From 5e83aa512c646cd1db21032743401818b64ab8f5 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Sun, 5 Jan 2025 02:02:10 +0100 Subject: November/December updates --- README.md | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 85 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d58570c..ccca064 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Exploitation +[2025: "Cross Cache Attack CheetSheet" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/03/cross-cache-attack-cheatsheet.html) [article] + +[2024: "Linux Kernel Use Pipe Object to Do Data-Only Attack" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/16/linux-kernel-use-pipe-object-to-do-data-only-attack.html) [article] + +[2024: "CTF-style Tricks of Linux Kernel Exploitation" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/04/ctf-style-tricks-of-linux-kernel-exploitation-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2024/08/07/ctf-style-tricks-of-linux-kernel-exploitation-part-2.html)] + +[2024: "Linux Kernel exploitation cheatsheet" by Pumpkin Chang](https://u1f383.github.io/cheatsheet/1970/01/01/welcome-to-jekyll.html) [article] + [2024: "SLUB Internals for Exploit Developers" by Andrey Konovalov](https://static.sched.com/hosted_files/lsseu2024/37/2024%2C%20LSS%20EU_%20SLUB%20Internals%20for%20Exploit%20Developers.pdf) [slides] [[video](https://www.youtube.com/watch?v=XulsBDV4n3w)] [2024: "SCAVY: Automated Discovery of Memory Corruption Targets in Linux Kernel for Privilege Escalation"](https://www.usenix.org/system/files/usenixsecurity24-avllazagaj.pdf) [paper] @@ -287,6 +295,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2024: "SELinux bypasses"](https://klecko.github.io/posts/selinux-bypasses/) [article] +[2024: "Page-Oriented Programming: Subverting Control-Flow Integrity of Commodity Operating System Kernels with Non-Writable Code Pages" by Seunghun Han et al.](https://www.usenix.org/system/files/usenixsecurity24-han-seunghun.pdf) [paper] [[slides](https://www.usenix.org/system/files/usenixsecurity24_slides-han-seunghun.pdf)] [[video](https://www.youtube.com/watch?v=wSMByLg-ibs)] + [2024: "Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels" by Lukas Maar et. al](https://www.usenix.org/system/files/usenixsecurity24-maar-defects.pdf) [paper] [[artifacts](https://www.usenix.org/system/files/usenixsecurity24-appendix-maar-defects.pdf)] [2024: "Leaking Host KASLR from Guest VMs Using Tagged TLB" by Reno Robert](https://pagedout.institute/download/PagedOut_004_beta1.pdf#page=58) [article] @@ -375,6 +385,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Info-leaks +[2025: "KernelSnitch: Side-Channel Attacks on Kernel Data Structures" by Lukas Maar et al.](https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf) [paper] + +[2024: "Linux vDSO & VVAR" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/11/linux-vdso-and-vvar.html) [article] [CVE-2023-23586] + +[2024: "CPU Speculation Vulnerabilities And Mitigations in the Linux Kernel" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/09/cpu-speculation-vulnerabilities-and-mitigations-in-the-linux-kernel.html) [article] [Spectre V1] [Spectre V2] + +[2024: "Linux Kernel Meltdown Mitigation Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/01/linux-kernel-meltdown-mitigation-analysis.html) [article] [Meltdown] + [2024: "Out of the kernel, into the tokens" by Max Ammann and Emilio Lopez](https://blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/) [article] [2023: "The code that wasn’t there: Reading memory on an Android device by accident" by Man Yue