summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--README.md40
1 files changed, 37 insertions, 3 deletions
diff --git a/README.md b/README.md
index 370fe12..953aad4 100644
--- a/README.md
+++ b/README.md
@@ -47,11 +47,15 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
47 47
48### Exploitation 48### Exploitation
49 49
50[2022: "Linux kernel heap feng shui in 2022" by Michael S and Vitaly Nikolenko](https://duasynt.com/blog/linux-kernel-heap-feng-shui-2022) [article]
51
52[2022: "LiKE: A Series on Linux Kernel Exploitation" by sam4k](https://sam4k.com/like-a-series-on-linux-kernel-exploitation/) [article] [[modprobe_path](https://sam4k.com/like-techniques-modprobe_path/)]
53
50[2022: "Racing against the clock -- hitting a tiny kernel race window" by Jann Horn](https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting-tiny.html) [article] 54[2022: "Racing against the clock -- hitting a tiny kernel race window" by Jann Horn](https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting-tiny.html) [article]
51 55
52[2022: "Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability"](https://www.usenix.org/system/files/sec22fall_zeng.pdf) [paper] 56[2022: "Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability"](https://www.usenix.org/system/files/sec22fall_zeng.pdf) [paper]
53 57
54[2022: "Learning Linux kernel exploitation - Part 1 - Laying the groundwork"](https://0x434b.dev/dabbling-with-linux-kernel-exploitation-ctf-challenges-to-learn-the-ropes/) [article] 58[2022: "Learning Linux kernel exploitation" by 0x434b](https://0x434b.dev/dabbling-with-linux-kernel-exploitation-ctf-challenges-to-learn-the-ropes/) [article] [[part 2](https://0x434b.dev/learning-linux-kernel-exploitation-part-2-cve-2022-0847/)]
55 59
56[2021: "ExpRace: Exploiting Kernel Races through Raising Interrupts" at USENIX](https://www.usenix.org/system/files/sec21-lee-yoochan.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_lee_yoochan.pdf)] [[video](https://www.youtube.com/watch?v=CIHRw5YPr9o)] 60[2021: "ExpRace: Exploiting Kernel Races through Raising Interrupts" at USENIX](https://www.usenix.org/system/files/sec21-lee-yoochan.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_lee_yoochan.pdf)] [[video](https://www.youtube.com/watch?v=CIHRw5YPr9o)]
57 61
@@ -180,7 +184,9 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
180[2005: "The story of exploiting kmalloc() overflows"](https://argp.github.io/public/kmalloc_exploitation.pdf) [article] 184[2005: "The story of exploiting kmalloc() overflows"](https://argp.github.io/public/kmalloc_exploitation.pdf) [article]
181 185
182 186
183## Protection Bypasses 187### Protection Bypasses
188
189[2022: "Tetragone: A Lesson in Security Fundamentals" by Pawel Wieczorkiewicz and Brad Spengler](https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals) [article]
184 190
185[2021: "A General Approach to Bypassing Many Kernel Protections and its Mitigation" by Yueqi Chen](https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Chen-A-General-Approach-To-Bypassing-Many-Kernel-Protections-And-Its-Mitigation.pdf) [slides] [[video](https://www.youtube.com/watch?v=EIwEF3tCtg4)] 191[2021: "A General Approach to Bypassing Many Kernel Protections and its Mitigation" by Yueqi Chen](https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Chen-A-General-Approach-To-Bypassing-Many-Kernel-Protections-And-Its-Mitigation.pdf) [slides] [[video](https://www.youtube.com/watch?v=EIwEF3tCtg4)]
186 192
@@ -240,6 +246,8 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
240 246
241### Info-leaks 247### Info-leaks
242 248
249[2022: "Yet another bug into Netfilter" by Arthur Mongodin](https://www.randorisec.fr/yet-another-bug-netfilter/) [article] [CVE-2022-1972]
250
243[2022: "The AMD Branch (Mis)predictor: Just Set it and Forget it!" by Pawel Wieczorkiewicz](https://grsecurity.net/amd_branch_mispredictor_just_set_it_and_forget_it) [article] [Spectre] 251[2022: "The AMD Branch (Mis)predictor: Just Set it and Forget it!" by Pawel Wieczorkiewicz](https://grsecurity.net/amd_branch_mispredictor_just_set_it_and_forget_it) [article] [Spectre]
