November/December updates

author: Andrey Konovalov 2023-01-08 17:08:05 +0100
committer: Andrey Konovalov 2023-01-08 17:08:05 +0100
commit: 938abc1d92d0dd191f575eb03c2b3657b4e111ab (patch)
tree: 247ac176f4752b327543000411cf8e398fc6a76b /README.md
parent: b48c6dc8c01fca1aba9d45da99c5acc4eb4f4c43 (diff)
1 files changed, 49 insertions, 5 deletions
diff --git a/README.md b/README.md
index ad1da23..e04ad55 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### Exploitation
+[2022: "FUSE for Linux Exploitation 101"](https://exploiter.dev/blog/2022/FUSE-exploit.html) [article]
+[2022: "Kernel Exploit Recipes"](https://drive.google.com/file/d/1kRHgQ9qDr4vgxJ4rVL-UNKvCamva_TRB/view) [brochure]
 [2022: "pipe_buffer arbitrary read write" by Jayden R](https://interruptlabs.co.uk/labs/pipe_buffer/) [article]
 [2022: "Joy of exploiting the Kernel"](https://docs.google.com/presentation/d/e/2PACX-1vR4mpH3aARLMOhJemVGEw1cduXPEo_PvrbZMum8QwOJ6rhZvvezsif4qtgSydVVt8jPT1fztgD5Mj7q/pub?slide=id.p) [slides]
@@ -60,6 +64,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 [2022: "Pawnyable: Linux Kernel Exploitation" by ptr-yudai](https://pawnyable.cafe/linux-kernel/index.html) [articles]
+[2022: "DirtyCred: Escalating Privilege in Linux Kernel"](https://zplin.me/papers/DirtyCred.pdf) [paper] [[slides](https://zplin.me/papers/DirtyCred_CCS_slides.pdf)] [[artifacts](https://github.com/Markakd/DirtyCred)]
 [2022: "DirtyCred: Cautious! A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe"](https://i.blackhat.com/USA-22/Thursday/US-22-Lin-Cautious-A-New-Exploitation-Method.pdf) [slides] [[artifacts](https://github.com/Markakd/DirtyCred)]
 [2022: "CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel"](https://syst3mfailure.io/corjail) [article]
@@ -271,6 +277,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### Info-leaks
+[2022: "EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)"](https://www.willsroot.io/2022/12/entrybleed.html) [article] [CVE-2022-4543]
 [2022: "Yet another bug into Netfilter" by Arthur Mongodin](https://www.randorisec.fr/yet-another-bug-netfilter/) [article] [CVE-2022-1972]
 [2022: "The AMD Branch (Mis)predictor: Just Set it and Forget it!" by Pawel Wieczorkiewicz](https://grsecurity.net/amd_branch_mispredictor_just_set_it_and_forget_it) [article] [Spectre]
@@ -312,6 +320,20 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### LPE
+[2022: "Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg" by Sergi Martinez](https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg/) [article] [CVE-2022-32250]
+[2022: "Exploiting CVE-2022-42703 - Bringing back the stack attack" by Seth Jenkins](https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html) [article] [CVE-2022-42703]
+[2022: "CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF"](https://1day.dev/notes/CVE-2022-2602-DirtyCred-File-Exploitation-applied-on-an-io_uring-UAF/) [article] [CVE-2022-2602]
+[2022: "DirtyCred Remastered: how to turn an UAF into Privilege Escalation"](https://exploiter.dev/blog/2022/CVE-2022-2602.html) [article] [CVE-2022-2602]
+[2022: "Exploiting cross table object reference in Linux Netfilter table (NFT) module"](https://docs.google.com/presentation/d/1qcPPz9E_X3z5h_E-Cc7Qmy1ppP4hWjFZQCQ5ZCb9hw8/edit?usp=sharing) [slides] [CVE-2022-2078] [CVE-2022-2586]
+[2022: "Linux Kernel n-day exploit development"](https://1day.dev/notes/Linux-Kernel-n-day-exploit-development/) [article] [CVE-2020-27786]
+[2022: "Linux Kernel Exploit Development: 1day case study" by Alessandro Groppo](https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study/) [article] [CVE-2020-27786]
 [2022: "[CVE-2022-1786] A Journey To The Dawn"](https://blog.kylebot.net/2022/10/16/CVE-2022-1786/) [article] [CVE-2022-1786]
