From 1dce3eccf81e163220f154358b93b4e5d1e64653 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Sat, 13 Mar 2021 21:01:54 +0100 Subject: January/February updates --- README.md | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 55 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 029adc7..ffc7a04 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,12 @@ Pull requests are welcome. ## Exploitation Techniques +[2021: "Linux Kernel Exploitation Technique: Overwriting modprobe_path"](https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/) [article] + +[2021: "Learning Linux Kernel Exploitation"](https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/) [article] [[part 2](https://lkmidas.github.io/posts/20210128-linux-kernel-pwn-part-2/)] [[part 3](https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/)] + +[2020: "Exploiting Kernel Races Through Taming Thread Interleaving"](https://i.blackhat.com/USA-20/Thursday/us-20-Lee-Exploiting-Kernel-Races-Through-Taming-Thread-Interleaving.pdf) [slides] [[video](https://www.youtube.com/watch?v=5M3WhLVLCzs)] + [2020: "Locating the kernel PGD on Android/aarch64" by Vitaly Nikolenko](https://duasynt.com/blog/android-pgd-page-tables) [article] [2020: "A Systematic Study of Elastic Objects in Kernel Exploitation"](https://zplin.me/papers/ELOISE.pdf) [paper] [[video](https://www.youtube.com/watch?v=yXhH0IJAxkE)] @@ -143,6 +149,10 @@ Pull requests are welcome. ### Information Leaks +[2021: "Spectre exploits in the "wild""](https://dustri.org/b/spectre-exploits-in-the-wild.html) [article] + +[2021: "VDSO As A Potential KASLR Oracle" by Philip Pettersson and Alex Radocea](https://www.longterm.io/vdso_sidechannel.html) [article] + [2020: "PLATYPUS: Software-based Power Side-Channel Attacks on x86"](https://platypusattack.com/platypus.pdf) [paper] [2019: "CVE-2018-3639 / CVE-2019-7308 - Analysis of Spectre Attacking Linux Kernel ebpf"](https://xz.aliyun.com/t/4230) [article, CVE-2018-3639, CVE-2019-7308] @@ -170,6 +180,14 @@ Pull requests are welcome. ### LPE +[2021: "The curious case of CVE-2020-14381"](https://blog.frizn.fr/linux-kernel/cve-2020-14381) [article, CVE-2020-14381] + +[2021: "Galaxy's Meltdown - Exploiting SVE-2020-18610"](https://github.com/vngkv123/articles/blob/main/Galaxy's%20Meltdown%20-%20Exploiting%20SVE-2020-18610.md) [article, CVE-2020-28343, SVE-2020-18610] + +[2021: "In-the-Wild Series: Android Exploits" by Mark Brand](https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html) [article] + +[2021: "Exploiting CVE-2014-3153 (Towelroot)" by Elon Gliksberg](https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html) [article, CVE-2014-3153] + [2020: "An iOS hacker tries Android" by Brandon Azad](https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html) [article, CVE-2020-28343, SVE-2020-18610] [2020: "Exploiting a Single Instruction Race Condition in Binder"](https://blog.longterm.io/cve-2020-0423.html) [article, CVE-2020-0423] @@ -214,7 +232,9 @@ Pull requests are welcome. [2019: "Tailoring CVE-2019-2215 to Achieve Root" by Grant Hernandez](https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/) [article, CVE-2019-2215] -[2019: "From Zero to Root: Building Universal Android Rooting with a Type Confusion Vulnerability" by Wang Yong](https://github.com/ThomasKing2014/slides/blob/master/Building%20universal%20Android%20rooting%20with%20a%20type%20confusion%20vulnerability.pdf) [slides, CVE-2018-9568] +[2019: "From Zero to Root: Building Universal Android Rooting with a Type Confusion Vulnerability" by Wang Yong](https://github.com/ThomasKing2014/slides/blob/master/Building%20universal%20Android%20rooting%20with%20a%20type%20confusion%20vulnerability.pdf) [slides, CVE-2018-9568, WrongZone] + +[2019: "KARMA takes a look at offense and defense: WrongZone from exploitation to repair"](https://mp.weixin.qq.com/s?