From 70fe788174bc67b7b742bbbf929297d9b6748353 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Mon, 9 Sep 2024 19:57:25 +0200 Subject: July/August updates --- README.md | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 82 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6ec5d57..f39fd67 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Exploitation +[2024: "PageJack: A Powerful Exploit Technique With Page-Level UAF" by Zhiyun Qian et. al](https://i.blackhat.com/BH-US-24/Presentations/US24-Qian-PageJack-A-Powerful-Exploit-Technique-With-Page-Level-UAF-Thursday.pdf) [slides] [[code](https://github.com/Lotuhu/Page-UAF)] [[summary](https://phrack.org/issues/71/13.html#article)] + +[2024: "SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel" by Lukas Maar et. al](https://stefangast.eu/papers/slubstick.pdf) [paper] + +[2024: "Linux Kernel Exploitation - ret2usr" by Sascha Schirra](https://scoding.de/linux-kernel-exploitation-buffer_overflow) [article] + [2024: "Binary Exploitation Notes: Kernel" by Andrej Ljubic](https://ir0nstone.gitbook.io/notes/types/kernel) [articles] [2024: "Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation"](https://arxiv.org/pdf/2406.02624) [paper] 
@@ -62,6 +68,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2024: "Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems"](https://arxiv.org/pdf/2401.17618.pdf) [paper] +[2023: "Deep-Kernel Treasure Hunt: Finding exploitable structures in the Linux kernel" by Yudai Fujiwara](https://codeblue.jp/2023/result/pdf/cb23-deep-kernel-treasure-hunt-finding-exploitable-structures-in-the-linux-kernel-by-yudai-fujiwara.pdf) [slides] [[video](https://www.youtube.com/watch?v=mamm_23fHD4)] + [2023: "D^ 3CTF2023 d3kcache: From null-byte cross-cache overflow to infinite arbitrary read & write."](https://blog.arttnba3.cn/2023/05/02/CTF-0X08_D3CTF2023_D3KCACHE/) [article] [2023: "No Tux Given: Diving Into Contemporary Linux Kernel Exploitation" by sam4k](https://sam4k.com/content/files/2024/01/no_tux_given.pdf) [slides] @@ -273,6 +281,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Protection Bypasses +[2024: "Leaking Host KASLR from Guest VMs Using Tagged TLB" by Reno Robert](https://pagedout.institute/download/PagedOut_004_beta1.pdf#page=58) [article] + [2024: "TikTag: Breaking ARM's Memory Tagging Extension with Speculative Execution" by Juhee Kim et al.](https://arxiv.org/pdf/2406.08719) [paper] [[code](https://github.com/compsec-snu/tiktag)] [2023: "Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation"](https://download.vusec.net/papers/slam_sp24.pdf) [paper] 
@@ -406,6 +416,30 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### LPE +[2024: "Google: Security Research: CVE-2024-26581](https://github.com/google/security-research/tree/master/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs) [article] [CVE-2024-26581] + +[2024: "Race conditions in Linux Kernel perf events"](https://binarygecko.com/race-conditions-in-linux-kernel-perf-events/) [[code](https://github.com/Binary-Gecko/perf_PoC)] [CVE-UNKNOWN] + +[2024: "CVE-2020-27786 (Race Condition + Use-After-Free)" by ii4gsp](https://ii4gsp.github.io/cve-2020-27786/) [article] [CVE-2020-27786] + +[2024: "GPUAF Using a general GPU exploit tech to attack Pixel8" by Pan Zhenpeng and Jheng Bing Jhong](https://www.youtube.com/watch?v=Mw6iCqjOV9Q) [video] [CVE-UNKNOWN] + +[2024: "Linux Kernel taprio OOB"](https://ssd-disclosure.com/ssd-advisory-linux-kernel-taprio-oob/) [article] [CVE-2024-36974] + +[2024: "CVE-2022-22265 Samsung npu driver" by Javier P Rufo](https://soez.github.io/posts/CVE-2022-22265-Samsung-npu-driver/) [article] [CVE-2022-22265] + +[2024: "The Way to Android Root: Exploiting Your GPU On Smartphone" by Xiling Gong, Xuan Xing, and Eugene Rodionov](https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24-Gong-The-Way-to-Android-Root-Wednesday.pdf) [slides] [CVE-2024-23380] + +[2024: "A deep dive into CVE-2023-2163: How we found and fixed an eBPF Linux Kernel Vulnerability" by Juan Jose Lopez Jaimez and Meador Inge](https://bughunters.google.com/blog/6303226026131456/a-deep-dive-into-cve-2023-2163-how-we-found-and-fixed-an-ebpf-linux-kernel-vulnerability) [article] [CVE-2023-2163] + +[2024: "Vulnerability in the eBPF verifier register limit tracking" by Juan Jose Lopez Jaimez](https://github.com/google/security-research/security/advisories/GHSA-hfqc-63c7-rj9f) [CVE-2024-41003] + +[2024: "Android Binder Attack Matrix" by Utkarsh](https://utkarshcodes.medium.com/android-binder-attack-matrix-introduction-450d31d1d951) [article] +[[part 
2](https://utkarshcodes.medium.com/android-binder-attack-matrix-cve-2023-20938-cve-2023-21255-uaf-details-article-1-4cc2eb3919f9)] +[[part 3](https://utkarshcodes.medium.com/android-binder-attack-matrix-exploitation-of-cve-2023-20938-article-2-6215160e3373)] +[[part 4](https://utkarshcodes.medium.com/android-binder-attack-matrix-fuzzing-binder-with-linux-kernel-library-lkl-article-3-62e931161eb5)] +[[part 5](https://utkarshcodes.medium.com/android-binder-attack-matrix-results-conclusion-d7143057408f)] + [2024: "Driving forward in Android drivers" by Seth Jenkins](https://googleprojectzero.blogspot.com/2024/06/driving-forward-in-android-drivers.html) [article] [[video](https://archive.org/details/shmoocon2024/Shmoocon2024-SethJenkins-Driving_Forward_in_Android_Drivers.mp4)] [CVE-2023-32837] [CVE-2023-32832] [2024: "Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938" by Eugene Rodionov, Zi Fan Tan, and Gulshan Singh](https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/) [article] [CVE-2023-20938] 
@@ -414,7 +448,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2024: "Linux Kernel nft_validate_register_store Integer Overflow Privilege Escalation"](https://ssd-disclosure.com/ssd-advisory-linux-kernel-nft_validate_register_store-integer-overflow-privilege-escalation/) [article] [CVE-UNKNOWN] -[2024: "Game of Cross Cache: Let's win it in a more effective way!" by Le Wu](https://i.blackhat.com/Asia-24/Presentations/Asia-24-Wu-Game-of-Cross-Cache.pdf) [slides] [CVE-2023-21400] +[2024: "Game of Cross Cache: Let's win it in a more effective way!" by Le Wu](https://i.blackhat.com/Asia-24/Presentations/Asia-24-Wu-Game-of-Cross-Cache.pdf) [slides] [[video](https://www.youtube.com/watch?v=em9qgHm3uIk)] [CVE-2023-21400] [2024: "LinkDoor: A Hidden Attack Surface in the Android Netlink Kernel Modules" by Chao Ma et al.](https://i.blackhat.com/Asia-24/Presentations/Asia-24-Ma-LinkDoor-A-Hidden-Attack.pdf) [slides] [CVE-2023-32878] [CVE-2023-32882] @@ -877,6 +911,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### RCE +[2024: "Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap" by Robert Herrera and Alex Plaskett](https://www.nccgroup.com/media/uzbp3ttw/bhus24_sonos_whitepaper.pdf) [article] [[slides](https://i.blackhat.com/BH-US-24/Presentations/US-24-Herrera-Listen-Up-Sonos-Over-The-Air-Exploitation-and-Covert-Wiretap-Thursday.pdf)] [CVE-2023-50809] [CVE-2024-20018] + [2023: "Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution" by Guillaume Teissier and Quentin Minster](https://www.youtube.com/watch?v=XT6jLBbzwFM) [video] [CVE-2022-47943] [CVE-2023-2593] [2022: "Writing a Linux Kernel Remote in 2022" by Samuel Page](https://blog.immunityinc.com/p/writing-a-linux-kernel-remote-in-2022/) [article] [[slides](https://conference.hitb.org/hitbsecconf2022sin/materials/D1T1%20-%20Erybody%20Gettin%20TIPC%20-%20Demystifying%20Remote%20Linux%20Kernel%20Exploitation%20-%20Sam%20Page.pdf)] [CVE-2022-0435] 
@@ -898,6 +934,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Other +[2024: "Deep Dive into RCU Race Condition: Analysis of TCP-AO UAF (CVE-2024–27394)"](https://blog.theori.io/deep-dive-into-rcu-race-condition-analysis-of-tcp-ao-uaf-cve-2024-27394-f40508b84c42) [article] [CVE-2024–27394] + +[2024: "ZDI-24-821: A Remote UAF in The Kernel's net/tipc" by Sam Page](https://sam4k.com/zdi-24-821-a-remote-use-after-free-in-the-kernels-net-tipc/) [article] [ZDI-24-821] [CVE-2024-36886] + [2024: "Race condition in 9p file system"](https://r00tkitsmm.github.io/fuzzing/2024/05/29/Race-into-9p.html) [article] [2024: "Notes about ZDI-24-195 in ksmbd"](https://twitter.com/Shiftreduce/status/1773385937893896206) [thread] [ZDI-24-195] @@ -979,6 +1019,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ## Finding Bugs +[2024: "StateFuzz: System Call-Based State-Aware Linux Driver Fuzzing" by Bodong Zhao et. al](https://github.com/vul337/StateFuzz/blob/main/statefuzz.pdf) [paper] [[code](https://github.com/vul337/StateFuzz)] + +[2024: "BRF: eBPF Runtime Fuzzer" by Hsin-Wei Hung and Ardalan Amiri Sani](https://arxiv.org/pdf/2305.08782) [paper] + [2024: "So You Wanna Find Bugs In The Linux Kernel?" by Sam Page](https://github.com/sam4k/talk-slides/blob/main/so_you_wanna_find_bugs_in_the_linux_kernel.pdf) [slides] [2024: "A bug hunter's reflections on fuzzing" by Alexander Popov](https://a13xp0p0v.github.io/img/Alexander_Popov-Reflections_on_Fuzzing.pdf) [slides] [[video](https://www.youtube.com/watch?v=wTbFmdx7wG8)] 
@@ -997,6 +1041,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2024: "SyzRetrospector: A Large-Scale Retrospective Study of Syzbot"](https://arxiv.org/pdf/2401.11642.pdf) [paper] +[2023: "ReUSB: Replay-Guided USB Driver Fuzzing" by Jisoo Jang, Minsuk Kang, and Dokyung Song](https://www.usenix.org/system/files/usenixsecurity23-jang.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec23_slides_jang-jisoo.pdf)] [[video](https://www.youtube.com/watch?v=DjD2-gbuXBo)] + [2023: "KernelGPT: Enhanced Kernel Fuzzing via Large Language Models"](https://arxiv.org/pdf/2401.00563.pdf) [paper] [2023: "SyzDirect: Directed Greybox Fuzzing for Linux Kernel"](https://yuanxzhang.github.io/paper/syzdirect-ccs23.pdf) [paper] @@ -1256,6 +1302,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map) +[2024: "Reducing Maintenance Burden by Bending C" by Mathias Krause](https://grsecurity.net/reducing_maintenance_burden_by_bending_c) [article] + +[2024: "BeeBox: Hardening BPF against Transient Execution Attacks" by Di Jin, Alexander J. Gaidis, and Vasileios P. Kemerlis](https://cs.brown.edu/~vpk/papers/beebox.sec24.pdf) [paper] [[code](https://gitlab.com/brown-ssl/beebox)] + +[2024: "Validating the eBPF Verifier via State Embedding" by Hao Sun and Zhendong Su](https://www.usenix.org/system/files/osdi24-sun-hao.pdf) [paper] + +[2024: "Beyond the Edges of Kernel Control-Flow Hijacking Protection with HEK-CFI" by Lukas Maar et. al](https://dl.acm.org/doi/pdf/10.1145/3634737.3661135) [paper] + [2024: "On Kernel's Safety in the Spectre Era (And KASLR is Formally Dead)" by Davide Davoli et al.](https://arxiv.org/pdf/2406.07278) [paper] [2024: "Challenges and innovations towards safer flexible arrays in the Linux Kernel" by Gustavo A. R. Silva](https://embeddedor.com/slides/2024/llc/llc2024.pdf) [slides] 
@@ -1447,6 +1501,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [Project Zero bug reports](https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=linux%20kernel&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&cells=ids&sort=-id) +[Google kernelCTF writeups and exploits](https://github.com/google/security-research/tree/master/pocs/linux/kernelctf) + https://github.com/bsauce/kernel-exploit-factory https://www.exploit-db.com/search/?action=search&description=linux+kernel @@ -1567,6 +1623,10 @@ https://github.com/roddux/germy https://github.com/renorobert/tagbleedvmm +https://github.com/roddux/ixode + +https://github.com/b17fr13nds/kernel-exploits + ## Tools @@ -1610,6 +1670,8 @@ https://github.com/google/buzzer https://github.com/h0mbre/Lucid +https://github.com/b17fr13nds/lxfuzz [[notes](https://b17fr13nds.github.io/posts/kernel_fuzzer_lxfuzz/)] + ### Assorted @@ -1683,6 +1745,7 @@ https://github.com/gsingh93/linux-exploit-dev-env https://github.com/NUS-Curiosity/KernJC + ## Practice ### Workshops 
@@ -1702,8 +1765,16 @@ https://github.com/NUS-Curiosity/KernJC [github.com/AravGarg/kernel-hacking/ctf-challs](https://github.com/AravGarg/kernel-hacking/tree/master/ctf-challs) +[FrancescoLucarini/Linux-Kernel-CTF-exploits](https://github.com/FrancescoLucarini/Linux-Kernel-CTF-exploits) + +[mephi42/ctf](https://github.com/mephi42/ctf) + HackTheBox (knote): [writeup](https://pwning.tech/knote/) +HITCON CTF QUAL 2024 (Halloween): [writeup](https://u1f383.github.io/ctf/2024/07/16/hitcon-ctf-qual-2024-pwn-challenge-part-1-halloween-and-v8sbx.html) + +EuskalHack 2024 Gau-Hack: [writeup](https://gum3t.xyz/posts/a-gau-hack-from-euskalhack/) + RWCTF 2024 (RIPTC): [source](https://github.com/chaitin/Real-World-CTF-6th-Challenges/tree/main/RIPTC), [writeup](https://aslr.io/2024/02/04/rwctf-6th-riptc-write-up/), [writeup 2](https://github.com/N1ghtu/RWCTF6th-RIPTC) D^3CTF 2023 (d3kcache): [writeup](https://blog.arttnba3.cn/2023/05/02/CTF-0X08_D3CTF2023_D3KCACHE/), [source](https://github.com/arttnba3/D3CTF2023_d3kcache) @@ -1889,6 +1960,14 @@ https://github.com/0xor0ne/awesome-list/ ## Misc +[2024: "Love and hate - The cyber tale between fuzzer and exploits in Linux kernel" by Zou Xiaochen](https://www.youtube.com/watch?v=cDcMlMH-XjU) [video] + +[2024: "Reflections on RANDSTRUCT in GrapheneOS" by Julien Voisin](https://dustri.org/b/reflections-on-randstruct-in-grapheneos.html) [article] + +[2024: "Linux Kernel Security Process or Why are there so many kernel CVEs now?” by Greg Kroah-Hartman](https://static.sched.com/hosted_files/kccncossaidevchn2024/17/security-stuff.pdf) [slides] + +[2024: "Who opened this big hole in the Linux kernel?"](https://mp.weixin.qq.com/s/Sr4qIy-AdLhpkus6q1su9w) [article] + [2024: "KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities"](https://arxiv.org/pdf/2404.11107) [paper] [2024: "silent syscall hooking on arm64 linux via patching svc handler"](https://tmpout.sh/3/23.html) [article] 
@@ -1984,3 +2063,5 @@ https://twitter.com/sirdarckcat/status/1681924752800366592 https://github.com/hardenedvault/ved-ebpf https://github.com/thebabush/linux-russian-roulette + +https://kspp.github.io/ -- cgit v1.3
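Review bot: the PageJack and SLUBStick entries in the Exploitation hunk (@@ -52) write "et. al", while the rest of the file uses "et al." (see "Juhee Kim et al.", "Chao Ma et al.", "Davide Davoli et al."); change them to `by Zhiyun Qian et al.` and `by Lukas Maar et al.`. The HEK-CFI entry in the @@ -1256 hunk has the same spelling and should be fixed the same way.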
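Review bot: the "Leaking Host KASLR from Guest VMs Using Tagged TLB" entry in the Protection Bypasses hunk (@@ -273) links to `PagedOut_004_beta1.pdf#page=58`; a beta build of the issue is likely to be replaced, and the page offset to shift, once the final PDF is published, so the link should be revisited or pointed at a stable location when one exists.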
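Review bot: the first entry in the LPE hunk (@@ -406) is missing the closing quote in its link text: `[2024: "Google: Security Research: CVE-2024-26581](...)` should read `[2024: "Google: Security Research: CVE-2024-26581"](...)`. In the same hunk, the "Race conditions in Linux Kernel perf events" entry and the "Vulnerability in the eBPF verifier register limit tracking" entry carry no type tag, unlike every other entry ([article], [paper], [slides], [video]); add the appropriate one. The "Android Binder Attack Matrix" entry also spreads its part links over five lines, whereas the file keeps each entry on a single line; markdown joins them into one paragraph, but one line matches the surrounding style.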
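Review bot: the CVE tag on the TCP-AO UAF entry in the Other hunk (@@ -898) uses an en dash, `[CVE-2024–27394]`, which will not match a search for the ASCII identifier and differs from every other tag in the file; change it to `[CVE-2024-27394]`. The quoted title may keep the dash as the post spells it, but the tag should use a plain hyphen.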
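Review bot: the BRF entry in the Finding Bugs hunk (@@ -979) is dated 2024, but its arXiv identifier `2305.08782` places the preprint in May 2023; confirm which date the file intends (elsewhere the year follows the original publication, e.g. SyzRetrospector with `2401.11642` is listed as 2024) and adjust if needed. The StateFuzz entry in the same hunk writes "et. al" and should be "et al." like the rest of the file.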
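Review bot: the blank line inserted before `## Practice` in the @@ -1683 hunk leaves two blank lines where the rest of the file separates sections with one; drop the added line.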
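Review bot: the EuskalHack entry in the Practice hunk (@@ -1702) is written `EuskalHack 2024 Gau-Hack: [writeup]`, while the neighbouring entries put the challenge name in parentheses (`HITCON CTF QUAL 2024 (Halloween)`, `RWCTF 2024 (RIPTC)`); use `EuskalHack 2024 (Gau-Hack): [writeup](...)`.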
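Review bot: the Greg Kroah-Hartman entry in the Misc hunk (@@ -1889) opens its title with a straight quote and closes it with a curly one (`"Linux Kernel Security Process or Why are there so many kernel CVEs now?” by Greg Kroah-Hartman`); make both straight quotes to match the other entries.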