From 97121099c5c6b47f99620674ea2691e2d4beff96 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Sun, 4 Jul 2021 19:41:56 +0200 Subject: May/June updates --- README.md | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 25314a2..3fb2d7b 100644 --- a/README.md +++ b/README.md @@ -217,6 +217,8 @@ Pull requests are welcome. ### Info-leaks +[2021: "Linux Kernel /proc/pid/syscall information disclosure vulnerability"](https://talosintelligence.com/vulnerability_reports/TALOS-2020-1211) [article] [CVE-2020-28588] + [2021: "Spectre exploits in the "wild""](https://dustri.org/b/spectre-exploits-in-the-wild.html) [article] [2021: "VDSO As A Potential KASLR Oracle" by Philip Pettersson and Alex Radocea](https://www.longterm.io/vdso_sidechannel.html) [article] @@ -248,6 +250,14 @@ Pull requests are welcome. ### LPE +[2021: "CVE-2021-20226 a reference counting bug which leads to local privilege escalation in io_uring"](https://flattsecurity.medium.com/cve-2021-20226-a-reference-counting-bug-which-leads-to-local-privilege-escalation-in-io-uring-e946bd69177a) [article] [CVE-2021–20226] + +[2021: "CVE-2021-32606: CAN ISOTP local privilege escalation"](https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md) [article] [CVE-2021-32606] + +[2021: "CVE-2021-3609: CAN BCM local privilege escalation"](https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3609.md) [article] [[announcement](https://www.openwall.com/lists/oss-security/2021/06/19/1)] [CVE-2021-3609] + +[2021: "SSD Advisory – OverlayFS PE"](https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/) [article] [CVE-2021-3493] + [2021: "[BugTales] A Nerve-Racking Bug Collision in Samsung's NPU Driver" by Gyorgy Miru](https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/) [article] [CVE-2020-28343, SVE-2020-18610] [2021: "CVE-2021-20226: A Reference-Counting Bug in the Linux Kernel io_uring Subsystem" by Lucas Leong](https://www.zerodayinitiative.com/blog/2021/4/22/cve-2021-20226-a-reference-counting-bug-in-the-linux-kernel-iouring-subsystem) [article] [CVE-2021-20226] @@ -256,7 +266,7 @@ Pull requests are welcome. [2021: "New Old Bugs in the Linux Kernel"](https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html) [article] [CVE-2021-27365, CVE-2021-27363, CVE-2021-27364] -[2021: "Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel"](https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708.pdf)] [CVE-2021-26708] +[2021: "Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel"](https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708.pdf)] [[video](https://www.youtube.com/watch?v=EMcjHfceX44)] [CVE-2021-26708] [2021: "The curious case of CVE-2020-14381"](https://blog.frizn.fr/linux-kernel/cve-2020-14381) [article] [CVE-2020-14381] @@ -266,6 +276,8 @@ Pull requests are welcome. [2021: "Exploiting CVE-2014-3153 (Towelroot)" by Elon Gliksberg](https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html) [article] [CVE-2014-3153] +[2021: "CVE-2014-3153" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernelStudy/tree/main/CVE-2014-3153) [article] [CVE-2014-3153] + [2020: "An iOS hacker tries Android" by Brandon Azad](https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html) [article] [CVE-2020-28343, SVE-2020-18610] [2020: "Exploiting a Single Instruction Race Condition in Binder"](https://blog.longterm.io/cve-2020-0423.html) [article] [CVE-2020-0423] @@ -506,6 +518,10 @@ Pull requests are welcome. ### Other +[2021: "An EPYC escape: Case-study of a KVM breakout" by Felix Wilhelm](https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html) [article] [CVE-2021-29657] + +[2021: "CVE-2021-1905: Qualcomm Adreno GPU memory mapping use-after-free" by Ben Hawkes](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1905.html) [article] [CVE-2021-1905] + [2021: "A foray into Linux kernel exploitation on Android" by Ayaz Mammadov](https://mcyoloswagham.github.io/linux/) [article] [2021: "ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier" by Lucas Leong](https://www.zerodayinitiative.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier) [article] @@ -635,6 +651,8 @@ Pull requests are welcome. [2018: "Concolic Testing for Kernel Fuzzing and Vulnerability Discovery" by Vitaly Nikolenko at OffensiveCon](https://www.youtube.com/watch?v=mpfKN1URqdQ) [video] +[2018: "K-Miner: Uncovering Memory Corruption in Linux"](http://lib.21h.io/library/XHEQU6AX/download/SLDEJFQG/2018_K-Miner_-_Uncovering_Memory_Corruption_in_Linux_Internet_Society.pdf) [paper] + [2017: "KernelMemorySanitizer (KMSAN)" by Alexander Potapenko](https://blog.linuxplumbersconf.org/2017/ocw/system/presentations/4825/original/KMSAN%20presentation%20for%20LPC%202017.pdf) [slides] [2017: "The android vulnerability discovery in SoC" by Yu Pan and Yang Dai](http://powerofcommunity.net/poc2017/yu.pdf) [slides] @@ -953,8 +971,16 @@ https://github.com/evdenis/cvehound [github.com/AravGarg/kernel-hacking/ctf-challs](https://github.com/AravGarg/kernel-hacking/tree/master/ctf-challs) +3kCTF 2021 (echo): [source and exploit](https://github.com/MaherAzzouzi/3k21-pwn/tree/main/echo) + +3kCTF 2021 (klibrary): [source](https://github.com/MaherAzzouzi/3k21-pwn/tree/main/klibrary), [writeup](https://meowmeowxw.gitlab.io/ctf/3k-2021-klibrary/) + DiceCTF 2021 (HashBrown): [writeup](https://www.willsroot.io/2021/02/dicectf-2021-hashbrown-writeup-from.html) +CUCTF 2020 (Hotrod): [writeup](https://syst3mfailure.io/hotrod) + +SpamAndFlags 2020 (Secstore): [writeup](https://pwnfirstsear.ch/2020/05/10/spamandhexctf2020-secstore.html#secstore-1) + BSidesTLV CTF 2020 (Kapara): [writeup and exploit](https://jctf.team/BSidesTLV-2020/Kapara/), [video writeup](https://media.handmade-seattle.com/linux-kernel-adventures/) HITCON CTF 2020 (spark): [source and exploit #1](https://github.com/david942j/ctf-writeups/tree/master/hitcon-2020/spark), [writeup and exploit #2](https://github.com/BrieflyX/ctf-pwns/tree/master/kernel/spark), [exploit #3](https://gist.github.com/sampritipanda/9fb8f1f92aef6591246e74ed5847c910) @@ -1061,6 +1087,8 @@ https://github.com/crowell/old_blog/blob/source/source/_posts/2014-11-24-hosting ## Misc +[2021: "The Complicated History of a Simple Linux Kernel API"](https://www.grsecurity.net/complicated_history_simple_linux_kernel_api) [article] + [2021: "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commit"](https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf) [paper] [2020: "Android / Linux SLUB aliasing for general- and special-purpose caches" by Vitaly Nikolenko](https://www.youtube.com/watch?v=5-eRsA0l8Pg) [video] -- cgit v1.3