From a93ac0b2430a565d59974ac364b3b97177247bf9 Mon Sep 17 00:00:00 2001
From: Andrey Konovalov
Date: Mon, 3 Jul 2023 20:00:13 +0200
Subject: May/June updates

---
 README.md | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/README.md b/README.md
index 24aab2d..31e4390 100644
--- a/README.md
+++ b/README.md
@@ -52,12 +52,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Exploitation
 
+[2023: "Exploit Engineering – Attacking the Linux Kernel" by Alex Plaskett and Cedric Halbronn](https://research.nccgroup.com/wp-content/uploads/2023/05/exploit-engineering-linux-kernel.pdf) [slides] [[video](https://www.youtube.com/watch?v=9wgHENj_YNk)]
+
+[2023: "Algorithmic Heap Layout Manipulation in the Linux Kernel" by Max Ufer and Daniel Baier](https://escholarship.org/content/qt8ss3f7w1/qt8ss3f7w1.pdf) [paper] [[artifacts](https://github.com/fkie-cad/Algorithmic-Heap-Layout-Manipulation-in-the-Linux-Kernel)]
+
 [2023: "The Return of Stack Overflows in the Linux Kernel" by Davide Ornaghi](https://conference.hitb.org/hitbsecconf2023ams/materials/D2%20COMMSEC%20-%20The%20Return%20of%20Stack%20Overflows%20in%20the%20Linux%20Kernel%20-%20Davide%20Ornaghi.pdf) [slides]
 
 [2023: "Exploiting null-dereferences in the Linux kernel" by Seth Jenkins](https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html)
 
 [2023: "PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique"](https://www.usenix.org/system/files/sec23summer_79-lee-prepub.pdf) [paper]
 
+[2022: "Devils Are in the File Descriptors: It Is Time To Catch Them All" by Le Wu](https://i.blackhat.com/USA-22/Wednesday/US-22-Wu-Devils-Are-in-the-File.pdf) [slides] [[video](https://www.youtube.com/watch?v=dIVjQrqpKC0)]
+
 [2022: "FUSE for Linux Exploitation 101"](https://exploiter.dev/blog/2022/FUSE-exploit.html) [article]
 
 [2022: "Kernel Exploit Recipes"](https://drive.google.com/file/d/1kRHgQ9qDr4vgxJ4rVL-UNKvCamva_TRB/view) [brochure]
@@ -223,6 +229,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Protection Bypasses
 
+[2023: "EPF: Evil Packet Filter" by Di Jin, Vaggelis Atlidakis, and Vasileios P. Kemerlis](https://cs.brown.edu/~vpk/papers/epf.atc23.pdf) [paper]
+
+[2023: "Bypassing SELinux with init_module" by Sean Pesce](https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html) [article]
+
+[2023: "Finding Gadgets for CPU Side-Channels with Static Analysis Tools" by Jordy Zomer and Alexandra Sandulescu](https://github.com/google/security-research/tree/master/pocs/cpus/spectre-gadgets) [article]
+
+[2023: "Linux Kernel: Spectre-v1 gadgets" by Jordy Zomer and Alexandra Sandulescu](https://github.com/google/security-research/security/advisories/GHSA-m7j5-797w-vmrh) [article]
+
 [2023: "Linux Kernel: Spectre v2 SMT mitigations problem" by Eduardo Vela](https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx) [article]
 
 [2022: "A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data"](https://i.blackhat.com/USA-22/Thursday/US-22-Frigo-A-Dirty-Little-History.pdf) [slides]
@@ -332,6 +346,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### LPE
 
+[2023: "Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability" by Vu Thi Lan](https://starlabs.sg/blog/2023/06-breaking-the-code-exploiting-and-examining-cve-2023-1829-in-cls_tcindex-classifier-vulnerability/) [article] [CVE-2023-1829]
+
+[2023: "CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver"](https://labs.bluefrostsecurity.de/blog/cve-2023-2008.html) [article] [CVE-2023-2008]
+
+[2023: "Rooting with root cause: finding a variant of a Project Zero bug" by Man Yue Mo](https://github.blog/2023-05-25-rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug/) [article] [CVE-2022-46395]
+
+[2023: "Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel" by Moshe Kol](https://0xkol.github.io/assets/files/Racing_Against_the_Lock__Exploiting_Spinlock_UAF_in_the_Android_Kernel.pdf) [article] [[slides](https://0xkol.github.io/assets/files/OffensiveCon23_Racing_Against_the_Lock__Exploiting_Spinlock_UAF_in_the_Android_Kernel.pdf)] [[video](https://www.youtube.com/watch?v=E3CVDOlcHC4)] [[exploit](https://github.com/0xkol/badspin)] [CVE-2022-20421]
+
+[2023: "Two bugs with one PoC: Roo2ng Pixel 6 from Android 12 to Android 1" by Yong Wang](https://i.blackhat.com/Asia-23/AS-23-WANG-Two-bugs-with-one-PoC-Rooting-Pixel-6-from-Android-12-to-Android-13.pdf) [slides] [CVE-2021-28664]
+
+[2023: "The OverlayFS vulnerability CVE-2023-0386: Overview, detection, and remediation"](https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/) [article] [CVE-2023-0386]
+
 [2023: "Pwning Pixel 6 with a leftover patch" by Man Yue Mo](https://github.blog/2023-04-06-pwning-pixel-6-with-a-leftover-patch/) [article] [GHSL-2023-005]
 
