From bedc708384015c8c5535d6ee947363659fbf4227 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Thu, 5 Nov 2020 16:35:38 +0100 Subject: September/October updates --- README.md | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 48a2c52..8e7ea59 100644 --- a/README.md +++ b/README.md @@ -11,10 +11,16 @@ Pull requests are welcome. ## Workshops +[2020: "pwn.college: Module: Kernel Security"](https://pwn.college/modules/kernel) [workshop] + [2020: "Android Kernel Exploitation" by Ashfaq Ansari](https://github.com/cloudfuzz/android-kernel-exploitation) [workshop] ## Exploitation Techniques +[2020: "Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers"](https://www.usenix.org/system/files/woot20-paper1-slides-cho.pdf) [slides] [[paper](https://www.usenix.org/system/files/woot20-paper-cho.pdf)] [[video](https://www.youtube.com/watch?v=uI377m9S0qs)] + +[2020: "BlindSide: Speculative Probing: Hacking Blind in the Spectre Era"](https://www.vusec.net/projects/blindside/) [paper] + [2020: "Structures that can be used with Kernel Exploit"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article] [2020: "Linux Kernel Stack Smashing" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/02/linux-kernel-stack-smashing.html?m=1) [article] @@ -161,6 +167,10 @@ Pull requests are welcome. ### LPE +[2020: "CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel" by Or Cohen](https://unit42.paloaltonetworks.com/cve-2020-14386/) [article, CVE-2020-14386] + +[2020: "Attacking the Qualcomm Adreno GPU" by Ben Hawkes](https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html) [article, CVE-2020-11179] + [2020, Black Hat USA: "TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices" by Guang Gong](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices.pdf) [slides, CVE-2019-10567] [[paper](https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf)] [2020: "Binder - Analysis and exploitation of CVE-2020-0041" by Jean-Baptiste Cayrou](https://www.synacktiv.com/posts/exploit/binder-analysis-and-exploitation-of-cve-2020-0041.html) [article, CVE-2020-0041] @@ -380,6 +390,8 @@ Pull requests are welcome. ### RCE +2020: BleedingTooth vulnarabilities by Andy Nguyen: [BadChoice](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq), [BadKarma](https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq), [BadVibes](https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649) [article, CVE-2020-12352, CVE-2020-12351, CVE-2020-24490] + [2017: "Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html) [article, CVE-2017-0569] [2017: "BlueBorn: The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks"](http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf?t=1505222709963) [whitepaper, CVE-2017-1000251] @@ -395,6 +407,8 @@ Pull requests are welcome. ### Other +[2020: "The short story of 1 Linux Kernel Use-After-Free bug and 2 CVEs (CVE-2020-14356 and CVE-2020-25220)" by Adam Zabrocki](http://blog.pi3.com.pl/?p=720) [article, CVE-2020-14356, CVE-2020-25220] + [2020: "Curiosity around 'exec_id' and some problems associated with it" by Adam Zabrocki](https://www.openwall.com/lists/kernel-hardening/2020/03/25/1) [article] [2020: "The never ending problems of local ASLR holes in Linux"](https://blog.blazeinfosec.com/the-never-ending-problems-of-local-aslr-holes-in-linux/) [article, CVE-2019-11190] @@ -418,6 +432,8 @@ Pull requests are welcome. ## Protection Bypass Techniques +[2020: "Things not to do when using an IOMMU" by Ilja van Sprundel and Joseph Tartaro](https://www.youtube.com/watch?v=p1HUpSkHcZ0) [video] + [2020: "SELinux RKP misconfiguration on Samsung S20 devices" by Vitaly Nikolenko](https://duasynt.com/blog/samsung-s20-rkp-selinux-disable) [article] [2020: "TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs"](https://download.vusec.net/papers/tagbleed_eurosp20.pdf) [paper] @@ -465,6 +481,8 @@ Pull requests are welcome. ## Defensive +[2020: "State of Linux kernel security" by Dmitry Vyukov](https://github.com/ossf/wg-securing-critical-projects/blob/main/presentations/The_state_of_the_Linux_kernel_security.pdf) [slides] [[video](https://www.youtube.com/watch?v=PGwFyzh2KTA&t=1233)] + [2020, OSTconf: "LKRG IN A NUTSHELL" by Adam Zabrocki](https://www.openwall.com/presentations/OSTconf2020-LKRG-In-A-Nutshell/OSTconf2020-LKRG-In-A-Nutshell.pdf) [slides] [2020, Linux Plumbers: "syzkaller / sanitizers: status update" by Dmitry Vyukov](https://linuxplumbersconf.org/event/7/contributions/716/attachments/645/1181/syzkaller_LPC2020.pdf) [slides] [[video](https://www.youtube.com/watch?v=y9Glc90WUN0&t=234)] @@ -481,7 +499,7 @@ Pull requests are welcome. [2019, Linux Security Summit EU: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video] -[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/) [articles] +[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7/) [articles] [2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento](http://www.alunos.dcc.fc.up.pt/~up201407890/Thesis.pdf) [thesis] @@ -556,6 +574,8 @@ Pull requests are welcome. ## Vulnerability Discovery +[2020: "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel"](https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf) [paper] + [2020: "Fuzzing the Linux kernel (x86) entry code, Part 1 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-1-of-3) [article] [2020: "Fuzzing the Linux kernel (x86) entry code, Part 2 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-2-of-3) [article] @@ -777,6 +797,8 @@ https://github.com/chompie1337/s8_2019_2215_poc/ https://github.com/c3r34lk1ll3r/CVE-2017-5123 +https://github.com/QuestEscape/exploit/tree/master/CVE-2018-9568_WrongZone + ## Tools @@ -886,6 +908,11 @@ DEF CON CTF Qualifier 2020 (fungez): [source](https://github.com/o-o-overflow/dc ASIS CTF 2020 (Shared House): [writeup](https://ptr-yudai.hatenablog.com/entry/2020/07/06/000622#354pts-Shared-House-7-solves) +r2con CTF 2020: [source](https://github.com/esanfelix/r2con2020-ctf-kernel), [exploit](https://github.com/dialluvioso/box/blob/master/r2con2020-ctf-kernel/exploit.c) + +Seccon Online 2020 (Kstack): [source, exploit and writeup](https://github.com/BrieflyX/ctf-pwns/tree/master/kernel/kstack) + +N1 CTF 2020 (W2L): [writeup](https://github.com/Nu1LCTF/n1ctf-2020/blob/main/N1CTF2020%20Writeup%20By%20Nu1L.pdf) ## Misc @@ -936,3 +963,5 @@ https://www.twitch.tv/dayzerosec/videos?filter=all&sort=time https://github.com/pr0cf5/kernel-exploit-practice https://github.com/milabs/lkrg-bypass + +https://github.com/V4bel/kernel-exploit-technique -- cgit v1.3