 [2022: "A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain" by Maddie Stone](https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html) [article] [CVE-2021-25369] [CVE-2021-25370]
@@ -696,6 +718,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 ### Other
+[2022: "Linux Kernel: Infoleak in Bluetooth L2CAP Handling"](https://github.com/google/security-research/security/advisories/GHSA-vccx-8h74-2357) [advisory] [CVE-2022-42895]
+[2022: "Linux Kernel: UAF in Bluetooth L2CAP Handshake"](https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4) [advisory] [CVE-2022-42896]
 [2022: "Vulnerability Details for CVE-2022-41218"](https://github.com/V4bel/CVE-2022-41218) [article] [CVE-2022-41218]
 [2022: "Racing Cats to the Exit: A Boring Linux Kernel Use-After-Free"](https://accessvector.net/2022/linux-itimers-uaf) [article]
@@ -755,6 +781,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 [2022: "Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools" by Andrey Konovalov](https://docs.google.com/presentation/d/1qA8fqRDHKX_WM_ZdDN37EQQZwSTNJ4FFws82tbUSKxY/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=KmFVPyHyfqQ)] [[article](https://lwn.net/Articles/909245/)]
+[2022: "PrIntFuzz: Fuzzing Linux Drivers via Automated Virtual Device Simulation"](https://dl.acm.org/doi/pdf/10.1145/3533767.3534226) [paper]
+[2022: "KSG: Augmenting Kernel Fuzzing with System Call Specification Generation"](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/atc22.pdf) [paper]
+[2022: "Demystifying the Dependency Challenge in Kernel Fuzzing"](https://github.com/ZHYfeng/Dependency/blob/master/Paper.pdf) [paper]
+[2022: "Hunting for Linux kernel public vulnerabilities"](https://1day.dev/notes/Hunting-for-Linux-kernel-public-vulnerabilities/) [article]
 [2022: "DangZero: Efficient Use-After-Free Detection via Direct Page Table Access"](https://download.vusec.net/papers/dangzero_ccs22.pdf) [paper]
 [2022: "How I started chasing speculative type confusion bugs in the kernel and ended up with 'real' ones" by Jakob Koschel](https://lpc.events/event/16/contributions/1211/attachments/979/1981/LPC2022_slides_Jakob_Koschel.pdf) [slides] [[video](https://www.youtube.com/watch?v=LigVc74INaA)]
@@ -783,7 +817,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 [2021: "BSOD: Binary-only Scalable fuzzing Of device Drivers" by Fabian Toepfer and Dominik Maier](https://dmnk.co/raid21-bsod.pdf) [paper]
-[2021: "LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution" at USENIX](https://www.usenix.org/system/files/sec22summer_liu-jian.pdf) [paper]
+[2021: "LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution" at USENIX](https://www.usenix.org/system/files/sec22summer_liu-jian.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec22_slides-liu_jian.pdf)]
 [2021: "An Analysis of Speculative Type Confusion Vulnerabilities in the Wild" at USENIX](https://www.usenix.org/system/files/sec21-kirzner.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_kirzner.pdf)] [[video](https://www.youtube.com/watch?v=Gxv6LcabKrg)]
@@ -988,7 +1022,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 [2022: "Compilers: The Old New Security Frontier" by Brad Spengler](https://grsecurity.net/Compilers_The_Old_New_Security_Frontier_BlueHat_IL_2022.pdf) [slides]
-[2022: "In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication"](https://www.usenix.org/system/files/sec22fall_yoo.pdf) [paper]
+[2022: "In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication"](https://www.usenix.org/system/files/sec22fall_yoo.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec22_slides-yoo.pdf)]
 [2022: "Preventing Kernel Hacks with HAKC"](https://nebelwelt.net/files/22NDSS2.pdf) [paper]