244 252
245[2022: "The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341)" by Pawel Wieczorkiewicz](https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before) [article] [Spectre] 253[2022: "The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341)" by Pawel Wieczorkiewicz](https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before) [article] [Spectre]
@@ -279,6 +287,16 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
279 287
280### LPE 288### LPE
281 289
290[2022: "The Android kernel mitigations obstacle race" by Man Yue Mo](https://github.blog/2022-06-16-the-android-kernel-mitigations-obstacle-race/) [article] [CVE-2022-22057]
291
292[2022: "io_uring - new code, new bugs, and a new exploit technique" by Lam Jun Rong](https://starlabs.sg/blog/2022/06/io_uring-new-code-new-bugs-and-a-new-exploit-technique/) [article] [CVE-2021-41073]
293
294[2022: "Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)" by lolcads](https://lolcads.github.io/posts/2022/06/dirty_pipe_cve_2022_0847/) [article] [CVE-2022-0847]
295
296[2022: "DirtyPipe-Android/TECHNICAL-DETAILS.md" by polygraphene](https://github.com/polygraphene/DirtyPipe-Android/blob/master/TECHNICAL-DETAILS.md) [article] [CVE-2022-0847]
297
298[2022: "Weaponizing dirtypipe on android" by Giovanni Rocca](https://docs.google.com/presentation/d/1Tq00gy1GtiK0OvNYOy_kCz0er9ZECBXGoy5Lfy5MD3M/edit?usp=sharing) [slides] [[exploit](https://github.com/iGio90/DirtyPipeZ)] [CVE-2022-0847]
299
282[2022: "How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables" by David Bouman](https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/) [CVE-2022-1015] [CVE-2022-1016] 300[2022: "How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables" by David Bouman](https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/) [CVE-2022-1015] [CVE-2022-1016]
283 301
284[2022: "The Discovery and Exploitation of CVE-2022-25636" by Nick Gregory](https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/) [article] [CVE-2022-25636] 302[2022: "The Discovery and Exploitation of CVE-2022-25636" by Nick Gregory](https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/) [article] [CVE-2022-25636]
@@ -301,6 +319,8 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
301 319
302[2022: "exploiting CVE-2019-2215" by cutesmilee](https://cutesmilee.github.io/kernel/linux/android/2022/02/17/cve-2019-2215_writeup.html) [article] [CVE-2019-2215] 320[2022: "exploiting CVE-2019-2215" by cutesmilee](https://cutesmilee.github.io/kernel/linux/android/2022/02/17/cve-2019-2215_writeup.html) [article] [CVE-2019-2215]
303 321
322[2021: "Your Trash Kernel Bug, My Precious 0-day" by Zhenpeng Lin](https://zplin.me/talks/BHEU21_trash_kernel_bug.pdf) [slides] [CVE-2021-3715]
323
304[2021: "[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver"](https://syst3mfailure.io/sixpack-slab-out-of-bounds) [article] [CVE-2021-42008] 324[2021: "[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver"](https://syst3mfailure.io/sixpack-slab-out-of-bounds) [article] [CVE-2021-42008]
305 325
306[2021: "PWN2OWN Local Escalation of Privilege Category, Ubuntu Desktop Exploit"](https://flatt.tech/assets/reports/210401_pwn2own/whitepaper.pdf) [article] [CVE-TBD] 326[2021: "PWN2OWN Local Escalation of Privilege Category, Ubuntu Desktop Exploit"](https://flatt.tech/assets/reports/210401_pwn2own/whitepaper.pdf) [article] [CVE-TBD]
@@ -359,6 +379,8 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
359 379
360[2021: "Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG" by Alexander Popov](https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf)] [[video](https://www.youtube.com/watch?v=n6YLiYiCIMA)] 380[2021: "Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG" by Alexander Popov](https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf)] [[video](https://www.youtube.com/watch?v=n6YLiYiCIMA)]
361 381
382[2021: "Gaining root access in Linux using the CVE-2021-26708 vulnerability" by Markel Azpeitia Loiti](https://addi.ehu.es/bitstream/handle/10810/53355/GrAL_MAzpeitia.pdf) [paper]
383
