27365, CVE-2021-27363, CVE-2021-27364] |
| 258 | 268 | ||
| 259 | [2021: "Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel"](https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708.pdf)] [CVE-2021-26708] | 269 | [2021: "Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel"](https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708.pdf)] [[video](https://www.youtube.com/watch?v=EMcjHfceX44)] [CVE-2021-26708] |
| 260 | 270 | ||
| 261 | [2021: "The curious case of CVE-2020-14381"](https://blog.frizn.fr/linux-kernel/cve-2020-14381) [article] [CVE-2020-14381] | 271 | [2021: "The curious case of CVE-2020-14381"](https://blog.frizn.fr/linux-kernel/cve-2020-14381) [article] [CVE-2020-14381] |
| 262 | 272 | ||
| @@ -266,6 +276,8 @@ Pull requests are welcome. | |||
| 266 | 276 | ||
| 267 | [2021: "Exploiting CVE-2014-3153 (Towelroot)" by Elon Gliksberg](https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html) [article] [CVE-2014-3153] | 277 | [2021: "Exploiting CVE-2014-3153 (Towelroot)" by Elon Gliksberg](https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html) [article] [CVE-2014-3153] |
| 268 | 278 | ||
| 279 | [2021: "CVE-2014-3153" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernelStudy/tree/main/CVE-2014-3153) [article] [CVE-2014-3153] | ||
| 280 | |||
| 269 | [2020: "An iOS hacker tries Android" by Brandon Azad](https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html) [article] [CVE-2020-28343, SVE-2020-18610] | 281 | [2020: "An iOS hacker tries Android" by Brandon Azad](https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html) [article] [CVE-2020-28343, SVE-2020-18610] |
| 270 | 282 | ||
| 271 | [2020: "Exploiting a Single Instruction Race Condition in Binder"](https://blog.longterm.io/cve-2020-0423.html) [article] [CVE-2020-0423] | 283 | [2020: "Exploiting a Single Instruction Race Condition in Binder"](https://blog.longterm.io/cve-2020-0423.html) [article] [CVE-2020-0423] |
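Review bot: the new entry on line 279 has no descriptive title, only the CVE id that is repeated in the tag, and it sits directly under the Towelroot write-up on line 277 for the same CVE-2014-3153, so the two cannot be told apart in the list; give it a short title in the style of the neighbouring entries (at minimum saying it is a second write-up of the Towelroot bug), and note that the link points at a directory of the LinuxKernelStudy repository rather than a single write-up page, which the title could also make clear.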
| @@ -506,6 +518,10 @@ Pull requests are welcome. | |||
| 506 | 518 | ||
| 507 | ### Other | 519 | ### Other |
| 508 | 520 | ||
| 521 | [2021: "An EPYC escape: Case-study of a KVM breakout" by Felix Wilhelm](https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html) [article] [CVE-2021-29657] | ||
| 522 | |||
| 523 | [2021: "CVE-2021-1905: Qualcomm Adreno GPU memory mapping use-after-free" by Ben Hawkes](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1905.html) [article] [CVE-2021-1905] | ||
| 524 | |||
| 509 | [2021: "A foray into Linux kernel exploitation on Android" by Ayaz Mammadov](https://mcyoloswagham.github.io/linux/) [article] | 525 | [2021: "A foray into Linux kernel exploitation on Android" by Ayaz Mammadov](https://mcyoloswagham.github.io/linux/) [article] |
| 510 | 526 | ||
| 511 | [2021: "ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier" by Lucas Leong](https://www.zerodayinitiative.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier) [article] | 527 | [2021: "ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier" by Lucas Leong](https://www.zerodayinitiative.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier) [article] |
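Review bot: both additions on lines 521 and 523 are filed under `### Other`, but the Adreno entry describes a use-after-free in a kernel GPU driver, the same kind of driver bug as the Samsung NPU driver write-ups that this patch keeps under `### LPE` (line 261); consider moving it there so the driver bugs stay together, leaving only the KVM breakout, which is a guest-to-host escape rather than a local privilege escalation, under Other.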
| @@ -635,6 +651,8 @@ Pull requests are welcome. | |||
| 635 | 651 | ||
| 636 | [2018: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko at OffensiveCon](https://www.youtube.com/watch?v=mpfKN1URqdQ) [video] | 652 | [2018: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko at OffensiveCon](https://www.youtube.com/watch?v=mpfKN1URqdQ) [video] |
| 637 | 653 | ||
| 654 | [2018: "K-Miner: Uncovering Memory Corruption in Linux"](http://lib.21h.io/library/XHEQU6AX/download/SLDEJFQG/2018_K-Miner_-_Uncovering_Memory_Corruption_in_Linux_Internet_Society.pdf) [paper] | ||
| 655 | |||
| 638 | [2017: "KernelMemorySanitizer (KMSAN)" by Alexander Potapenko](https://blog.linuxplumbersconf.org/2017/ocw/system/presentations/4825/original/KMSAN%20presentation%20for%20LPC%202017.pdf) [slides] | 656 | [2017: "KernelMemorySanitizer (KMSAN)" by Alexander Potapenko](https://blog.linuxplumbersconf.org/2017/ocw/system/presentations/4825/original/KMSAN%20presentation%20for%20LPC%202017.pdf) [slides] |
| 639 | 657 | ||
| 640 | [2017: "The android vulnerability discovery in SoC" by Yu Pan and Yang Dai](http://powerofcommunity.net/poc2017/yu.pdf) [slides] | 658 | [2017: "The android vulnerability discovery in SoC" by Yu Pan and Yang Dai](http://powerofcommunity.net/poc2017/yu.pdf) [slides] |
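Review bot: the K-Miner link on line 654 points at a third-party mirror (`lib.21h.io`) over plain `http://`, and the entry carries no `by ...` author credit while the neighbouring entries on lines 652, 656 and 658 all do; the file name in the URL (`..._Internet_Society.pdf`) indicates this is the NDSS 2018 publisher's copy, so link the official NDSS page or the authors' own copy instead of the mirror and add the attribution.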
| @@ -953,8 +971,16 @@ https://github.com/evdenis/cvehound | |||
| 953 | 971 | ||
| 954 | [github.com/AravGarg/kernel-hacking/ctf-challs](https://github.com/AravGarg/kernel-hacking/tree/master/ctf-challs) | 972 | [github.com/AravGarg/kernel-hacking/ctf-challs](https://github.com/AravGarg/kernel-hacking/tree/master/ctf-challs) |
| 955 | 973 | ||
| 974 | 3kCTF 2021 (echo): [source and exploit](https://github.com/MaherAzzouzi/3k21-pwn/tree/main/echo) | ||
| 975 | |||
| 976 | 3kCTF 2021 (klibrary): [source](https://github.com/MaherAzzouzi/3k21-pwn/tree/main/klibrary), [writeup](https://meowmeowxw.gitlab.io/ctf/3k-2021-klibrary/) | ||
| 977 | |||
| 956 | DiceCTF 2021 (HashBrown): [writeup](https://www.willsroot.io/2021/02/dicectf-2021-hashbrown-writeup-from.html) | 978 | DiceCTF 2021 (HashBrown): [writeup](https://www.willsroot.io/2021/02/dicectf-2021-hashbrown-writeup-from.html) |
| 957 | 979 | ||
| 980 | CUCTF 2020 (Hotrod): [writeup](https://syst3mfailure.io/hotrod) | ||
| 981 | |||
| 982 | SpamAndFlags 2020 (Secstore): [writeup](https://pwnfirstsear.ch/2020/05/10/spamandhexctf2020-secstore.html#secstore-1) | ||
| 983 | |||
| 958 | BSidesTLV CTF 2020 (Kapara): [writeup and exploit](https://jctf.team/BSidesTLV-2020/Kapara/), [video writeup](https://media.handmade-seattle.com/linux-kernel-adventures/) | 984 | BSidesTLV CTF 2020 (Kapara): [writeup and exploit](https://jctf.team/BSidesTLV-2020/Kapara/), [video writeup](https://media.handmade-seattle.com/linux-kernel-adventures/) |
| 959 | 985 | ||
| 960 | HITCON CTF 2020 (spark): [source and exploit #1](https://github.com/david942j/ctf-writeups/tree/master/hitcon-2020/spark), [writeup and exploit #2](https://github.com/BrieflyX/ctf-pwns/tree/master/kernel/spark), [exploit #3](https://gist.github.com/sampritipanda/9fb8f1f92aef6591246e74ed5847c910) | 986 | HITCON CTF 2020 (spark): [source and exploit #1](https://github.com/david942j/ctf-writeups/tree/master/hitcon-2020/spark), [writeup and exploit #2](https://github.com/BrieflyX/ctf-pwns/tree/master/kernel/spark), [exploit #3](https://gist.github.com/sampritipanda/9fb8f1f92aef6591246e74ed5847c910) |
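Review bot: the event name on line 982 reads `SpamAndFlags 2020` while the linked writeup's URL slug reads `spamandhexctf2020-secstore`, so the two disagree on what the CTF was called; confirm the event name before merging so the entry is findable by either name, or mention both in the entry text.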
| @@ -1061,6 +1087,8 @@ https://github.com/crowell/old_blog/blob/source/source/_posts/2014-11-24-hosting | |||
| 1061 | 1087 | ||
| 1062 | ## Misc | 1088 | ## Misc |
| 1063 | 1089 | ||
| 1090 | [2021: "The Complicated History of a Simple Linux Kernel API"](https://www.grsecurity.net/complicated_history_simple_linux_kernel_api) [article] | ||
| 1091 | |||
| 1064 | [2021: "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commit"](https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf) [paper] | 1092 | [2021: "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commit"](https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf) [paper] |
| 1065 | 1093 | ||
| 1066 | [2020: "Android / Linux SLUB aliasing for general- and special-purpose caches" by Vitaly Nikolenko](https://www.youtube.com/watch?v=5-eRsA0l8Pg) [video] | 1094 | [2020: "Android / Linux SLUB aliasing for general- and special-purpose caches" by Vitaly Nikolenko](https://www.youtube.com/watch?v=5-eRsA0l8Pg) [video] |
