January/February updates

author: Andrey Konovalov 2022-03-09 21:33:31 +0100
committer: Andrey Konovalov 2022-03-09 21:42:56 +0100
commit: 4cf9f639e09bae8566f8192b97770eadc717e3f7 (patch)
tree: 383c88b93d73263ae23b7bae9498511550b2c63b /README.md
parent: bf13e7ec833b4f296d13ff474def1abf8e3867ef (diff)
1 files changed, 59 insertions, 5 deletions
diff --git a/README.md b/README.md
index 58ba914..e042eb9 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,8 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
 ### Exploitation
+[2022: "Learning Linux kernel exploitation - Part 1 - Laying the groundwork"](https://0x434b.dev/dabbling-with-linux-kernel-exploitation-ctf-challenges-to-learn-the-ropes/) [article]
 [2021: "ExpRace: Exploiting Kernel Races through Raising Interrupts" at USENIX](https://www.usenix.org/system/files/sec21-lee-yoochan.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_lee_yoochan.pdf)] [[video](https://www.youtube.com/watch?v=CIHRw5YPr9o)]
 [2021: "Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel"](https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html) [article] [[part2](https://syst3mfailure.io/wall-of-perdition)]
@@ -229,9 +231,15 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
 [Linux Kernel CVEs](https://www.linuxkernelcves.com/)
+[Assorted advisories by Gyorgy Miru and kutyacica](https://labs.taszk.io/blog/)
 ### Info-leaks
+[2022: "The AMD Branch (Mis)predictor: Just Set it and Forget it!" by Pawel Wieczorkiewicz](https://grsecurity.net/amd_branch_mispredictor_just_set_it_and_forget_it) [article] [Spectre]
+[2022: "The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341)" by Pawel Wieczorkiewicz](https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before) [article] [Spectre]
 [2021: "Samsung S10+/S9 kernel 4.14 (Android 10) Kernel Function Address (.text) and Heap Address Information Leak"](https://ssd-disclosure.com/ssd-advisory-samsung-s10-s9-kernel-4-14-android-10-kernel-function-address-text-and-heap-address-information-leak/) [article] [CVE-TBD]
 [2021: "Linux Kernel /proc/pid/syscall information disclosure vulnerability"](https://talosintelligence.com/vulnerability_reports/TALOS-2020-1211) [article] [CVE-2020-28588]
@@ -267,6 +275,22 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
 ### LPE
+[2022: "Put an io_uring on it: Exploiting the Linux Kernel" by Valentina Palmiotti](https://www.graplsecurity.com/post/iou-ring-exploiting-the-linux-kernel) [article] [CVE-2021-41073]
+[2022: "The Dirty Pipe Vulnerability" by Max Kellermann](https://dirtypipe.cm4all.com/) [article] [CVE-2022-0847]
+[2022: "CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers"](https://www.willsroot.io/2022/01/cve-2022-0185.html) [article] [CVE-2022-0185]
+[2022: "CVE-2022-0185: Linux kernel slab out-of-bounds write: exploit and writeup" by Alejandro Guerrero](https://www.openwall.com/lists/oss-security/2022/01/25/14) [article] [CVE-2022-0185]
+[2022: "CVE-2022-0185: A Case Study"](https://www.hackthebox.com/blog/CVE-2022-0185:_A_case_study) [article] [CVE-2022-0185]
+[2022: "Linux kernel Use-After-Free (CVE-2021-23134) PoC"](https://ruia-ruia.github.io/NFC-UAF/) [article] [CVE-2021-23134]
+[2022: "Exploiting CVE-2021-26708 (Linux kernel) with ssh"](https://hardenedvault.net/2022/03/01/poc-cve-2021-26708.html) [article] [CVE-2021-26708]
+[2022: "exploiting CVE-2019-2215" by cutesmilee](https://cutesmilee.github.io/kernel/linux/android/2022/02/17/cve-2019-2215_writeup.html) [article] [CVE-2019-2215]
 [2021: "[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver"](https://syst3mfailure.io/sixpack-slab-out-of-bounds) [article] [CVE-2021-42008]
 [2021: "PWN2OWN Local Escalation of Privilege Category, Ubuntu Desktop Exploit"](https://flatt.tech/assets/reports/210401_pwn2own/whitepaper.pdf) [article] [CVE-TBD]
@@ -566,6 +590,8 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
 ### RCE
+[2022: "Zenith: Pwn2Own TP-Link AC1750 Smart Wi-Fi Router Remote Code Execution Vulnerability" by Axel Souchet](https://github.com/0vercl0k/zenith) [article] [CVE-2022-24354]
 [2021: "BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution" by Andy Nguyen](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup): [BadChoice](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq), [BadKarma](https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq), [BadVibes](https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649) [article] [CVE-2020-12352, CVE-2020-12351, CVE-2020-24490]
 [2017: "Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html) [article] [CVE-2017-0569]
@@ -581,6 +607,8 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
 ### Other
+[2022: "CVE-2022-0435: A Remote Stack Overflow in The Linux" by Samuel Page](https://blog.immunityinc.com/p/a-remote-stack-overflow-in-the-linux-kernel/) [article] [CVE-2022-0435]
 [2022: "CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers" by Max Van Amernngen](https://www.sentinelone.com/labs/cve-2021-45608-netusb-rce-flaw-in-millions-of-end-user-routers/) [article] [CVE-2021-45608]
 [2021: "CVE-2021-1048: refcount increment on mid-destruction file" by Jann Horn](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1048.html) [article] [CVE-2021-1048]
@@ -593,8 +621,6 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