Mo](https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-an-android-device-by-accident/) [article] [CVE-2022-25664] @@ -424,9 +442,19 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### LPE -[2024: "Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel" by Pedro Pinto](https://www.figma.com/deck/GyXCgKKy6rMuY7NVZtInjY/Unleadhing-a-Oday---Osec?node-id=13-225) [slides] [CVE-2024-41010] +[2024: "The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit" by Seth Jenkins](https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html) [article] [CVE-2024-38402] [CVE-2024-21455] [CVE-2024-33060] [CVE-2024-49848] [CVE-2024-43047] + +[2024: "OtterRoot: Netfilter Universal Root 1-day" by Pedro Pinto](https://osec.io/blog/2024-11-25-netfilter-universal-root-1-day) [article] [CVE-2024-26809] + +[2024: "How I use a novel approach to exploit a limited OOB on Ubuntu at Pwn2Own Vancouver 2024" by Pumpkin Chang](https://u1f383.github.io/slides/talks/2024_POC-How_I_use_a_novel_approach_to_exploit_a_limited_OOB_on_Ubuntu_at_Pwn2Own_Vancouver_2024.pdf) [slides] [CVE-UNKNOWN] -[2024: "Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel" by Mingi Cho and Wongi Lee](https://www.hexacon.fr/slides/Cho_Lee-Utilizing_Cross-CPU_Allocation_to_Exploit_Preempt-Disabled_Linux_Kernel.pdf) [slides] [CVE-2023-31248] [CVE-2024-36978] +[2024: "GPUAF - Two ways of Rooting All Qualcomm based Android phones" by Pan Zhenpeng and Jheng Bing Jhong](https://powerofcommunity.net/poc2024/Pan%20Zhenpeng%20&%20Jheng%20Bing%20Jhong,%20GPUAF%20-%20Two%20ways%20of%20rooting%20All%20Qualcomm%20based%20Android%20phones.pdf) [slides] [CVE-2024-23380] [CVE-2024-23373] + +[2024: "Breaking through the cage: Get Android universal root by B-PUAF" by Lu Yutao and Ling Hanqin](https://powerofcommunity.net/poc2024/Hanqin%20Ling%20&%20Yutao%20Lu,%20Breaking%20through%20the%20cage%20-%20Get%20Android%20Universal%20Root%20by%20B-PUAF.pdf) [slides] [CVE-2024-46740] + +[2024: "Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel" by Pedro Pinto](https://www.figma.com/deck/GyXCgKKy6rMuY7NVZtInjY/Unleadhing-a-Oday---Osec?node-id=13-225) [slides] [[video](https://www.youtube.com/watch?v=bxJhlwGjwWQ)] [CVE-2024-41010] + +[2024: "Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel" by Mingi Cho and Wongi Lee](https://www.hexacon.fr/slides/Cho_Lee-Utilizing_Cross-CPU_Allocation_to_Exploit_Preempt-Disabled_Linux_Kernel.pdf) [slides] [CVE-2023-31248] [[video](https://www.youtube.com/watch?v=dUdU0lp35xU)] [CVE-2024-36978] [2024: "1day vuln dev: DirtyCOW"](https://www.youtube.com/watch?v=lQOiH-43zOc) [video] [CVE-2016-5195] @@ -440,7 +468,9 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2024: "CVE-2022-22265 Samsung npu driver" by Javier P Rufo](https://soez.github.io/posts/CVE-2022-22265-Samsung-npu-driver/) [article] [CVE-2022-22265] -[2024: "The Way to Android Root: Exploiting Your GPU On Smartphone" by Xiling Gong, Xuan Xing, and Eugene Rodionov](https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24-Gong-The-Way-to-Android-Root-Wednesday.pdf) [slides] [CVE-2024-23380] +[2024: "The Way to Android Root: Exploiting Your GPU On Smartphone" by Xiling Gong, Xuan Xing, and Eugene Rodionov](https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24-Gong-The-Way-to-Android-Root-Wednesday.pdf) [slides] [[video](https://www.youtube.com/watch?v=BN07rjaNqXk)] [CVE-2024-23380] + +[2024: "Clash, Burn, and Exploit: Manipulate Filters to Pwn kernelCTF" by HexRabbit](https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20HexRabbit%20Chen%20-%20Clash%2C%20Burn%2C%20and%20Exploit%20-%20Manipulate%20Filters%20to%20Pwn%20kernelCTF.pdf) [slides] [[video](https://www.youtube.com/watch?v=_1DTkkaNqfM)] [CVE-2024-26925] [2024: "A deep dive into CVE-2023-2163: How we found and fixed an eBPF Linux Kernel Vulnerability" by Juan Jose Lopez Jaimez and Meador Inge](https://bughunters.google.com/blog/6303226026131456/a-deep-dive-into-cve-2023-2163-how-we-found-and-fixed-an-ebpf-linux-kernel-vulnerability) [article] [CVE-2023-2163] @@ -942,6 +972,28 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Other +[2025: "Some Casual Notes for CVE-2024-26921" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/04/some-casual-notes-for-cve-2024-26921.html) [article] [CVE-2024-26921] + +[2024: "Linux Kernel ICMPv6 & CVE-2023-6200" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/04/linux-kernel-icmpv6-and-cve-2023-6200.html) [article] [CVE-2023-6200] + +[2024: "Linux Kernel Perf CVE-2023-5717 Quick Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/17/linux-kernel-perf-cve-2023-5717-quick-analysis.html) [article] [CVE-2023-5717] + +[2024: "A Quick Note for Perf CVE-2024-46713" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/15/a-quick-note-for-perf-cve-2024-46713.html) [article] [CVE-2024-46713] + +[2024: "Linux Kernel Perf CVE-2023-6931 Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/14/linux-kernel-perf-cve-2023-6931-analysis.html) [article] [CVE-2023-6931] + +[2024: "Linux Kernel Vsock 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/11/12/linux-kernel-vsock-1-day-analysis.html) [article] [CVE-UNKNOWN] + +[2024: "Three Linux net/sched 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/09/05/three-linux-net_sched-1-day-analysis.html) [article] [CVE-2024-36974] [CVE-2023-0590] + +[2024: "Two Linux net/sched 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/31/two-linux-net_sched-1-day-analysis.html) [article] [CVE-2024-36978] + +[2024: "CVE-2024-41010 - Linux net/sched UAF 1-day Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2024/07/29/cve-2024-41010-linux-net_sched-uaf-1-day-analysis.html) [article] [CVE-2024-41010] + +[2024: "Linux eBPF Design and Vulnerability Case Study" by Pumpkin Chang](https://u1f383.github.io/linux/2024/07/12/linux-eBPF-design-and-vulnerability-case-study-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2024/07/20/linux-eBPF-design-and-vulnerability-case-study-part-2.html)] [CVE-2024-41009] [CVE-2022-23222] [CVE-2023-52447] + +[2024: "Linux Kernel: TOCTOU in Exec System" by Marco Vanotti](https://github.com/google/security-research/security/advisories/GHSA-c45w-xwww-rfgg) [article] [CVE-2024-43882] + [2024: "CVE-2024-26926 Analysis" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernel-nday/blob/main/CVE-2024-26926/CVE_2024_26926_Analysis.pdf) [article] [CVE-2024-26926] [2024: "CVE-2024-44068: Samsung m2m1shot_scaler0 device driver page use-after-free in Android"](https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2024/CVE-2024-44068.html) [article] [CVE-2024-44068] @@ -1031,6 +1083,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ## Finding Bugs +[2024: "CountDown: Refcount-guided Fuzzing for Exposing Temporal Memory Errors in Linux Kernel" by Shuangpeng Bai et al.](https://huhong789.github.io/papers/bai:countdown.pdf) [paper] + +[2024: "A Little Goes a Long Way: Tuning Configuration Selection for Continuous Kernel Fuzzing" by Sanan Hasanov et al.](https://paulgazzillo.com/papers/icse25.pdf) [paper] + +[2024: "Hunting Bugs in Linux Kernel With KASAN: How to Use it & What's the Benefit?" by Slava Moskvin](https://slavamoskvin.com/hunting-bugs-in-linux-kernel-with-kasan-how-to-use-it-whats-the-benefit/) [article] + +[2024: "Finding Bugs in Kernel" by Slava Moskvin](https://slavamoskvin.com/finding-bugs-in-kernel.