@@ -1000,11 +1034,11 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 [2022: "Kernel Hardening for 32-bit Arm Processors" by Keith Packard at Linux Conf AU](https://www.youtube.com/watch?v=kmMGdSVDVuQ) [video]
-[2021: "In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication"](https://arxiv.org/pdf/2112.07213.pdf) [paper]
 [2021: "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" by Andrey Konovalov](https://docs.google.com/presentation/d/1IpICtHR1T3oHka858cx1dSNRu2XcT79-RCRPgzCuiRk/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=UwMt0e_dC_Q)]
-[2021: "Midas: Systematic Kernel TOCTTOU Protection" at USENIX](https://www.usenix.org/system/files/sec22summer_bhattacharyya.pdf) [paper]
+[2021: "Attack surface analysis of the Linux kernel based on complexity metrics" by Stefan Bavendiek](https://www.researchgate.net/profile/Stefan-Bavendiek/publication/365872100_Attack_surface_analysis_of_the_Linux_kernel_based_on_complexity_metrics/links/638786d9bbdef30dc9877e26/Attack-surface-analysis-of-the-Linux-kernel-based-on-complexity-metrics.pdf) [thesis]
+[2021: "Midas: Systematic Kernel TOCTTOU Protection" at USENIX](https://www.usenix.org/system/files/sec22summer_bhattacharyya.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec22_slides-bhattacharyya.pdf)]
 [2021: "Undo Workarounds for Kernel Bugs" at USENIX](https://www.usenix.org/system/files/sec21-talebi.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_talebi.pdf)] [[video](https://www.youtube.com/watch?v=4QwMMCjAll8)]
@@ -1110,6 +1144,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 [2014: "Kernel Self-Protection through Quantified Attack Surface Reduction" by Anil Kurmus](https://publikationsserver.tu-braunschweig.de/servlets/MCRFileNodeServlet/digibib_derivate_00036154/Diss_Kurmus_Anil.pdf) [paper]
+[2014: "A Tale of Two Kernels: Towards Ending Kernel Hardening Wars with Split Kernel" by Anil Kurmus and Robby Zippel](http://static.securegoose.org/papers/ccs14.pdf) [paper]
 [2013: "KASLR: An Exercise in Cargo Cult Security" by Brad Spengler](https://forums.grsecurity.net/viewtopic.php?f=7&t=3367) [article]
 [2012: "How do I mitigate against NULL pointer dereference vulnerabilities?" by RedHat](https://access.redhat.com/articles/20484) [article]
@@ -1309,6 +1345,10 @@ https://github.com/vusec/kasper
 https://github.com/martinradev/gdb-pt-dump
+https://github.com/chompie1337/kernel_obj_finder
+https://github.com/marin-m/vmlinux-to-elf
 ## Practice
@@ -1475,6 +1515,8 @@ https://github.com/crowell/old_blog/blob/source/source/_posts/2014-11-24-hosting
 ## Misc
+[2022: "Mind the Gap" by Ian Beer](https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html) [article]
 [2022: "Designing subsystems for FUZZ-ability" by Dmitry Vyukov](https://lpc.events/event/16/contributions/1309/attachments/988/1979/Designing%20subsystems%20for%20testability_fuzzing%20%28PDF%20version%29.pdf) [slides] [[video](https://www.youtube.com/watch?v=zmF_AswbVbQ)]
 [2022: "Making syzbot reports more developer-friendly" by Aleksandr Nogikh](https://lpc.events/event/16/contributions/1311/attachments/1013/1951/Making%20syzbot%20reports%20more%20developer-friendly.pdf) [slides] [[video](https://www.youtube.com/watch?v=ePldLzdAArg)]
@@ -1526,3 +1568,5 @@ https://github.com/davidmalcolm/antipatterns.ko
 https://kernel.dance/
 https://github.com/0xricksanchez/like-dbg
+https://github.com/ameetsaahu/Kernel-exploitation
author	Andrey Konovalov	2023-01-08 17:08:05 +0100
committer	Andrey Konovalov	2023-01-08 17:08:05 +0100
commit	938abc1d92d0dd191f575eb03c2b3657b4e111ab (patch)
tree	247ac176f4752b327543000411cf8e398fc6a76b /README.md
parent	b48c6dc8c01fca1aba9d45da99c5acc4eb4f4c43 (diff)