362[2021: "CVE-2014-3153" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernelStudy/tree/main/CVE-2014-3153) [article] [CVE-2014-3153] 384[2021: "CVE-2014-3153" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernelStudy/tree/main/CVE-2014-3153) [article] [CVE-2014-3153]
363 385
364[2021: "The curious case of CVE-2020-14381"](https://blog.frizn.fr/linux-kernel/cve-2020-14381) [article] [CVE-2020-14381] 386[2021: "The curious case of CVE-2020-14381"](https://blog.frizn.fr/linux-kernel/cve-2020-14381) [article] [CVE-2020-14381]
@@ -666,6 +688,10 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
666 688
667## Finding Bugs 689## Finding Bugs
668 690
691[2022: "GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs"](https://zplin.me/papers/GREBE.pdf) [paper]
692
693[2022: "An In-depth Analysis of Duplicated Linux Kernel Bug Reports"](https://zplin.me/papers/bug_analysis.pdf) [paper]
694
669[2022: "Looking for Remote Code Execution bugs in the Linux kernel" by Andrey Konovalov](https://xairy.io/articles/syzkaller-external-network) [article] 695[2022: "Looking for Remote Code Execution bugs in the Linux kernel" by Andrey Konovalov](https://xairy.io/articles/syzkaller-external-network) [article]
670 696
671[2022: "Demystifying the Dependency Challenge in Kernel Fuzzing"](https://github.com/ZHYfeng/Dependency/blob/master/Paper.pdf) [paper] 697[2022: "Demystifying the Dependency Challenge in Kernel Fuzzing"](https://github.com/ZHYfeng/Dependency/blob/master/Paper.pdf) [paper]
@@ -792,7 +818,7 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
792 818
793[2019: "Razzer: Finding Kernel Race Bugs through Fuzzing"](https://www.youtube.com/watch?v=9UszCIxc0r0) [video] [[paper](https://lifeasageek.github.io/papers/jeong:razzer.pdf)] 819[2019: "Razzer: Finding Kernel Race Bugs through Fuzzing"](https://www.youtube.com/watch?v=9UszCIxc0r0) [video] [[paper](https://lifeasageek.github.io/papers/jeong:razzer.pdf)]
794 820
795[2019: "Fuzzing File Systems via Two-Dimensional Input Space Exploration"](https://taesoo.kim/pubs/2019/xu:janus.pdf) [paper] 821[2019: "Fuzzing File Systems via Two-Dimensional Input Space Exploration"](https://taesoo.kim/pubs/2019/xu:janus.pdf) [paper] [[fuzzer](https://github.com/sslab-gatech/janus)]
796 822
797[2019: "PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary"](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04A-1_Song_paper.pdf) [paper] 823[2019: "PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary"](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04A-1_Song_paper.pdf) [paper]
798 824
@@ -867,6 +893,8 @@ Subscribe to @linkersec on [Telegram](https://t.me/linkersec), [Twitter](https:/
867 893
868["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map) 894["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
869 895
896[2022: "Meaningful Bounds Checking in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2022/lss-na/) [slides]
897
870[2022: "Compilers: The Old New Security Frontier" by Brad Spengler](https://grsecurity.net/Compilers_The_Old_New_Security_Frontier_BlueHat_IL_2022.pdf) [slides] 898[2022: "Compilers: The Old New Security Frontier" by Brad Spengler](https://grsecurity.net/Compilers_The_Old_New_Security_Frontier_BlueHat_IL_2022.pdf) [slides]
871 899
872[2022: "In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication"](https://www.usenix.org/system/files/sec22fall_yoo.pdf) [paper] 900[2022: "In-Kernel Control-Flow Integrity on Commodity OSes using ARM Pointer Authentication"](https://www.usenix.org/system/files/sec22fall_yoo.pdf) [paper]
@@ -1096,6 +1124,10 @@ https://github.com/Bonfee/CVE-2022-25636
1096 1124
1097https://github.com/Bonfee/CVE-2022-0995 1125https://github.com/Bonfee/CVE-2022-0995
1098 1126
1127https://github.com/tr3ee/CVE-2022-23222
1128
1129https://github.com/tr3ee/CVE-2021-4204
1130
1099 1131
1100## Tools 1132## Tools
1101 1133
@@ -1133,6 +1165,8 @@ https://github.com/snorez/ebpf-fuzzer
1133 1165
1134https://github.com/SmoothHacker/LateRegistration 1166https://github.com/SmoothHacker/LateRegistration
1135 1167
1168https://github.com/sslab-gatech/janus
1169
1136 1170
1137### Assorted 1171### Assorted
1138 1172