__biz=MzA3NTQ3ODI0NA==&mid=2247485060&idx=1&sn=b3773b0478f7b5ee39fa1a6527b4f3ff) [article, CVE-2018-9568, WrongZone] [2019: "Android Binder: The Bridge To Root" by Hongli Han and Mingjian Zhou](https://conference.hitb.org/hitbsecconf2019ams/materials/D2T2%20-%20Binder%20-%20The%20Bridge%20to%20Root%20-%20Hongli%20Han%20&%20Mingjian%20Zhou.pdf) [slides, CVE-2019-2025] @@ -294,7 +314,7 @@ Pull requests are welcome. [2016: "CVE-2016-8655 Linux af_packet.c race condition (local root)" by Philip Pettersson](http://seclists.org/oss-sec/2016/q4/607) [announcement, CVE-2016-8655] -[2016: "Rooting Every Android From Extension To Exploitation" by Di Shen and James Fang at Black Hat](https://speakerdeck.com/retme7/rooting-every-android-from-extension-to-exploitation) [slides, CVE-2015-0570, CVE-2016-0820, CVE-2016-2475, CVE-2016-8453] +[2016: "Rooting Every Android From Extension To Exploitation" by Di Shen and James Fang at Black Hat](https://speakerdeck.com/retme7/rooting-every-android-from-extension-to-exploitation) [slides, CVE-2015-0570, CVE-2016-0820, CVE-2016-2475, CVE-2016-8453] [[article](https://www.blackhat.com/docs/eu-16/materials/eu-16-Shen-Rooting-Every-Android-From-Extension-To-Exploitation-wp.pdf)] [2016: "Talk is Cheap, Show Me the Code" by James Fang, Di Shen and Wen Niu](https://speakerdeck.com/retme7/talk-is-cheap-show-me-the-code) [slides, CVE-2015-1805] @@ -406,6 +426,8 @@ Pull requests are welcome. ### Other +[2021: "ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier" by Lucas Leong](https://www.zerodayinitiative.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier) [article] + [2020: "CVE-2020-16119"](https://github.com/HadarManor/Public-Vulnerabilities/blob/master/CVE-2020-16119/CVE-2020-16119.md) [article, CVE-2020-16119] [2020: "The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220)" by Adam Zabrocki](http://blog.pi3.com.pl/?p=720) [article, CVE-2020-14356, CVE-2020-25220] @@ -478,6 +500,8 @@ Pull requests are welcome. ## Defensive +[2021: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/) [articles] + [2020: "Kernel Integrity Enforcement with HLAT In a Virtual Machine" by Chao Gao](https://static.sched.com/hosted_files/osseu2020/ce/LSSEU20_kernel%20integrity%20enforcement%20with%20HLAT%20in%20a%20virtual%20machine_v3.pdf) [slides] [[video](https://www.youtube.com/watch?v=N8avvE_neV0)] [2020: "Linux kernel heap quarantine versus use-after-free exploits" by Alexander Popov](https://a13xp0p0v.github.io/2020/11/30/slab-quarantine.html) [article] @@ -486,8 +510,6 @@ Pull requests are welcome. [2020: "LKRG IN A NUTSHELL" by Adam Zabrocki at OSTconf](https://www.openwall.com/presentations/OSTconf2020-LKRG-In-A-Nutshell/OSTconf2020-LKRG-In-A-Nutshell.pdf) [slides] -[2020: "syzkaller / sanitizers: status update" by Dmitry Vyukov at Linux Plumbers](https://linuxplumbersconf.org/event/7/contributions/716/attachments/645/1181/syzkaller_LPC2020.pdf) [slides] [[video](https://www.youtube.com/watch?v=y9Glc90WUN0&t=234)] - [2020: "Following the Linux Kernel Defence Map" by Alexander Popov at Linux Plumbers](https://linuxplumbersconf.org/event/7/contributions/775/attachments/610/1096/Following_the_Linux_Kernel_Defence_Map.pdf) [slides] [[video](https://www.youtube.com/watch?v=4c01jjbQmBc&t=8555)] [2020: "Memory Tagging for the Kernel: Tag-Based KASAN" by Andrey Konovalov](https://docs.google.com/presentation/d/10V_msbtEap9dNerKvTrRAzvfzYdrQFC8e2NYHCZYJDE/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=f-Rm7JFsJGI)] @@ -500,8 +522,6 @@ Pull requests are welcome. [2019: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa at Linux Security Summit EU](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video] -[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7/) [articles] - [2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento](http://www.alunos.dcc.fc.up.pt/~up201407890/Thesis.pdf) [thesis] [2019: "Kernel Self-Protection Project" by Kees Cook](https://outflux.net/slides/2019/lss/kspp.pdf) [slides] @@ -575,6 +595,16 @@ Pull requests are welcome. ## Vulnerability Discovery +[2021: "Fuzzing the Linux Kernel" by Andrey Konovalov](https://linuxfoundation.org/wp-content/uploads/2021-Linux-Foundation-Mentorship-Series_-Fuzzing-the-Linux-Kernel.pdf) [slides] [[video](https://www.youtube.com/watch?v=4IBWj21tg-c)] + +[2021: "Dynamic program analysis for fun and profit" by Dmitry Vyukov](https://linuxfoundation.org/wp-content/uploads/Dynamic-program-analysis_-LF-Mentorship.pdf) [slides] [[video](https://www.youtube.com/watch?v=ufcyOkgFZ2Q)] + +[2020: "Fuzzing the Berkeley Packet Filter" by Benjamin Curt Nilsen](https://search.proquest.com/openview/feeeac2f4c7f767740986bdbf9d51785/1?pq-origsite=gscholar&cbl=44156) [thesis] + +[2020: "syzkaller: Adventures in Continuous Coverage-guided Kernel Fuzzing" by Dmitry Vyukov at BlueHat