-part-1-crashing-a-vulnerable-driver-with-syzkaller/) [article] [[part 2](https://slavamoskvin.com/finding-bugs-in-kernel.-part-2-fuzzing-the-actual-kernel/)] + +[2024: "OZZ: Identifying Kernel Out-of-Order Concurrency Bugs with In-Vivo Memory Access Reordering" by Dae R. Jeong et al.](https://dl.acm.org/doi/pdf/10.1145/3694715.3695944) [paper] + +[2024: "Fuzzing the EBPF Subsystem" by Zac Ecob](https://www.youtube.com/watch?v=bww1HkBiYpA) [video] + [2024: "Head First Reporting of Linux Kernel CVEs: Practical Use of the Kernel Fuzzer" by Yunseong Kim](https://static.sched.com/hosted_files/sosscdjapan2024/7a/Head%20First%20Reporting%20of%20Linux%20Kernel%20CVEs%20-%20sosscj24.pdf) [slides] [2024: "Finding Bugs in Kernel. Part 1: Crashing a Vulnerable Driver with Syzkaller" by Vyacheslav Moskvin](https://www.linkedin.com/pulse/finding-bugs-kernel-part-1-crashing-vulnerable-driver-moskvin-4vwje/) [article] @@ -1332,6 +1396,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map) +[2024: "Diving into Linux kernel security" by Alexander Popov](https://a13xp0p0v.github.io/img/Alexander_Popov-H2HC-2024.pdf) [slides] + +[2024: "A Decade of Low-hanging Fruit in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2024/bsidespdx/decade.pdf) [slides] + +[2024: "An adventure with formal verification of Linux kernel code" by Julia Lawall](https://drive.google.com/file/d/1EWDPz9vUZF7qjk-f8fCP7lUMu4iSfstz/view) [slides] [[video](https://www.youtube.com/watch?v=n1Wqz1pQsY0)] + [2024: "Diving into the kernel mitigations" by Breno Leitao](https://www.youtube.com/watch?v=srPeMl9FZI8) [video] [2024: "Security Features status update" by Kees Cook](https://lpc.events/event/18/contributions/1920/attachments/1547/3228/Security%20Features%20status%20update.pdf) [slides] [[video](https://www.youtube.com/watch?v=68PZz_9cPms)] @@ -2014,6 +2084,18 @@ https://github.com/0xor0ne/awesome-list/ ## Misc +[2025: "Linux KASLR Entropy" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/02/linux-kaslr-entropy.html) [article] + +[2024: "Approaches to determining the attack surface for fuzzing the Linux kernel" by Pavel Teplyuk and Aleksey Yakunin](https://www.e3s-conferences.org/articles/e3sconf/pdf/2024/61/e3sconf_uesf2024_03005.pdf) [paper] + +[2024: "The Feasibility of Using Hardware Breakpoints To Extend the Race Window" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/29/the-feasibility-of-using-hardware-breakpoints-to-extend-the-race-window.html) [article] + +[2024: "Linux Kernel Heap Spraying Over A Network Connection" by Pumpkin Chang](https://u1f383.github.io/linux/2024/06/20/linux-kernel-heap-spraying-over-a-network-connection.html) [article] + +[2024: "Dashing Kernel Exploitation" by Eduardo Vela and Jordy Zomer](https://github.com/google/security-research/blob/master/analysis/kernel/slides/Dashing%20Kernel%20Exploitation-H2HC-2024.pdf) [slides] [[code](https://github.com/google/security-research/tree/master/analysis/kernel/dashboard)] + +[2024: "Linux Kernel Attack Surface: beyond IOCTL. DMA-BUF" by Slava Moskvin](https://slavamoskvin.com/linux-kernel-attack-surface-beyond-ioctl.-dma-buf/) [article] + [2024: "More Bang for Your Bug!" by Eduardo Vela and Space Meyer](https://docs.google.com/presentation/d/163DiKhThCTEb4Udv9FWfBQOiDtOXQHiCZ61pE-srBOw/present) [slides] [[video](https://www.youtube.com/watch?v=S0Wzy0Knw0M)] [2024: "Linux Kernel CVEs, What Has Caused So Many to Suddenly Show Up?" by Greg Kroah-Hartman](https://git.sr.ht/~gregkh/presentation-security/blob/main/security-stuff.pdf) [slides] [[video](https://www.youtube.com/watch?v=Rg_VPMT0XXw)] -- cgit v1.3