From 50a2069ad60db578ff24828dd821b19ccbddcdeb Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Tue, 27 Jan 2026 00:06:11 +0100 Subject: November/December updates --- README.md | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 66 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 185901c..a4c9503 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Exploitation +[2025: "Extending Kernel Race Windows Using '/dev/shm'" by Faith](https://faith2dxy.xyz/2025-11-28/extending_race_window_fallocate/) [article] + [2025: "System Register Hijacking: Compromising Kernel Integrity By Turning System Registers Against the System"](https://kylebot.net/papers/ret2entry.pdf) [paper] [2025: "Linux Kernel Exploitation for Beginners" by Kevin Massey](https://rvasec.com/slides/2025/Massey_Linux_Kernel_Exploitation_For_Beginners.pdf) [slides] [[video](https://www.youtube.com/watch?v=YfjHCt4SzQc)] @@ -415,6 +417,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Info-leaks +[2025: "Vulnerabilities in the /proc Component of the CAN BCM Protocol in the Linux kernel" by Anderson Nascimento](https://allelesecurity.com/wp-content/uploads/2025/12/Presentation_307.pdf) [slides] [CVE-2023-52922] [CVE-2025-38003] [CVE-2025-38004] + [2025: "Use-after-free in CAN BCM subsystem leading to information disclosure (CVE-2023-52922)"](https://allelesecurity.com/use-after-free-vulnerability-in-can-bcm-subsystem-leading-to-information-disclosure-cve-2023-52922/) [article] [CVE-2023-52922] [2025: "KernelSnitch: Side-Channel Attacks on Kernel Data Structures" by Lukas Maar et al.](https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf) [paper] [[slides](https://i.blackhat.com/Asia-25/Asia-25-Maar-KernelSnitch.pdf)] 
@@ -474,6 +478,26 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### LPE +[2025: "A tale of challenging MTE: Rooting Google Pixel with kernel MTE enabled in one shot" by Yong Wang](https://github.com/ThomasKing2014/slides/blob/master/2025/poc2025.pdf) [slides] [CVE-UNKNOWN] + +[2025: "CVE-2025-38352 (Part 1) - In-the-wild Android Kernel Vulnerability Analysis + PoC" by Faith](https://faith2dxy.xyz/2025-12-22/cve_2025_38352_analysis/) [article] [CVE-2025-38352] + +[2025: "CVE-2025-38352 (Part 2) - Extending The Race Window Without a Kernel Patch" by Faith](https://faith2dxy.xyz/2025-12-24/cve_2025_38352_analysis_part_2/) [article] [CVE-2025-38352] + +[2025: "CVE-2025-38352 (Part 3) - Uncovering Chronomaly" by Faith](https://faith2dxy.xyz/2026-01-03/cve_2025_38352_analysis_part_3/) [article] [exploit](https://github.com/farazsth98/chronomaly) [CVE-2025-38352] + +[2025: "Dangling pointers, fragile memory—from an undisclosed vulnerability to Pixel 9 Pro privilege escalation"](https://dawnslab.jd.com/Pixel_9_Pro_EoP/) [article] [CVE-2025-6349] [CVE-2025-8045] + +[2025: "Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers" by Xingyu Jin and Martijn Bogaard](https://powerofcommunity.net/2025/slide/x-84592.pdf) [slides] [CVE-2024-44068] [CVE‑2025‑23244] [CVE-2025-8109] [CVE-2024-49739] + +[2025: "Déjà Vu in Linux io_uring: Breaking Memory Sharing Again After Generations of Fixes" by Pumpkin Chang](https://u1f383.github.io/slides/talks/2025_Hexacon-Deja_Vu_in_Linux_io_uring_Breaking_Memory_Sharing_Again_After_Generations_of_Fixes.pdf) [slides] [[video](https://www.youtube.com/watch?v=Ry4eOgLCo90)] [CVE-2025-21836] + +[2025: "CUDA de Grâce" by Valentina Palmiotti and Samuel Lovejoy](https://docs.google.com/presentation/d/1FgfURpMyHhnflGWtxeq8ClPPaB5ZDCzT/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=Lvz2_ZHj3lo)] [CVE-UNKNOWN] + +[2025: "An RbTree Family Drama: Exploiting a Linux Kernel 0-day Through Red-Black Tree 
Transformations" by Savino Dicanosa and William Liu](https://storage.googleapis.com/static.cor.team/assets/rbtree_family_drama_hexacon_2025.pdf) [slides] [[video](https://www.youtube.com/watch?v=C-52Gwmce3w)] [CVE-2025-38001] + +[2025: "Race Condition Symphony: From Tiny Idea to Pwnie" by Hyunwoo Kim and Wongi Lee](https://powerofcommunity.net/2025/slide/h-3938a.pdf) [slides] [CVE-2024-50264] + [2025: "Exploiting CVE-2025-21479 on a Samsung S23" by XploitBengineer](https://xploitbengineer.github.io/CVE-2025-21479) [article] [CVE-2025-21479] [2025: "LPE via refcount imbalance in the af_unix of Ubuntu's Kernel" by kylebot](https://ssd-disclosure.com/lpe-via-refcount-imbalance-in-the-af_unix-of-ubuntus-kernel/) [article] [CVE-UNKNOWN] @@ -520,7 +544,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2025: "Kernel-Hack-Drill: Environment For Developing Linux Kernel Exploits" by Alexander Popov](https://a13xp0p0v.github.io/img/Alexander_Popov-Kernel_Hack_Drill-Zer0Con.pdf) [slides] [CVE-2024-50264] -[2025: "Linux kernel hfsplus slab-out-of-bounds Write" by Attila Szasz](https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/) [article] [CVE-2025-0927] +[2025: "Linux kernel hfsplus slab-out-of-bounds Write" by Attila Szasz](https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/) [article] [slides](https://drive.google.com/file/d/1Z_0jgLpGmcC3VO-jGxR-vwAAc9F9Ovcu/view) [CVE-2025-0927] [2025: "CVE-2024-53141: an OOB Write Vulnerability in Netfiler Ipset" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/07/cve-2024-53141-an-oob-write-vulnerability-in-netfilter-ipset.html) [article] [CVE-2024-53141] 
@@ -656,6 +680,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2023: "CVE-2023-0386 analysis and exploitation" by chenaotian](https://github.com/chenaotian/CVE-2023-0386) [article] [CVE-2023-0386] +[2022: "How we use Dirty Pipe to get reverse root shell on Android Emulator and Pixel 6" by LiN and YingMuo](https://hitcon.org/2022/slides/How%20we%20use%20Dirty%20Pipe%20to%20get%20reverse%20root%20shell%20on%20Android%20Emulator%20and%20Pixel%206.pdf) [slides] [[video](https://www.youtube.com/watch?v=gyku4QyV5eM)] [CVE-2022-0847] + [2022: "Linux kernel io_uring module pbuf_ring vulnerability and privilege escalation 0day"](https://dawnslab.jd.com/linux-5.19-rc2_pbuf_ring_0day/) [article [CVE-UNKNOWN] [2022: "CVE-2022-1015: A validation flaw in Netfilter leading to Local Privilege Escalation" by Yordan Stoychev](https://anatomic.rip/cve-2022-1015/) [article] [CVE-2022-1015] @@ -738,6 +764,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2022: "Linux Kernel PWN | 02 CVE-2009-1897"](https://blog.wohin.me/posts/linux-kernel-pwn-02/) [article] [CVE-2009-1897] +[2021: "Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities"](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Typhoon-Mangkhut-One-Click-Remote-Universal-Root-Formed-With-Two-Vulnerabilities.pdf) [slides] [[video](https://www.youtube.com/watch?v=a1vyt6iWmS4)] [CVE-2020-0423] + +[2021: "Analysis and Exploitation of CVE-2021-28664 for Android Privilege Escalation" by Bernard Lampe](https://www.bernardlampe.com/pub/Grayshift-CVE-2021-28664.pdf) [slides] [CVE-2021-28664] + [2021: "Your Trash Kernel Bug, My Precious 0-day" by Zhenpeng Lin](https://zplin.me/talks/BHEU21_trash_kernel_bug.pdf) [slides] [CVE-2021-3715] [2021: "[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver"](https://syst3mfailure.io/sixpack-slab-out-of-bounds) [article] [CVE-2021-42008] 
@@ -1070,6 +1100,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Other +[2025: "mediatek? more like media-rekt, amirite." by hypr](https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html) [article] + [2025: "Dissecting a 1-Day Vulnerability in Linux's XFRM Subsystem" by Shreyas Penkar](https://streypaws.github.io/posts/Dissecting-a-1-Day-Vulnerability-in-Linux-XFRM-Subsystem/) [article] [CVE-2025-39965] [[trigger](https://github.com/Shreyas-Penkar/CVE-2025-39965)] [2025: "A Quick Note on CVE-2025-38617" by Pumpkin Chang](https://u1f383.github.io/linux/2025/08/27/a-quick-note-on-CVE-2025-38617.html) [article] [CVE-2025-38617] 
@@ -1229,6 +1261,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ## Finding Bugs +[2025: "Build a Fake Phone, Find Real Bugs" by Romain Malmain](https://media.ccc.de/v/39c3-build-a-fake-phone-find-real-bugs-qualcomm-gpu-emulation-and-fuzzing-with-libafl-qemu) [video] [[code](https://github.com/rmalmain/39C3-build-a-fake-phone-find-real-bugs)] + +[2025: "A Modular Approach To Power Management Fuzzing"](https://lpc.events/event/19/contributions/2087/attachments/1897/4063/PM_USB_LPC_25.pdf) [slides] [[video](https://www.youtube.com/watch?v=TNMcqQsqgr4)] + +[2025: "KFuzzTest: Targeted Fuzzing of Internal Kernel Functions" by Ethan Graham](https://lpc.events/event/19/contributions/2196/attachments/1929/4123/KFuzzTest%20LPC%2012.12.2025.pdf) [slides] [[video](https://www.youtube.com/watch?v=B7plrw_5w4Q)] + +[2025: "SYZOS: Practical KVM fuzzing" by Alexander Potapenko](https://lpc.events/event/19/contributions/2217/attachments/1889/4069/SYZOS%20for%20LPC%202025.pdf) [slides] [[video](https://www.youtube.com/watch?v=sY27jwn9bLY)] + +[2025: "DNAFuzz: Descriptor-Aware Fuzzing for USB Drivers"](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/DNAFuzz_Camera_Ready.pdf) [paper] + +[2025: "Slice: SAST + LLM Interprocedural Context Extractor" by Caleb Gross](https://noperator.dev/posts/slice/) [article] + [2025: "KNighter: Transforming Static Analysis with LLM-Synthesized Checkers"](https://arxiv.org/pdf/2503.09002) [paper] [[code](https://github.com/ise-uiuc/KNighter)] [2025: "SyzSpec: Specification Generation for Linux Kernel Fuzzing via Under-Constrained Symbolic Execution"](https://www.cs.ucr.edu/~zhiyunq/pub/ccs25_syzspec.pdf) [paper] 
@@ -1656,6 +1700,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2024: "Notes on the 'slab: Introduce dedicated bucket allocator' series" by Julien Voisin](https://dustri.org/b/notes-on-the-slab-introduce-dedicated-bucket-allocator-series.html) [article] +[2023: "Modern LInux Kernel Mitigations" by Ray Veldkamp and Matthew Kurz](https://www.youtube.com/watch?v=kNCtWCcixsU) [video] + +[2023: "An abridged history of Linux kernel hardening" by Russell Currey](https://www.youtube.com/watch?v=n7oUA2b15P8) [video] + [2023: "Exploring Linux's New Random Kmalloc Caches" by sam4k](https://sam4k.com/exploring-linux-random-kmalloc-caches/) [article] [2023: "Toolchain security features status update"](https://outflux.net/slides/2023/lpc/features.pdf) [slides] [[video](https://www.youtube.com/watch?v=OEFFqhP5sts)] @@ -1963,6 +2011,10 @@ https://github.com/zhuowei/cheese https://github.com/FreeXR/eureka_panther-adreno-gpu-exploit-1 [CVE-2025-21479] +https://github.com/polygraphene/DirtyPipe-Android [CVE-2022-0847] + +https://github.com/SpiralBL0CK/CVE-2023-1206-CVE-2025-40040-CVE-2024-49882 + ## Tools @@ -2093,6 +2145,8 @@ https://github.com/kzall0c/vock [[demo video](https://www.youtube.com/watch?v=Qv https://github.com/bcoles/rootkit-signal-hunter +https://github.com/mellow-hype/mt7622-qemu-vm + ## Practice @@ -2125,7 +2179,7 @@ WMCTF 2025 (wm_easyker): [writeup](https://blog.xmcve.com/2025/09/22/WMCTF2025-W STAR Labs Summer Pwnables 2025 (paradox_engine): [writeup](https://u1f383.github.io/linux/2025/09/01/starlabs-summer-pwnables-linux-kernel-challenge-writeup.html) -BlackHat MEA 2025 Quals: [writeup](https://ptr-yudai.hatenablog.com/entry/2025/09/14/180326) +BlackHat MEA 2025 Quals (Kinc): [writeup1](https://ptr-yudai.hatenablog.com/entry/2025/09/14/180326), [writeup 2](https://blog.bushwhackers.ru/blackhat-mea-ctf-qualification-kinc/) corCTF 2025 (corphone): [writeup](https://u1f383.github.io/android/2025/09/08/corCTF-2025-corphone.html) 
@@ -2135,6 +2189,8 @@ TsukuCTF 2025 (easy_kernel, xcache, new_era): [writeup](https://iwancof.github.i LACTF 2025 (messenger): [writeup](https://terawhiz.github.io/2025/2/oob-write-to-page-uaf-lactf-2025/) +AVSS 2024 Final: [writeups](https://blog.xmcve.com/2024/10/25/AVSS-2024-Final-Writeup) + crewCTF 2024 (kUlele): [writeup](https://n132.github.io/2024/08/14/kUlele.html) HITCON CTF QUAL 2024 (Halloween): [writeup](https://u1f383.github.io/ctf/2024/07/16/hitcon-ctf-qual-2024-pwn-challenge-part-1-halloween-and-v8sbx.html) @@ -2330,6 +2386,12 @@ https://github.com/0xor0ne/awesome-list/ ## Misc +[2025: "Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit" by MatheuZSec](https://blog.kyntra.io/Singularity-A-final-boss-linux-kernel-rootkit) [article] + +[2025: "Exploiting a 13-years old bug on QEMU"](https://kqx.io/post/qemu-nday/) [article] + +[2025: "LinkPro: eBPF rootkit analysis" by Théo Letailleur](https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis) [article] + [2025: "The anatomy of a bug: 6 Months at STAR Labs" by Gerrard Tai](https://gerrardtai.com/anatomy-of-a-bug) [article] [2025: "Qualcomm DSP Kernel Internals" by Shreyas Penkar](https://streypaws.github.io/posts/DSP-Kernel-Internals/) [article] 
@@ -2358,6 +2420,8 @@ https://github.com/0xor0ne/awesome-list/ [2025: "Linux KASLR Entropy" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/02/linux-kaslr-entropy.html) [article] +[2024: "Binder Internals"](https://androidoffsec.withgoogle.com/posts/binder-internals/) [article] + [2024: "Linternals: Exploring The mm Subsystem via mmap" by Samuel Page](https://sam4k.com/linternals-exploring-the-mm-subsystem-part-1/) [article] [[part 2](https://sam4k.com/linternals-exploring-the-mm-subsystem-part-2/)] [2024: "Approaches to determining the attack surface for fuzzing the Linux kernel" by Pavel Teplyuk and Aleksey Yakunin](https://www.e3s-conferences.org/articles/e3sconf/pdf/2024/61/e3sconf_uesf2024_03005.pdf) [paper] -- cgit v1.3
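Review bot: in the LPE hunk (`@@ -474,6 +478,26 @@`), the "Dirty Ptrace" entry tags `[CVE‑2025‑23244]` with non-ASCII hyphens (U+2011) instead of plain `-`, so a `grep CVE-2025-23244` over the README will miss it; retype it as `[CVE-2025-23244]` to match the other three tags on that line. Two smaller points in the same hunk: the Part 3 Chronomaly entry links `[exploit](https://github.com/farazsth98/chronomaly)` without the outer brackets the list uses for secondary links (`[[video](...)]`, `[[trigger](...)]`), so `[[exploit](...)]` would be consistent; and that entry is keyed `2025:` while its URL carries the date `2026-01-03`, so check which year the list wants it filed under.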
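Review bot: in the hfsplus hunk (`@@ -520,7 +544,7 @@`), the added `[slides](https://drive.google.com/...)` link uses single brackets, whereas every other entry with a secondary link writes it as `[[slides](...)]`; use the double-bracket form so the rendered entry matches its neighbours.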
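Review bot: in the `@@ -656,6 +680,8 @@` hunk, the unchanged context line directly below the new Dirty Pipe entry reads `[article [CVE-UNKNOWN]` with an unclosed bracket; since this region is being touched anyway, it is worth fixing to `[article] [CVE-UNKNOWN]` in the same change.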
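Review bot: in the "Other" hunk (`@@ -1070,6 +1100,8 @@`), the new "mediatek? more like media-rekt, amirite." entry carries no CVE tag, while the surrounding entries in this section do; if the bug has no identifier, the list's convention elsewhere is to append `[CVE-UNKNOWN]` rather than omit the tag.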
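Review bot: in the "Finding Bugs" hunk (`@@ -1229,6 +1261,18 @@`), the DNAFuzz paper is linked over plain `http://` while every other link in the hunk is `https://`; check whether the host serves the PDF over TLS and, if so, switch the scheme so readers do not fetch a paper over cleartext.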
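Review bot: in the mitigations hunk (`@@ -1656,6 +1700,10 @@`), the title "Modern LInux Kernel Mitigations" has a capital I in "LInux"; if that is a typo introduced here rather than the exact title of the talk, correct it to "Linux".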
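Review bot: in the exploits-repo hunk (`@@ -1963,6 +2011,10 @@`), the `SpiralBL0CK/CVE-2023-1206-CVE-2025-40040-CVE-2024-49882` line has no bracketed CVE tags, whereas the neighbouring lines (`DirtyPipe-Android [CVE-2022-0847]`, `eureka_panther-adreno-gpu-exploit-1 [CVE-2025-21479]`) do; append `[CVE-2023-1206] [CVE-2025-40040] [CVE-2024-49882]` so the entry is findable by identifier like the rest of the section.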
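Review bot: in the practice hunk (`@@ -2125,7 +2179,7 @@`), the rewritten BlackHat MEA 2025 Quals line labels its two links `[writeup1]` and `[writeup 2]`, one without a space and one with; pick one form (`writeup 1`, `writeup 2`) so the two labels read as a pair.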