IL](https://docs.google.com/presentation/d/e/2PACX-1vRWjOOL45BclKsCPMzdWmvH12hu-Ld1cU5MbB1tqcBhjVIr1M_qxZRE-ObKcVmqpCyqRAO62Sxm0_aW/pub?start=false&loop=false&delayms=3000&slide=id.p) [[video](https://www.youtube.com/watch?v=YwX4UyXnhz0)] + +[2020: "syzkaller / sanitizers: status update" by Dmitry Vyukov at Linux Plumbers](https://linuxplumbersconf.org/event/7/contributions/716/attachments/645/1181/syzkaller_LPC2020.pdf) [slides] [[video](https://www.youtube.com/watch?v=y9Glc90WUN0&t=234)] + [2020: "Fuzzing for eBPF JIT bugs in the Linux kernel" by Simon Scannell](https://scannell.me/fuzzing-for-ebpf-jit-bugs-in-the-linux-kernel/) [article] [2020: "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel"](https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf) [paper] @@ -589,7 +619,7 @@ Pull requests are welcome. [2020: "harbian-qa: State-based target directed fuzzer based on syzkaller"](https://github.com/hardenedlinux/harbian-qa/blob/master/syzkaller/design_inplementation_intro.md) [article] -[2020: "Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints"](https://www.usenix.org/system/files/sec20-song.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec20_slides_song.pdf)] +[2020: "Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints"](https://www.usenix.org/system/files/sec20-song.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec20_slides_song.pdf)] [[video](https://www.youtube.com/watch?v=Swo6jSkjviA)] [2020: "Using syzkaller, part 1: Fuzzing the Linux kernel" by Andre Almeida](https://www.collabora.com/news-and-blog/blog/2020/03/26/syzkaller-fuzzing-the-kernel/) [article] @@ -611,12 +641,13 @@ Pull requests are welcome. [2020: "Analyzing the Linux Kernel in Userland with AFL and KLEE"](https://blog.grimm-co.com/post/analyzing-the-linux-kernel-in-userland-with-afl-and-klee/) [article] +[2019: "perf fuzzer: Exposing Kernel Bugs by Detailed Fuzzing of a Specific System Call (2019 Update)" by Vincent M. Weaver and Dave Jones](perf fuzzer: Exposing Kernel Bugs by Detailed Fuzzing of a Specific System Call (2019 Update)) [paper] + [2019: "Industry Practice of Coverage-Guided Enterprise Linux Kernel Fuzzing"](http://wingtecher.com/themes/WingTecherResearch/assets/papers/fse19-linux-kernel.pdf) [paper] [2019: "Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers"](https://hal.inria.fr/hal-02182516/document) [paper] -[2019: "A gentle introduction to Linux Kernel fuzzing" by -Marek Majkowski](https://blog.cloudflare.com/a-gentle-introduction-to-linux-kernel-fuzzing/) [article] +[2019: "A gentle introduction to Linux Kernel fuzzing" by Marek Majkowski](https://blog.cloudflare.com/a-gentle-introduction-to-linux-kernel-fuzzing/) [article] [2019: "Unicorefuzz: On the Viability of Emulation for Kernelspace Fuzzing"](https://www.usenix.org/system/files/woot19-paper_maier.pdf) [paper] @@ -718,6 +749,8 @@ https://github.com/SunHao-0/healer https://github.com/atrosinenko/kbdysch +https://github.com/intel/kernel-fuzzer-for-xen-project + ## Exploits @@ -787,7 +820,7 @@ https://github.com/QuestEscape/exploit https://github.com/duasynt/xfrm_poc -https://github.com/snorez/exploits/blob/master/xfrm_poc_RE_challenge/lucky0_RE.c +https://github.com/snorez/exploits/ https://github.com/saelo/cve-2014-0038 @@ -799,6 +832,8 @@ https://github.com/c3r34lk1ll3r/CVE-2017-5123 https://haxx.in/blasty-vs-ebpf.c +https://github.com/scannells/exploits/tree/master/CVE-2020-27194 + ## Tools @@ -842,9 +877,19 @@ https://github.com/securesystemslab/agamotto https://github.com/duasynt/gdb_scripts/ +https://github.com/evdenis/cvehound + ## CTF Tasks +[github.com/smallkirby/kernelpwn](https://github.com/smallkirby/kernelpwn) + +[github.com/MaherAzzouzi/LinuxKernelExploitation](https://github.com/MaherAzzouzi/LinuxKernelExploitation) + +[github.com/AravGarg/kernel-hacking/ctf-challs](https://github.com/AravGarg/kernel-hacking/tree/master/ctf-challs) + +DiceCTF 2021 (HashBrown): [writeup](https://www.willsroot.io/2021/02/dicectf-2021-hashbrown-writeup-from.html) + BSidesTLV CTF 2020 (Kapara): [writeup and exploit](https://jctf.team/BSidesTLV-2020/Kapara/), [video writeup](https://media.handmade-seattle.com/linux-kernel-adventures/) HITCON CTF 2020 (spark): [source and exploit #1](https://github.com/david942j/ctf-writeups/tree/master/hitcon-2020/spark), [writeup and exploit #2](https://github.com/BrieflyX/ctf-pwns/tree/master/kernel/spark), [exploit #3](https://gist.github.com/sampritipanda/9fb8f1f92aef6591246e74ed5847c910) -- cgit v1.3