-rw-r--r-- README.md 31
1 files changed, 30 insertions, 1 deletions
diff --git a/README.md b/README.md
index 48a2c52..8e7ea59 100644
--- a/README.md
+++ b/README.md
@@ -11,10 +11,16 @@ Pull requests are welcome.
11 11
12## Workshops 12## Workshops
13 13
14[2020: "pwn.college: Module: Kernel Security"](https://pwn.college/modules/kernel) [workshop]
15
14[2020: "Android Kernel Exploitation" by Ashfaq Ansari](https://github.com/cloudfuzz/android-kernel-exploitation) [workshop] 16[2020: "Android Kernel Exploitation" by Ashfaq Ansari](https://github.com/cloudfuzz/android-kernel-exploitation) [workshop]
15 17
16## Exploitation Techniques 18## Exploitation Techniques
17 19
20[2020: "Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers"](https://www.usenix.org/system/files/woot20-paper1-slides-cho.pdf) [slides] [[paper](https://www.usenix.org/system/files/woot20-paper-cho.pdf)] [[video](https://www.youtube.com/watch?v=uI377m9S0qs)]
21
22[2020: "BlindSide: Speculative Probing: Hacking Blind in the Spectre Era"](https://www.vusec.net/projects/blindside/) [paper]
23
18[2020: "Structures that can be used with Kernel Exploit"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article] 24[2020: "Structures that can be used with Kernel Exploit"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article]
19 25
20[2020: "Linux Kernel Stack Smashing" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/02/linux-kernel-stack-smashing.html?m=1) [article] 26[2020: "Linux Kernel Stack Smashing" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/02/linux-kernel-stack-smashing.html?m=1) [article]
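Review bot: the new BlindSide entry under "## Exploitation Techniques" is tagged [paper] but links to the VUSec project page (https://www.vusec.net/projects/blindside/) rather than to the paper itself, whereas the other [paper]-tagged entries in this diff (the uninitialized-stack-variables entry just above it, TagBleed further down) point straight at a PDF; either link the PDF or tag it as a project page so readers know what to expect.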
@@ -161,6 +167,10 @@ Pull requests are welcome.
161 167
162### LPE 168### LPE
163 169
170[2020: "CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel" by Or Cohen](https://unit42.paloaltonetworks.com/cve-2020-14386/) [article, CVE-2020-14386]
171
172[2020: "Attacking the Qualcomm Adreno GPU" by Ben Hawkes](https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html) [article, CVE-2020-11179]
173
164[2020, Black Hat USA: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices.pdf) [slides, CVE-2019-10567] [[paper](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf)] 174[2020, Black Hat USA: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices.pdf) [slides, CVE-2019-10567] [[paper](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf)]
165 175
166[2020: "Binder - Analysis and exploitation of CVE-2020-0041" by Jean-Baptiste Cayrou](https://www.synacktiv.com/posts/exploit/binder-analysis-and-exploitation-of-cve-2020-0041.html) [article, CVE-2020-0041] 176[2020: "Binder - Analysis and exploitation of CVE-2020-0041" by Jean-Baptiste Cayrou](https://www.synacktiv.com/posts/exploit/binder-analysis-and-exploitation-of-cve-2020-0041.html) [article, CVE-2020-0041]
@@ -380,6 +390,8 @@ Pull requests are welcome.
380 390
381### RCE 391### RCE
382 392
3932020: BleedingTooth vulnarabilities by Andy Nguyen: [BadChoice](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq), [BadKarma](https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq), [BadVibes](https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649) [article, CVE-2020-12352, CVE-2020-12351, CVE-2020-24490]
394
383[2017: "Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html) [article, CVE-2017-0569] 395[2017: "Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html) [article, CVE-2017-0569]
384 396
385[2017: "BlueBorn: The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks"](http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf?t=1505222709963) [whitepaper, CVE-2017-1000251] 397[2017: "BlueBorn: The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks"](http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf?t=1505222709963) [whitepaper, CVE-2017-1000251]
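Review bot: the BleedingTooth entry added under "### RCE" breaks the list's entry format and has a typo. Every neighbouring entry is a single markdown link of the form `[2020: "Title" by Author](url) [type, CVE-...]`, while this one reads `2020: BleedingTooth vulnarabilities by Andy Nguyen: [BadChoice](...), [BadKarma](...), [BadVibes](...)` with the year and title as bare text; "vulnarabilities" should be "vulnerabilities". The [article] tag also does not match the three linked targets, which are GitHub security advisories, so a tag that reflects that would be more accurate.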
@@ -395,6 +407,8 @@ Pull requests are welcome.
395 407
396### Other 408### Other
397 409
410[2020: "The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220)" by Adam Zabrocki](http://blog.pi3.com.pl/?p=720) [article, CVE-2020-14356, CVE-2020-25220]
411
398[2020: "Curiosity around 'exec_id' and some problems associated with it" by Adam Zabrocki](https://www.openwall.com/lists/kernel-hardening/2020/03/25/1) [article] 412[2020: "Curiosity around 'exec_id' and some problems associated with it" by Adam Zabrocki](https://www.openwall.com/lists/kernel-hardening/2020/03/25/1) [article]
399 413
400[2020: "The never ending problems of local ASLR holes in Linux"](https://blog.blazeinfosec.com/the-never-ending-problems-of-local-aslr-holes-in-linux/) [article, CVE-2019-11190] 414[2020: "The never ending problems of local ASLR holes in Linux"](https://blog.blazeinfosec.com/the-never-ending-problems-of-local-aslr-holes-in-linux/) [article, CVE-2019-11190]
@@ -418,6 +432,8 @@ Pull requests are welcome.
418 432
419## Protection Bypass Techniques 433## Protection Bypass Techniques
420 434
435[2020: "Things not to do when using an IOMMU" by Ilja van Sprundel and Joseph Tartaro](https://www.youtube.com/watch?v=p1HUpSkHcZ0) [video]
436
421[2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko](https://duasynt.com/blog/samsung-s20-rkp-selinux-disable) [article] 437[2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko](https://duasynt.com/blog/samsung-s20-rkp-selinux-disable) [article]
422 438
423[2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs"](https://download.vusec.net/papers/tagbleed_eurosp20.pdf) [paper] 439[2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs"](https://download.vusec.net/papers/tagbleed_eurosp20.pdf) [paper]
@@ -465,6 +481,8 @@ Pull requests are welcome.
465 481
466## Defensive 482## Defensive
467 483
484[2020: "State of Linux kernel security" by Dmitry Vyukov](https://github.com/ossf/wg-securing-critical-projects/blob/main/presentations/The_state_of_the_Linux_kernel_security.pdf) [slides] [[video](https://www.youtube.com/watch?v=PGwFyzh2KTA&t=1233)]
485
468[2020, OSTconf: "LKRG IN A NUTSHELL" by Adam Zabrocki](https://www.openwall.com/presentations/OSTconf2020-LKRG-In-A-Nutshell/OSTconf2020-LKRG-In-A-Nutshell.pdf) [slides] 486[2020, OSTconf: "LKRG IN A NUTSHELL" by Adam Zabrocki](https://www.openwall.com/presentations/OSTconf2020-LKRG-In-A-Nutshell/OSTconf2020-LKRG-In-A-Nutshell.pdf) [slides]
469 487
470[2020, Linux Plumbers: "syzkaller / sanitizers: status update" by Dmitry Vyukov](https://linuxplumbersconf.org/event/7/contributions/716/attachments/645/1181/syzkaller_LPC2020.pdf) [slides] [[video](https://www.youtube.com/watch?v=y9Glc90WUN0&t=234)] 488[2020, Linux Plumbers: "syzkaller / sanitizers: status update" by Dmitry Vyukov](https://linuxplumbersconf.org/event/7/contributions/716/attachments/645/1181/syzkaller_LPC2020.pdf) [slides] [[video](https://www.youtube.com/watch?v=y9Glc90WUN0&t=234)]
@@ -481,7 +499,7 @@ Pull requests are welcome.
481 499
482[2019, Linux Security Summit EU: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video] 500[2019, Linux Security Summit EU: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video]
483 501
484[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/) [articles] 502[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7/) [articles]
485 503
486[2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento](http://www.alunos.dcc.fc.up.pt/~up201407890/Thesis.pdf) [thesis] 504[2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento](http://www.alunos.dcc.fc.up.pt/~up201407890/Thesis.pdf) [thesis]
487 505
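Review bot: the Kees Cook entry under "## Defensive" keeps its 2019 year label while its URL moves from the 2019/11/14 v5.3 post to the 2020/09/21 v5.7 post, so the year no longer matches the link. Either bump the year to 2020 or, since the entry is titled "security things in Linux vX.X" and tagged [articles], point it at an index of the series so it does not have to be re-targeted every release.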
@@ -556,6 +574,8 @@ Pull requests are welcome.
556 574
557## Vulnerability Discovery 575## Vulnerability Discovery
558 576
577[2020: "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel"](https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf) [paper]
578
559[2020: "Fuzzing the Linux kernel (x86) entry code, Part 1 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-1-of-3) [article] 579[2020: "Fuzzing the Linux kernel (x86) entry code, Part 1 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-1-of-3) [article]
560 580
561[2020: "Fuzzing the Linux kernel (x86) entry code, Part 2 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-2-of-3) [article] 581[2020: "Fuzzing the Linux kernel (x86) entry code, Part 2 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-2-of-3) [article]
@@ -777,6 +797,8 @@ https://github.com/chompie1337/s8_2019_2215_poc/
777 797
778https://github.com/c3r34lk1ll3r/CVE-2017-5123 798https://github.com/c3r34lk1ll3r/CVE-2017-5123
779 799
800https://github.com/QuestEscape/exploit/tree/master/CVE-2018-9568_WrongZone
801
780 802
781## Tools 803## Tools
782 804
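Review bot: the added PoC link (https://github.com/QuestEscape/exploit/tree/master/CVE-2018-9568_WrongZone) is followed by a new blank line on top of the existing one, leaving two consecutive blank lines before "## Tools"; drop one so the spacing matches the single blank line used between the other entries in this section.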
@@ -886,6 +908,11 @@ DEF CON CTF Qualifier 2020 (fungez): [source](https://github.com/o-o-overflow/dc
886 908
887ASIS CTF 2020 (Shared House): [writeup](https://ptr-yudai.hatenablog.com/entry/2020/07/06/000622#354pts-Shared-House-7-solves) 909ASIS CTF 2020 (Shared House): [writeup](https://ptr-yudai.hatenablog.com/entry/2020/07/06/000622#354pts-Shared-House-7-solves)
888 910
911r2con CTF 2020: [source](https://github.com/esanfelix/r2con2020-ctf-kernel), [exploit](https://github.com/dialluvioso/box/blob/master/r2con2020-ctf-kernel/exploit.c)
912
913Seccon Online 2020 (Kstack): [source, exploit and writeup](https://github.com/BrieflyX/ctf-pwns/tree/master/kernel/kstack)
914
915N1 CTF 2020 (W2L): [writeup](https://github.com/Nu1LCTF/n1ctf-2020/blob/main/N1CTF2020%20Writeup%20By%20Nu1L.pdf)
889 916
890## Misc 917## Misc
891 918
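Review bot: the r2con CTF 2020 entry omits the challenge name in parentheses that the other entries in this hunk carry (`ASIS CTF 2020 (Shared House)`, `Seccon Online 2020 (Kstack)`, `N1 CTF 2020 (W2L)`); add it if the challenge had one so the entry is consistent with the rest of the CTF list.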
@@ -936,3 +963,5 @@ https://www.twitch.tv/dayzerosec/videos?filter=all&sort=time
936https://github.com/pr0cf5/kernel-exploit-practice 963https://github.com/pr0cf5/kernel-exploit-practice
937 964
938https://github.com/milabs/lkrg-bypass 965https://github.com/milabs/lkrg-bypass
966
967https://github.com/V4bel/kernel-exploit-technique