 [2021: "CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution" by Max Van Amerongen](https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/) [article] [CVE-2021-43267]
-[2021: "Kernel Vmalloc Use-After-Free in the ION Allocator" by Gyorgy Miru](https://labs.taszk.io/blog/post/61_android_ion_uaf/) [article] [CVE-TBD]
 [2021: "An EPYC escape: Case-study of a KVM breakout" by Felix Wilhelm](https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html) [article] [CVE-2021-29657]
 [2021: "CVE-2021-1905: Qualcomm Adreno GPU memory mapping use-after-free" by Ben Hawkes](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1905.html) [article] [CVE-2021-1905]
@@ -628,6 +654,12 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
 ## Finding Bugs
+[2022: "Case Studies of Fuzzing with Xen" by Tamas K Lengyel at OffensiveCon](https://www.slideshare.net/tklengyel/offensivecon2022-case-studies-of-fuzzing-with-xen) [slides]
+[2021: "Rtkaller: State-aware Task Generation for RTOS Fuzzing"](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/emsoft21.pdf) [paper]
+[2021: "BSOD: Binary-only Scalable fuzzing Of device Drivers" by Fabian Toepfer and Dominik Maier](https://dmnk.co/raid21-bsod.pdf) [paper]
 [2021: "LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution" at USENIX](https://www.usenix.org/system/files/sec22summer_liu-jian.pdf) [paper]
 [2021: "An Analysis of Speculative Type Confusion Vulnerabilities in the Wild" at USENIX](https://www.usenix.org/system/files/sec21-kirzner.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_kirzner.pdf)] [[video](https://www.youtube.com/watch?v=Gxv6LcabKrg)]
@@ -811,6 +843,16 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
 ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
+[2022: "Mitigating Processor Vulnerabilities by Restructuring the Kernel Address Space" by Sebastian Eydam](https://fosdem.org/2022/schedule/event/seydam/attachments/slides/4837/export/events/attachments/seydam/slides/4837/fosdem_pres_seydam.pdf) [slides]
+[2022: "Meaningful Bounds Checking in the Linux Kernel" by Kees Cook at Linux Conf AU](https://outflux.net/slides/2022/lca/) [slides] [[video](https://www.youtube.com/watch?v=17Nqwl30Ch0)]
+[2022: "Mitigating kernel risks on 32-bit ARM" by Ard Biesheuvel](https://security.googleblog.com/2022/02/mitigating-kernel-risks-on-32-bit-arm.html) [article]
+[2022: "Kernel Hardening for 32-bit Arm Processors" by Keith Packard at Linux Conf AU](https://www.youtube.com/watch?v=kmMGdSVDVuQ) [video]
+[2021: "In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication"](https://arxiv.org/pdf/2112.07213.pdf) [paper]
 [2021: "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" by Andrey Konovalov](https://docs.google.com/presentation/d/1IpICtHR1T3oHka858cx1dSNRu2XcT79-RCRPgzCuiRk/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=UwMt0e_dC_Q)]
 [2021: "Midas: Systematic Kernel TOCTTOU Protection" at USENIX](https://www.usenix.org/system/files/sec22summer_bhattacharyya.pdf) [paper]
@@ -930,10 +972,10 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
 ## Exploits
-https://github.com/bsauce/kernel-exploit-factory
 [Project Zero bug reports](https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=linux%20kernel&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&cells=ids&sort=-id)
+https://github.com/bsauce/kernel-exploit-factory
 https://www.exploit-db.com/search/?action=search&description=linux+kernel
 https://github.com/offensive-security/exploit-database/tree/master/platforms/linux/local
@@ -1014,6 +1056,12 @@ https://github.com/scannells/exploits/tree/master/CVE-2020-27194
 https://github.com/lntrx/CVE-2021-28663
+https://haxx.in/files/dirtypipez.c
+https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit
+https://github.com/Bonfee/CVE-2022-25636
 ## Tools
@@ -1096,6 +1144,8 @@ https://github.com/redplait/lkcd
 https://github.com/Kyle-Kyle/pwning-toolset/blob/main/linux-kernel/fgkaslr_gadgets.py
+https://github.com/vusec/kasper
 ## Practice
@@ -1178,7 +1228,7 @@ r2con CTF 2019: [source, exploit, and writeup](https://github.com/esanfelix/r2co
 HITCON CTF Quals 2019 (PoE): [source and exploit](https://github.com/david942j/ctf-writeups/tree/master/hitcon-quals-2019/PoE)
-Balsn CTF 2019 (KrazyNote): [exploit](https://github.com/Mem2019/Mem2019.github.io/blob/master/codes/krazynote.c)
+Balsn CTF 2019 (KrazyNote): [exploit](https://github.com/Mem2019/Mem2019.github.io/blob/master/codes/krazynote.c), [writeup](https://pr0cf5.github.io/ctf/2019/10/10/balsn-ctf-krazynote.html)
 TokyoWesterns CTF 2019 (gnote): [writeup](https://rpis.ec/blog/tokyowesterns-2019-gnote/), video [part 1](https://www.youtube.com/watch?v=n7osrud3PMI), [part 2](https://www.youtube.com/watch?v=i8gZ85VC2Mw)
@@ -1293,3 +1343,7 @@ https://github.com/V4bel/kernel-exploit-technique
 https://github.com/mudongliang/reproduce_kernel_bugs
 https://github.com/bata24/gef
+https://github.com/PaoloMonti42/salt
+https://github.com/davidmalcolm/antipatterns.ko
author	Andrey Konovalov	2022-03-09 21:33:31 +0100
committer	Andrey Konovalov	2022-03-09 21:42:56 +0100
commit	4cf9f639e09bae8566f8192b97770eadc717e3f7 (patch)
tree	383c88b93d73263ae23b7bae9498511550b2c63b /README.md
parent	bf13e7ec833b4f296d13ff474def1abf8e3867ef (diff)