From 52104bc60aa98b665db4ac03055aab190d191b1e Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Fri, 10 Aug 2018 20:39:44 +0200 Subject: Update README.md --- README.md | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 57a66ea..b8278e3 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,8 @@ Pull requests are welcome. [2018: "Still Hammerable and Exploitable: on the Effectiveness of Software-only Physical Kernel Isolation"](https://arxiv.org/pdf/1802.07060.pdf) [paper] +[2018: "linux kernel pwn notes"](http://blog.hac425.top/2018/04/29/linux_kernel_pwn_notes.html) [article] + [2017: "KERNELFAULT: Pwning Linux using Hardware Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.youtube.com/watch?v=nqF_IjXg_uM) [video] [2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.riscure.com/uploads/2017/10/escalating-privileges-in-linux-using-fi-presentation-fdtc-2017.pdf) [slides] @@ -38,6 +40,8 @@ Pull requests are welcome. [2017: "Breaking KASLR with perf" by Lizzie Dixon](https://blog.lizzie.io/kaslr-and-perf.html) [article] +[2017: "Linux kernel exploit cheetsheet"](https://github.com/verctor/MyNotes/blob/master/linux/linux_kernel_exploit_cheetsheet.md) [article] + [2016: "Getting Physical Extreme abuse of Intel based Paging Systems" by Nicolas Economou and Enrique Nissim](https://www.coresecurity.com/system/files/publications/2016/05/CSW2016%20-%20Getting%20Physical%20-%20Extended%20Version.pdf) [slides] [2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko](https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-1)/) [article] @@ -97,7 +101,7 @@ Pull requests are welcome. [2005: "The story of exploiting kmalloc() overflows"](https://argp.github.io/public/kmalloc_exploitation.pdf) [article] -## Writeups +## Vulnerabilities ### Information leak 
@@ -122,6 +126,10 @@ Pull requests are welcome. [2018: "eBPF and Analysis of the get-rekt-linux-hardened.c Exploit for CVE-2017-16995"](https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html) [article, CVE-2017-16695] +[2017: "Linux kernel: CVE-2017-1000112: Exploitable memory corruption due to UFO to non-UFO path switch" by Andrey Konovalov](http://seclists.org/oss-sec/2017/q3/286) [announcement, CVE-2017-1000112] + +[2017: "Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112" by Krishs Patil](https://securingtomorrow.mcafee.com/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/) [article, CVE-2017-1000112] + [2017: "Adapting the POC for CVE-2017-1000112 to Other Kernels"](https://ricklarabee.blogspot.de/2017/12/adapting-poc-for-cve-2017-1000112-to.html) [article, CVE-2017-1000112] [2017: "The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel" by Di Shen](https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel) [slides, CVE-2017-0403, CVE-2016-6787] @@ -132,6 +140,8 @@ Pull requests are welcome. [2017: "Escaping Docker container using waitid() – CVE-2017-5123" by Daniel Shapira](https://www.twistlock.com/2017/12/27/escaping-docker-container-using-waitid-cve-2017-5123/) [article, CVE-2017-5123] +[2017: "LKE v4.13.x - waitid() LPE" by HyeongChan Kim](http://kozistr.tech/2017/10/29/LKE-CVE-2017-5123.html) [article, CVE-2017-5123] + [2017: "Exploiting on CVE-2016-6787"](https://hardenedlinux.github.io/system-security/2017/10/16/Exploiting-on-CVE-2016-6787.html) [article, CVE-2016-6787] [2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov](https://www.youtube.com/watch?v=g7Qm0NpPAz4) [video, CVE-2017-2636] 
@@ -278,6 +288,8 @@ Pull requests are welcome. [2016: "Motorola Android Bootloader Kernel Cmdline Injection Secure Boot Bypass"](https://alephsecurity.com/vulns/aleph-2017011) [article, CVE-2016-10277] +[2015: "Vulnerability in the Linux Crypto API that allows unprivileged users to load arbitrary kernel modules" by Mathias Krause](https://plus.google.com/+MathiasKrause/posts/PqFCo4bfrWu) [annnouncement] + ## Protection bypass techniques @@ -322,6 +334,10 @@ Pull requests are welcome. [2018, Linux Conf AU: "The State of Kernel Self Protection" by Kees Cook](https://outflux.net/slides/2018/lca/kspp.pdf) [slides] +[2017: "kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse"](https://cs.brown.edu/~vpk/papers/krx.eurosys17.pdf) [paper] + +[2017, Linux Piter: "How STACKLEAK improves Linux kernel security" by Alexander Popov](https://linuxpiter.com/system/attachments/files/000/001/376/original/Alexander_Popov_LinuxPiter2017.pdf) [slides] + [2017, HitB: "Shadow-Box: The Practical and Omnipotent Sandbox" by Seunghun Han](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Seunghun%20Han%20-%20Shadow-Box%20-%20The%20Practical%20and%20Omnipotent%20Sandbox.pdf) [slides] [2017: "Towards Linux Kernel Memory Safety"](https://arxiv.org/pdf/1710.06175.pdf) [whitepaper] 
@@ -361,6 +377,10 @@ Pull requests are welcome. ## Vulnerability discovery +2018: "From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities" [slides](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities.pdf) [whitepaper](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities-wp.pdf) + +[2018: "MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation"](http://www.cs.columbia.edu/~suman/docs/moonshine.pdf) [paper] + [2018: "Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking" by Mateusz Jurczyk](https://j00ru.vexillium.org/papers/2018/bochspwn_reloaded.pdf) [whitepaper] [2018, BlackHat: "New Compat Vulnerabilities In Linux Device Drivers"](https://www.blackhat.com/docs/asia-18/asia-18-Ding-New-Compat-Vulnerabilities-In-Linux-Device-Drivers.pdf) [slides] @@ -369,6 +389,8 @@ Pull requests are welcome. [2018, OffensiveCon: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko](https://www.youtube.com/watch?v=mpfKN1URqdQ) [video] +[2017: "KernelMemorySanitizer (KMSAN)" by Alexander Potapenko](https://blog.linuxplumbersconf.org/2017/ocw/system/presentations/4825/original/KMSAN%20presentation%20for%20LPC%202017.pdf) [slides] + [2017: "The android vulnerability discovery in SoC" by Yu Pan and Yang Dai](http://powerofcommunity.net/poc2017/yu.pdf) [slides] [2017, Black Hat USA: "Evolutionary Kernel Fuzzing" by Richard Johnson](https://moflow.org/Presentations/Evolutionary%20Kernel%20Fuzzing-BH2017-rjohnson-FINAL.pdf) [slides] 
@@ -385,6 +407,12 @@ Pull requests are welcome. [2017, USENIX: "DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers"](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-machiry.pdf) [whitepaper] +[2016: "Using Static Checking To Find Security Vulnerabilities In The Linux Kernel" by Vaishali Thakkar](http://events17.linuxfoundation.org/sites/events/files/slides/Using%20static%20checking%20to%20find%20security%20vulnerabilities%20in%20the%20Linux%20Kernel.pdf) [slides] + +[2016: "UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages"](https://gts3.org/assets/papers/2016/lu:unisan.pdf) [paper] + +[2016: "An Analysis on the Impact and Detection of Kernel Stack Infoleaks"](https://www.researchgate.net/publication/298313650_An_Analysis_on_the_Impact_and_Detection_of_Kernel_Stack_Infoleaks) [paper] + [2016, Linux Plumbers: "Syzkaller, Future Developement" by Dmitry Vyukov](https://docs.google.com/presentation/d/1iAuTvzt_xvDzS2misXwlYko_VDvpvCmDevMOq2rXIcA/edit#slide=id.p) [slides] [2016: "Coverage-guided kernel fuzzing with syzkaller"](https://lwn.net/Articles/677764/) [article] @@ -467,6 +495,14 @@ https://github.com/brl/grlh https://github.com/externalist/exploit_playground +https://github.com/ww9210/Linux_kernel_exploits + +https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack + +https://github.com/yzimhao/godpock + +https://github.com/packetforger/localroot + ## Practice @@ -551,3 +587,5 @@ https://github.com/01org/jit-spray-poc-for-ksp https://forums.grsecurity.net/viewforum.php?f=7 https://grsecurity.net/research.php + +https://github.com/yrp604/atc-sources -- cgit v1.3
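Review bot: In the hunk at @@ -38,6 +40,8 @@, the added title reads "Linux kernel exploit cheetsheet"; the misspelling matches the filename in the URL (linux_kernel_exploit_cheetsheet.md), so it is presumably copied from the source, but if the list normalises titles it should read "cheatsheet". Like the "linux kernel pwn notes" entry in the first hunk, it also names no author, unlike the neighbouring entries ("by Lizzie Dixon").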
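Review bot: In the hunk at @@ -97,7 +101,7 @@, renaming "## Writeups" to "## Vulnerabilities" changes the heading's generated anchor (#writeups becomes #vulnerabilities), so any table of contents or external link pointing at the old anchor silently breaks; check the README for a TOC entry and update it in the same commit. The commit message "Update README.md" also gives no hint that a section was renamed rather than links appended, which is worth a line of explanation.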
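Review bot: In the hunk at @@ -122,6 +126,10 @@, the unchanged context line directly above the additions tags the eBPF entry as "[article, CVE-2017-16695]" while its title says CVE-2017-16995; the tag looks like a digit transposition and is worth fixing while this region is being edited. The two new CVE-2017-1000112 entries are consistent with the list format, though the seclists link uses plain http where the rest of the hunk uses https.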
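Review bot: In the hunk at @@ -278,6 +288,8 @@, the tag on the new Mathias Krause entry is spelled "[annnouncement]" (three n's); the CVE-2017-1000112 entry added earlier in this patch uses "[announcement]", so this one should match.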
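Review bot: In the hunk at @@ -361,6 +377,10 @@, the first added line breaks the list's link format: every other entry wraps the whole "year: title" string in one link followed by a bracketed type tag, whereas this one leaves the title as plain text and appends two separate [slides](...) and [whitepaper](...) links. Either split it into two entries in the standard form or choose one link as the primary; the entry also lacks the venue prefix the list uses for Black Hat material ("2018, BlackHat:" appears two lines below in the same hunk) even though both URLs are under i.blackhat.com/us-18.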
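Review bot: In the hunk at @@ -369,6 +389,8 @@, the KMSAN entry could carry the venue prefix the list already uses elsewhere ("2016, Linux Plumbers:" appears in the context of the following hunk), since the slides are hosted at blog.linuxplumbersconf.org and the filename itself says "KMSAN presentation for LPC 2017".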
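Review bot: In the hunk at @@ -385,6 +407,12 @@, the context line right after the three additions still reads "Syzkaller, Future Developement"; correcting it to "Development" while touching this region is cheap. The UniSan and kernel stack infoleak papers are added without authors, which is inconsistent with "by Vaishali Thakkar" on the line immediately above them; if the authors are not known, the existing convention elsewhere in the list of leaving them off is at least worth applying deliberately rather than by omission.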