 [2023: "Revisiting CVE-2017-11176" by Nils Ole Timm](https://labs.bluefrostsecurity.de/revisiting-cve-2017-11176) [article] [CVE-2017-11176]
@@ -723,6 +749,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### RCE
 
+[2023: "Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution" by Guillaume Teissier and Quentin Minster](https://www.youtube.com/watch?v=XT6jLBbzwFM) [video] [CVE-2022-47943] [CVE-2023-2593]
+
 [2022: "Writing a Linux Kernel Remote in 2022" by Samuel Page](https://blog.immunityinc.com/p/writing-a-linux-kernel-remote-in-2022/) [article] [[slides](https://conference.hitb.org/hitbsecconf2022sin/materials/D1T1%20-%20Erybody%20Gettin%20TIPC%20-%20Demystifying%20Remote%20Linux%20Kernel%20Exploitation%20-%20Sam%20Page.pdf)] [CVE-2022-0435]
 
 [2022: "Zenith: Pwn2Own TP-Link AC1750 Smart Wi-Fi Router Remote Code Execution Vulnerability" by Axel Souchet](https://github.com/0vercl0k/zenith) [article] [CVE-2022-24354]
@@ -742,6 +770,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Other
 
+[2023: "Linux IPv6 'Route of Death' 0day" by Max VA](https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death) [article] [CVE-2023-2156]
+
 [2022: "Linux Kernel: Infoleak in Bluetooth L2CAP Handling"](https://github.com/google/security-research/security/advisories/GHSA-vccx-8h74-2357) [advisory] [CVE-2022-42895]
 
 [2022: "Linux Kernel: UAF in Bluetooth L2CAP Handshake"](https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4) [advisory] [CVE-2022-42896]
@@ -803,6 +833,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ## Finding Bugs
 
+[2023: "UNCONTAINED: Uncovering Container Confusion in the Linux Kernel" by Jakob Koschel, Pietro Borrello, et al.](https://download.vusec.net/papers/uncontained_sec23.pdf) [paper]
+
+[2023: "KIT: Testing OS-Level Virtualization for Functional Interference Bugs"](https://dl.acm.org/doi/pdf/10.1145/3575693.3575731) [paper]
+
+[2023: "SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers"](https://www.cs.ucr.edu/~zhiyunq/pub/oakland23_syzdescribe.pdf) [paper] [[slides](https://static.sched.com/hosted_files/lssna2023/94/LSS-NA-23-SyzDescribe.pdf)]
+
 [2023: "Precise Detection of Kernel Data Races with Probabilistic Lockset Analysis"](https://www.cs.columbia.edu/~gabe/files/oakland2023_pla.pdf) [paper]
 
 [2023: "No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions"](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f688_paper.pdf) [paper]
@@ -1038,6 +1074,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
 
+[2023: "Progress On Bounds Checking in C and the Linux Kernel" by Kees Cook & Gustavo A. R. Silva](https://outflux.net/slides/2023/lss-na/bounds-checking.pdf) [slides] [[video](https://www.youtube.com/watch?v=V2kzptQG5_A)]
+
 [2023: "Mobile Exploitation - The past, present, and the future" by Ki Chan Ahn](https://github.com/externalist/presentations/blob/master/2023%20Zer0con/Mobile%20Exploitation%2C%20the%20past%2C%20present%2C%20and%20future.pdf) [slides]
 
 [2023: "Bounded Flexible Arrays in C" by Kees Cook](https://people.kernel.org/kees/bounded-flexible-arrays-in-c) [article]
@@ -1299,6 +1337,20 @@ https://github.com/tr3ee/CVE-2021-4204
 
 [Linux Kernel SCTP FORWARD-TSN Chunk Memory Corruption Remote Exploit](https://subreption.com/offensive-security/exploits/sctp_thermite/) [CVE-2009-0065]
 
+https://github.com/xkaneiki/CVE-2023-0386
+
+https://www.openwall.com/lists/oss-security/2023/05/08/3 [CVE-2023-2598]
+
+https://www.openwall.com/lists/oss-security/2023/05/15/5 [CVE-2023-32233]
+
+https://github.com/Liuk3r/CVE-2023-32233
+
+https://github.com/TurtleARM/CVE-2023-0179-PoC
+
+https://github.com/lanleft/CVE2023-1829
+
+https://github.com/TurtleARM/CVE-2023-3338
+
 
 ## Tools
 
@@ -1393,6 +1445,8 @@ https://github.com/chompie1337/kernel_obj_finder
 
 https://github.com/marin-m/vmlinux-to-elf
 
+https://github.com/nccgroup/libslub
+
 
 ## Practice
 
@@ -1542,6 +1596,8 @@ https://github.com/ReverseLab/kernel-pwn-challenge
 
 https://github.com/R3x/How2Kernel
 
+https://static.bluefrostsecurity.de/files/lab/bfsmatrix_offensivecon2023.tgz
+
 
 ### Playgrounds
 
@@ -1622,3 +1678,5 @@ https://github.com/0xricksanchez/like-dbg
 https://github.com/ameetsaahu/Kernel-exploitation
 
 https://github.com/cmu-pasta/linux-kernel-enriched-corpus
+
+https://github.com/niveb/NoCrypt
-- 
cgit v1.3