September/October updates

author: Andrey Konovalov 2020-11-05 16:35:38 +0100
committer: GitHub 2020-11-05 16:35:38 +0100
commit: bedc708384015c8c5535d6ee947363659fbf4227 (patch)
tree: 8669c3e1f7a52f1b841e761ea859e436efebcb20 /README.md
parent: 01cbfb0259142da12cd83f407ae5f0f6abdfc74b (diff)
1 files changed, 30 insertions, 1 deletions
diff --git a/README.md b/README.md
index 48a2c52..8e7ea59 100644
--- a/README.md
+++ b/README.md
@@ -11,10 +11,16 @@ Pull requests are welcome.
 ## Workshops
+[2020: "pwn.college: Module: Kernel Security"](https://pwn.college/modules/kernel) [workshop]
 [2020: "Android Kernel Exploitation" by Ashfaq Ansari](https://github.com/cloudfuzz/android-kernel-exploitation) [workshop]
 ## Exploitation Techniques
+[2020: "Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers"](https://www.usenix.org/system/files/woot20-paper1-slides-cho.pdf) [slides] [[paper](https://www.usenix.org/system/files/woot20-paper-cho.pdf)] [[video](https://www.youtube.com/watch?v=uI377m9S0qs)]
+[2020: "BlindSide: Speculative Probing: Hacking Blind in the Spectre Era"](https://www.vusec.net/projects/blindside/) [paper]
 [2020: "Structures that can be used with Kernel Exploit"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article]
 [2020: "Linux Kernel Stack Smashing" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/02/linux-kernel-stack-smashing.html?m=1) [article]
@@ -161,6 +167,10 @@ Pull requests are welcome.
 ### LPE
+[2020: "CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel" by Or Cohen](https://unit42.paloaltonetworks.com/cve-2020-14386/) [article, CVE-2020-14386]
+[2020: "Attacking the Qualcomm Adreno GPU" by Ben Hawkes](https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html) [article, CVE-2020-11179]
 [2020, Black Hat USA: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices.pdf) [slides, CVE-2019-10567] [[paper](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf)]
 [2020: "Binder - Analysis and exploitation of CVE-2020-0041" by Jean-Baptiste Cayrou](https://www.synacktiv.com/posts/exploit/binder-analysis-and-exploitation-of-cve-2020-0041.html) [article, CVE-2020-0041]
@@ -380,6 +390,8 @@ Pull requests are welcome.
 ### RCE
+2020: BleedingTooth vulnarabilities by Andy Nguyen: [BadChoice](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq), [BadKarma](https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq), [BadVibes](https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649) [article, CVE-2020-12352, CVE-2020-12351, CVE-2020-24490]
 [2017: "Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html) [article, CVE-2017-0569]
 [2017: "BlueBorn: The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks"](http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf?t=1505222709963) [whitepaper, CVE-2017-1000251]
@@ -395,6 +407,8 @@ Pull requests are welcome.
 ### Other
+[2020: "The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220)" by Adam Zabrocki](http://blog.pi3.com.pl/?p=720) [article, CVE-2020-14356, CVE-2020-25220]
 [2020: "Curiosity around 'exec_id' and some problems associated with it" by Adam Zabrocki](https://www.openwall.com/lists/kernel-hardening/2020/03/25/1) [article]
 [2020: "The never ending problems of local ASLR holes in Linux"](https://blog.blazeinfosec.com/the-never-ending-problems-of-local-aslr-holes-in-linux/) [article, CVE-2019-11190]
@@ -418,6 +432,8 @@ Pull requests are welcome.
 ## Protection Bypass Techniques
+[2020: "Things not to do when using an IOMMU" by Ilja van Sprundel and Joseph Tartaro](https://www.youtube.com/watch?v=p1HUpSkHcZ0) [video]
 [2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko](https://duasynt.com/blog/samsung-s20-rkp-selinux-disable) [article]
 [2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs"](https://download.vusec.net/papers/tagbleed_eurosp20.pdf) [paper]
@@ -465,6 +481,8 @@ Pull requests are welcome.
 ## Defensive
+[2020: "State of Linux kernel security" by Dmitry Vyukov](https://github.com/ossf/wg-securing-critical-projects/blob/main/presentations/The_state_of_the_Linux_kernel_security.pdf) [slides] [[video](https://www.youtube.com/watch?v=PGwFyzh2KTA&t=1233)]
 [2020, OSTconf: "LKRG IN A NUTSHELL" by Adam Zabrocki](https://www.openwall.com/presentations/OSTconf2020-LKRG-In-A-Nutshell/OSTconf2020-LKRG-In-A-Nutshell.pdf) [slides]
 [2020, Linux Plumbers: "syzkaller / sanitizers: status update" by Dmitry Vyukov](https://linuxplumbersconf.org/event/7/contributions/716/attachments/645/1181/syzkaller_LPC2020.pdf) [slides] [[video](https://www.youtube.com/watch?v=y9Glc90WUN0&t=234)]
@@ -481,7 +499,7 @@ Pull requests are welcome.
 [2019, Linux Security Summit EU: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video]
-[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/) [articles]
+[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7/) [articles]
 [2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento](http://www.alunos.dcc.fc.up.pt/~up201407890/Thesis.pdf) [thesis]
@@ -556,6 +574,8 @@ Pull requests are welcome.
 ## Vulnerability Discovery
+[2020: "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel"](https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf) [paper]
 [2020: "Fuzzing the Linux kernel (x86) entry code, Part 1 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-1-of-3) [article]
 [2020: "Fuzzing the Linux kernel (x86) entry code, Part 2 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-2-of-3) [article]
@@ -777,6 +797,8 @@ https://github.com/chompie1337/s8_2019_2215_poc/
 https://github.com/c3r34lk1ll3r/CVE-2017-5123
+https://github.com/QuestEscape/exploit/tree/master/CVE-2018-9568_WrongZone
 ## Tools
@@ -886,6 +908,11 @@ DEF CON CTF Qualifier 2020 (fungez): [source](https://github.com/o-o-overflow/dc
 ASIS CTF 2020 (Shared House): [writeup](https://ptr-yudai.hatenablog.com/entry/2020/07/06/000622#354pts-Shared-House-7-solves)
+r2con CTF 2020: [source](https://github.com/esanfelix/r2con2020-ctf-kernel), [exploit](https://github.com/dialluvioso/box/blob/master/r2con2020-ctf-kernel/exploit.c)
+Seccon Online 2020 (Kstack): [source, exploit and writeup](https://github.com/BrieflyX/ctf-pwns/tree/master/kernel/kstack)
+N1 CTF 2020 (W2L): [writeup](https://github.com/Nu1LCTF/n1ctf-2020/blob/main/N1CTF2020%20Writeup%20By%20Nu1L.pdf)
 ## Misc
@@ -936,3 +963,5 @@ https://www.twitch.tv/dayzerosec/videos?filter=all&sort=time
 https://github.com/pr0cf5/kernel-exploit-practice
 https://github.com/milabs/lkrg-bypass
+https://github.com/V4bel/kernel-exploit-technique
author	Andrey Konovalov	2020-11-05 16:35:38 +0100
committer	GitHub	2020-11-05 16:35:38 +0100
commit	bedc708384015c8c5535d6ee947363659fbf4227 (patch)
tree	8669c3e1f7a52f1b841e761ea859e436efebcb20 /README.md
parent	01cbfb0259142da12cd83f407ae5f0f6abdfc74b (diff)