From 80d541e519e9f4b14394697259906b7a721b6dd5 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Thu, 5 Mar 2026 00:23:45 +0100 Subject: January/February updates --- README.md | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 62 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b11f826..987c458 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Exploitation +[2026: "DIRTYFREE: Simplified Data-Oriented Programming in the Linux Kernel"](https://leeyoochan.github.io/assets/pdf/DirtyFree_NDSS_2026.pdf) [paper] + +[2026: "Table Manners: Diving into Linux pagetables exp techniques" by Lau](https://github.com/Notselwyn/blogpost-files/blob/main/talk_pagetables.pdf) [slides] + +[2025: "BRIDGEROUTER: Automated Capability Upgrading of Out-Of-Bounds Write Vulnerabilities to Arbitrary Memory Write Primitives in the Linux Kernel"](https://www.youwei.site/papers/SP2025b.pdf) [paper] + [2025: "Extending Kernel Race Windows Using '/dev/shm'" by Faith](https://faith2dxy.xyz/2025-11-28/extending_race_window_fallocate/) [article] [2025: "System Register Hijacking: Compromising Kernel Integrity By Turning System Registers Against the System"](https://kylebot.net/papers/ret2entry.pdf) [paper] @@ -313,6 +319,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Protection Bypasses +[2026: "Revisiting Two-Shot Kernel Shellcode Execution From Control Flow Hijacking" by Jennifer Miller](https://blog.zolutal.io/two-shot-kernel-shellcode/) [article] + [2025: "Defeating KASLR by Doing Nothing at All" by Seth Jenkins](https://googleprojectzero.blogspot.com/2025/11/defeating-kaslr-by-doing-nothing-at-all.html) [article] [2025: "The Journey of Bypassing Ubuntu’s Unprivileged Namespace Restriction" by Pumpkin Chang](https://u1f383.github.io/linux/2025/06/26/the-journey-of-bypassing-ubuntus-unprivileged-namespace-restriction.html) [article] 
@@ -478,6 +486,16 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### LPE +[2026: "A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets"](https://blog.calif.io/p/a-race-within-a-race-exploiting-cve) [article] [CVE-2025-38617] + +[2026: "Linux Kernel net/sched CAKE Qdisc Use-After-Free LPE" by Noamr](https://ssd-disclosure.com/linux-kernel-net-sched-cake-qdisc-use-after-free-lpe/) [article] [CVE-UNKNOWN] + +[2026: "[Cryptodev-linux] Page-level UAF exploitation" by nasm](https://nasm.re/posts/cryptodev-linux-vuln/) [article] [NO-CVE] + +[2026: "A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave" by Seth Jenkins](https://projectzero.google/2026/01/pixel-0-click-part-2.html) [article] [CVE-2025-36934] + +[2026: "Translator/Mali Utgard Hacking"](https://luke-m.xyz/translator) [articles] [[exploits](https://github.com/lr-m/RIPMaliUtgard)] [CVE-UNKNOWN] + [2025: "A tale of challenging MTE: Rooting Google Pixel with kernel MTE enabled in one shot" by Yong Wang](https://github.com/ThomasKing2014/slides/blob/master/2025/poc2025.pdf) [slides] [CVE-UNKNOWN] [2025: "CVE-2025-38352 (Part 1) - In-the-wild Android Kernel Vulnerability Analysis + PoC" by Faith](https://faith2dxy.xyz/2025-12-22/cve_2025_38352_analysis/) [article] [CVE-2025-38352] 
@@ -488,7 +506,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2025: "Dangling pointers, fragile memory—from an undisclosed vulnerability to Pixel 9 Pro privilege escalation"](https://dawnslab.jd.com/Pixel_9_Pro_EoP/) [article] [CVE-2025-6349] [CVE-2025-8045] -[2025: "Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers" by Xingyu Jin and Martijn Bogaard](https://powerofcommunity.net/2025/slide/x-84592.pdf) [slides] [CVE-2024-44068] [CVE‑2025‑23244] [CVE-2025-8109] [CVE-2024-49739] +[2025: "Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers" by Xingyu Jin and Martijn Bogaard](https://powerofcommunity.net/2025/slide/x-84592.pdf) [slides] [[video](https://www.youtube.com/watch?v=yAUJFrPjfCI)] [CVE-2024-44068] [CVE‑2025‑23244] [CVE-2025-8109] [CVE-2024-49739] [2025: "Déjà Vu in Linux io_uring: Breaking Memory Sharing Again After Generations of Fixes" by Pumpkin Chang](https://u1f383.github.io/slides/talks/2025_Hexacon-Deja_Vu_in_Linux_io_uring_Breaking_Memory_Sharing_Again_After_Generations_of_Fixes.pdf) [slides] [[video](https://www.youtube.com/watch?v=Ry4eOgLCo90)] [CVE-2025-21836] 
@@ -1100,6 +1118,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Other +[2026: "TTLM Parsing in WiFi/mac8021 one‑byte look past (over-the-air)" by Ruikai Peng](https://bugs.pwno.io/0032) [article] [CVE-UNKNOWN] + +[2025: "Glitching Google's TV Streamer From Adb To Root" by Niek Timmers](https://hardwear.io/netherlands-2025/presentation/Glitching-Googles-TV-Streamer-from-adb-to-root.pdf) [slides] [[video](https://www.youtube.com/watch?v=-w5mpXTnNJA)] [NO-CVE] + [2025: "mediatek? more like media-rekt, amirite." by hypr](https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html) [article] [2025: "Dissecting a 1-Day Vulnerability in Linux's XFRM Subsystem" by Shreyas Penkar](https://streypaws.github.io/posts/Dissecting-a-1-Day-Vulnerability-in-Linux-XFRM-Subsystem/) [article] [CVE-2025-39965] [[trigger](https://github.com/Shreyas-Penkar/CVE-2025-39965)] @@ -1242,6 +1264,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2020: "The never ending problems of local ASLR holes in Linux"](https://blog.blazeinfosec.com/the-never-ending-problems-of-local-aslr-holes-in-linux/) [article] [CVE-2019-11190] +[2019: "Binder Secctx Patch Analysis" by Jean-Baptiste Cayrou](https://www.synacktiv.com/publications/binder-secctx-patch-analysis.html) [article] [CVE-2019-2023] + [2019: "Reverse-engineering Broadcom wireless chipsets" by Hugues Anguelkov](https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html) [article] [CVE-2019-9503, CVE-2019-9500] [2019: "CVE-2019-2000 - Android kernel binder vulnerability analysis"](https://xz.aliyun.com/t/4494) [article] [CVE-2019-2000] 
@@ -1261,6 +1285,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ## Finding Bugs +[2026: "Reproducing a syzbot Bug in 5 Minutes — Now with virtme-ng!" by Roman Storozhenko](https://fosdem.org/2026/events/attachments/99ULYW-repro-linux-kernel-bug-5-min-virtme-ng/slides/267615/syzboot_flzqxsg.pdf) [slides] [[video](https://fosdem.org/2026/schedule/event/99ULYW-repro-linux-kernel-bug-5-min-virtme-ng/)] + +[2025: "Head First Reporting of Linux Kernel CVEs: Practical Use of the Kernel Fuzzer" by Yunseong Kim](https://static.sched.com/hosted_files/sosscdjapan2024/7a/Head%20First%20Reporting%20of%20Linux%20Kernel%20CVEs%20-%20sosscj24.pdf) [slides] [[video](https://www.youtube.com/watch?v=DHpHvV7wYdA)] + [2025: "Build a Fake Phone, Find Real Bugs" by Romain Malmain](https://media.ccc.de/v/39c3-build-a-fake-phone-find-real-bugs-qualcomm-gpu-emulation-and-fuzzing-with-libafl-qemu) [video] [[code](https://github.com/rmalmain/39C3-build-a-fake-phone-find-real-bugs)] [2025: "A Modular Approach To Power Management Fuzzing"](https://lpc.events/event/19/contributions/2087/attachments/1897/4063/PM_USB_LPC_25.pdf) [slides] [[video](https://www.youtube.com/watch?v=TNMcqQsqgr4)] @@ -2015,6 +2043,8 @@ https://github.com/polygraphene/DirtyPipe-Android [CVE-2022-0847] https://github.com/SpiralBL0CK/CVE-2023-1206-CVE-2025-40040-CVE-2024-49882 +https://github.com/kuzeyardabulut/CVE-2024-0582 + ## Tools @@ -2064,6 +2094,8 @@ https://github.com/worthdoingbadly/hid-parser-harness https://github.com/lkl/linux/pull/564 +https://github.com/n132/slow-syzkall-locator [[article](https://n132.github.io/2025/12/20/Slow-Syzkalls-Locator.html)] + ### Assorted 
@@ -2147,6 +2179,14 @@ https://github.com/bcoles/rootkit-signal-hunter https://github.com/mellow-hype/mt7622-qemu-vm +https://github.com/angr/angrop/blob/master/examples/linux_escape_chain/solve.py + +https://github.com/quic/crash-plugins + +https://github.com/zolutal/kropr + +https://github.com/MatheuZSecurity/ksentinel + ## Practice @@ -2175,6 +2215,8 @@ https://github.com/mellow-hype/mt7622-qemu-vm HackTheBox (knote): [writeup](https://pwning.tech/knote/) +backdoor CTF 2025 (vibe-kode): [writeup](https://kqx.io/writeups/vibe_kode/) + WMCTF 2025 (wm_easyker): [writeup](https://blog.xmcve.com/2025/09/22/WMCTF2025-Writeup/#title-5) STAR Labs Summer Pwnables 2025 (paradox_engine): [writeup](https://u1f383.github.io/linux/2025/09/01/starlabs-summer-pwnables-linux-kernel-challenge-writeup.html) 
@@ -2199,16 +2241,22 @@ EuskalHack 2024 Gau-Hack: [writeup](https://gum3t.xyz/posts/a-gau-hack-from-eusk RWCTF 2024 (RIPTC): [source](https://github.com/chaitin/Real-World-CTF-6th-Challenges/tree/main/RIPTC), [writeup](https://aslr.io/2024/02/04/rwctf-6th-riptc-write-up/), [writeup 2](https://github.com/N1ghtu/RWCTF6th-RIPTC) +DownUnderCTF 2024 (Faulty Kernel): [writeup](https://n132.github.io/2024/07/18/Faulty-Kernel.html) + D^3CTF 2023 (d3kcache): [writeup](https://blog.arttnba3.cn/2023/05/02/CTF-0X08_D3CTF2023_D3KCACHE/), [source](https://github.com/arttnba3/D3CTF2023_d3kcache) Imaginary CTF 2023 (Windows of Opportunity): [writeup 1](https://francescolucarini.github.io/Windows-of-Opportunity/), [writeup 2](https://ctftime.org/writeup/37670) -corCTF 2023 (sysruption): [writeup](https://www.willsroot.io/2023/08/sysruption.html) +HITCON CTF 2023 (wall-rose): [writeup](https://n132.github.io/2024/09/29/rose.html) + +corCTF 2023 (sysruption): [writeup](https://www.willsroot.io/2023/08/sysruption.html), [writeup 2](https://n132.github.io/2024/09/28/sysruption.html) corCTF 2023 (zeroday, kcipher): [writeup](https://blog.libh0ps.so/2023/08/02/corCTF2023.html) corCTF 2023 (kcipher): [writeup](https://rockrid3r.github.io/2023/09/26/kcipher-writeup-corctf-2023.html) +corCTF 2022 (cache-of-castaways): [writeup](https://n132.github.io/2024/06/28/Castaways.html) + hxp CTF 2022 (one_byte): [writeup](https://hxp.io/blog/99/hxp-CTF-2022-one_byte-writeup/) BFS Ekoparty 2022 (blunder): [writeup](https://klecko.github.io/posts/bfs-ekoparty-2022/) 
@@ -2219,7 +2267,7 @@ zer0pts CTF 2022 (kRCE): [writeup](https://www.willsroot.io/2022/03/zer0pts-ctf- HITCON CTF 2022 (fourchain-kernel): [writeup and exploit](https://org.anize.rs/HITCON-2022/pwn/fourchain-kernel) -VULNCON CTF 2021 (IPS): [writeup](https://kileak.github.io/ctf/2021/vulncon-ips/), [writeup 2](https://blog.kylebot.net/2022/01/10/VULNCON-2021-IPS/) +VULNCON CTF 2021 (IPS): [writeup](https://kileak.github.io/ctf/2021/vulncon-ips/), [writeup 2](https://blog.kylebot.net/2022/01/10/VULNCON-2021-IPS/), [writeup 3](https://n132.github.io/2024/02/09/IPS.html), [writeup 4](https://n132.github.io/2024/02/28/IPS-Freelist.html) N1 CTF 2021 (baby-guess): [source](https://github.com/sajjadium/ctf-archives/tree/main/N1CTF/2021/pwn/baby_guess), [writeup](https://kileak.github.io/ctf/2021/n1ctf21-babyguess/) @@ -2233,7 +2281,7 @@ Midnightsun Quals 2021 (BroHammer): [writeup](https://www.willsroot.io/2021/04/m corCTF 2021 (fire-of-salvation): [source](https://github.com/Crusaders-of-Rust/corCTF-2021-public-challenge-archive/tree/main/pwn/fire-of-salvation), [writeup](https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html) -corCTF 2021 (wall-of-perdition): [source](https://github.com/Crusaders-of-Rust/corCTF-2021-public-challenge-archive/tree/main/pwn/wall-of-perdition), [writeup](https://syst3mfailure.io/wall-of-perdition) +corCTF 2021 (wall-of-perdition): [source](https://github.com/Crusaders-of-Rust/corCTF-2021-public-challenge-archive/tree/main/pwn/wall-of-perdition), [writeup](https://syst3mfailure.io/wall-of-perdition), [writeup 2](https://n132.github.io/2024/05/27/Wall-of-Perdition.html) Google CTF 2021 (pwn-fullchain): [source](https://github.com/google/google-ctf/tree/master/2021/quals/pwn-fullchain), [writeup](https://ptr-yudai.hatenablog.com/entry/2021/07/26/225308) 
@@ -2386,6 +2434,14 @@ https://github.com/0xor0ne/awesome-list/ ## Misc +[2026: "Hiding from the Panic Button: Singularity SysRq Hook" by MatheuZ](https://blog.kyntra.io/Hiding-from-the-Panic-Button-Singularity-SysRq-Hook) [article] + +[2026: "Breaking eBPF Security: How Kernel Rootkits Blind Observability Tools" by MatheuZ](https://matheuzsecurity.github.io/hacking/ebpf-security-tools-hacking/) [article] + +[2026: "Crushing Pwn2Own & H1 with Kernel Driver Exploits"](https://www.youtube.com/watch?v=pcAdNDK-lrs) [video] + +[2025: "The Joys of Linux Kernel ROP Gadget Scanning" by Jennifer Miller](https://blog.zolutal.io/joys-of-kernel-rop/) [article] + [2025: "Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit" by MatheuZSec](https://blog.kyntra.io/Singularity-A-final-boss-linux-kernel-rootkit) [article] [2025: "Exploiting a 13-years old bug on QEMU"](https://kqx.io/post/qemu-nday/) [article] @@ -2496,6 +2552,8 @@ https://github.com/0xor0ne/awesome-list/ [2020: "Android / Linux SLUB aliasing for general- and special-purpose caches" by Vitaly Nikolenko](https://www.youtube.com/watch?v=5-eRsA0l8Pg) [video] +[2018: "Binder transactions in the bowels of the Linux Kernel" by Jean-Baptiste Cayrou](https://www.synacktiv.com/en/publications/binder-transactions-in-the-bowels-of-the-linux-kernel) [article] + [grsecurity CVE-Dataset](https://docs.google.com/spreadsheets/u/0/d/1JO43UfT7Vjun9ytSWNdI17xmnzZMg19Tii-rKw94Rvw/htmlview#gid=0) [spreadsheet] [Syzkaller Coverage Dashboard](https://lookerstudio.google.com/reporting/41ae4a20-9826-4f7f-be14-a934a04686fe/page/4EOpD) -- cgit v1.3
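
Review bot: in the LPE hunk (@@ -478,6 +486,16 @@), the link text of the nasm entry starts with a literal bracket pair, `[2026: "[Cryptodev-linux] Page-level UAF exploitation" by nasm](...)`; CommonMark accepts balanced brackets inside link text, but not every Markdown renderer does, so escaping them as `\[Cryptodev-linux\]` would keep the link rendering reliably.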
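
Review bot: in the Dirty Ptrace hunk (@@ -488,7 +506,7 @@), the tag `[CVE‑2025‑23244]` on both the removed and the added line appears to use non-ASCII hyphen characters (they render differently from the adjacent `[CVE-2024-44068]`); since this line is being rewritten to add the video link anyway, normalizing the id to plain `CVE-2025-23244` would make it match text search and grep for the CVE.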
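
Review bot: in the Other hunk (@@ -1100,6 +1118,10 @@), the title `"TTLM Parsing in WiFi/mac8021 one‑byte look past (over-the-air)"` looks mistyped: the Linux subsystem is spelled mac80211, and the hyphen in `one‑byte` seems to be a non-ASCII character while `over-the-air` on the same line uses a plain one; worth checking against the linked page and correcting unless the original title really reads this way.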
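
Review bot: in the Finding Bugs hunk (@@ -1261,6 +1285,10 @@), the "Head First Reporting of Linux Kernel CVEs" entry is tagged 2025, but its slides URL contains `sosscdjapan2024` and the file name ends in `sosscj24.pdf`, which suggests the talk is from 2024; please verify the year and, if it is 2024, move the entry down into the 2024 group so the chronological ordering of the section holds.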
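
Review bot: in the exploits hunk (@@ -2015,6 +2043,8 @@), the new line `https://github.com/kuzeyardabulut/CVE-2024-0582` carries no CVE tag, whereas the nearby `https://github.com/polygraphene/DirtyPipe-Android [CVE-2022-0847]` entry does; appending `[CVE-2024-0582]` would keep the tagging consistent and make the id searchable in the same way as the other tagged entries.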