From 55f545330431663927eea62b054eecc3369b8e23 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Wed, 18 Mar 2020 19:51:59 +0100 Subject: Update README.md --- README.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) (limited to 'README.md') diff --git a/README.md b/README.md index bfcd25e..ac20e7b 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,10 @@ Pull requests are welcome. ## Exploitation techniques +[2020: "Linux Kernel Stack Smashing" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/02/linux-kernel-stack-smashing.html?m=1) [article] + +[2020: "Structures that can be used in kernel exploits"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article] + [2019, Black Hat Europe: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen](https://i.blackhat.com/eu-19/Wednesday/eu-19-Chen-Hands-Off-And-Putting-SLAB-SLUB-Feng-Shui-In-A-Blackbox.pdf) [slides] [[code](https://www.dropbox.com/sh/2kwcwqb8rjro80j/AAC8QBCIhcCylNUDLUd1OZCZa?dl=0)] [2019: "SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel" by Yueqi (Lewis) Chen and Xinyu Xing](http://personal.psu.edu/yxc431/publications/SLAKE_Slides.pdf) [slides] [[paper](http://personal.psu.edu/yxc431/publications/SLAKE.pdf)] @@ -151,6 +155,10 @@ Pull requests are welcome. ### LPE +[2020: "Mitigations are attack surface, too" by Jann Horn](https://googleprojectzero.blogspot.com/2020/02/mitigations-are-attack-surface-too.html) [article] + +[2020: "CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem" by Alexander Popov](https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html) [article, CVE-2019-18683] [[slides](https://a13xp0p0v.github.io/img/CVE-2019-18683.pdf)] + [2019: "Bad Binder: Android In-The-Wild Exploit" by Maddie Stone](https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html) [article, CVE-2019-2215] [2019: "Analyzing Android's CVE-2019-2215 (/dev/binder UAF)"](https://dayzerosec.com/posts/analyzing-androids-cve-2019-2215-dev-binder-uaf/) [article, CVE-2019-2215] @@ -177,6 +185,14 @@ Pull requests are welcome. [2019: "CVE-2018-18281 - Analysis of TLB Vulnerabilities in Linux Kernel"](https://xz.aliyun.com/t/4005) [article] +[2019: "Analysis of Linux xfrm Module Cross-Border Read-Write Escalation Vulnerability (CVE-2017-7184)"](http://p4nda.top/2019/02/16/CVE-2017-7184/) [article, CVE-2017-7184] + +[2019: "Analysis of Escalation Vulnerability Caused by Integer Extension of Linux ebpf Module (CVE-2017-16995)"](http://p4nda.top/2019/01/18/CVE-2017-16995/) [article, CVE-2017-16995] + +[2019: "Linux kernel 4.20 BPF integer overflow vulnerability analysis"](http://p4nda.top/2019/01/02/kernel-bpf-overflow/) [article] + +[2018: "Linux kernel 4.20 BPF integer overflow-heap overflow vulnerability and its exploitation"](https://www.anquanke.com/post/id/166819) [article] + [2018: "CVE-2017-11176: A step-by-step Linux Kernel exploitation](https://blog.lexfo.fr/) [article, CVE-2017-11176] [2018: "A cache invalidation bug in Linux memory management" by Jann Horn](https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html) [article, CVE-2018-17182] @@ -359,6 +375,10 @@ Pull requests are welcome. ### Other +[2020: "BINDER - ANALYSIS AND EXPLOITATION OF CVE-2020-0041" by Jean-Baptiste Cayrou](https://www.synacktiv.com/posts/exploit/binder-analysis-and-exploitation-of-cve-2020-0041.html) [article, CVE-2020-0041] [[slides](https://www.synacktiv.com/ressources/thcon2020_binder.pdf])] + +[2020: "The never ending problems of local ASLR holes in Linux"](https://blog.blazeinfosec.com/the-never-ending-problems-of-local-aslr-holes-in-linux/) [article, CVE-2019-11190] + [2019: "Reverse-engineering Broadcom wireless chipsets" by Hugues Anguelkov](https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html) [article, CVE-2019-9503, CVE-2019-9500] [2019: "CVE-2019-2000 - Android kernel binder vulnerability analysis"](https://xz.aliyun.com/t/4494) [article, CVE-2019-2000] @@ -367,6 +387,8 @@ Pull requests are welcome. [2019: "CVE-2019-9213 - Analysis of Linux Kernel User Space 0 Virtual Address Mapping Vulnerability"](https://cert.360.cn/report/detail?id=58e8387ec4c79693354d4797871536ea) [article, CVE-2019-9213] +[2018: "IOMMU-resistant DMA attacks" by Gil Kupfer](http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2018/MSC/MSC-2018-21.pdf) [thesis] + [2017: "initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection"](https://alephsecurity.com/2017/05/23/nexus6-initroot/#anecdote-a-linux-kernel-out-of-bounds-write-cve-2017-1000363) [article, CVE-2017-1000363] [2016: "Motorola Android Bootloader Kernel Cmdline Injection Secure Boot Bypass"](https://alephsecurity.com/vulns/aleph-2017011) [article, CVE-2016-10277] @@ -376,10 +398,14 @@ Pull requests are welcome. ## Protection bypass techniques +[2020: "Weaknesses in Linux Kernel Heap Hardening" by Silvio Cesare](https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html) [article] + [2020: "PAN: Another day, another broken mitigation" by Siguza](https://siguza.github.io/PAN/) [article] [2019, POC: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You](http://powerofcommunity.net/poc2019/x82.pdf) [slides] +[2017: "Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection" by Gal Beniamini](https://googleprojectzero.blogspot.com/2017/02/lifting-hyper-visor-bypassing-samsungs.html) [article] + [2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric"](https://web.archive.org/web/20171029060939/http://www.blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/) [article] [2016, KIWICON: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko](https://cyseclabs.com/slides/smep_bypass.pdf) [slides] @@ -415,6 +441,8 @@ Pull requests are welcome. [2020, linux.conf.au: "Control Flow Integrity in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2020/lca/cfi.pdf) [slides] [[video](https://www.youtube.com/watch?v=0Bj6W7qrOOI)] +[2019: "Camouflage: Hardware-assisted CFI for the ARM Linux kernel"](https://arxiv.org/pdf/1912.04145v1.pdf) [paper] + [2019, Linux Security Summit EU: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video] [2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/) [articles] @@ -492,6 +520,12 @@ Pull requests are welcome. ## Vulnerability discovery +[2020: "HFL: Hybrid Fuzzing on the Linux Kernel"](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24018.pdf) [paper] + +[2020: "KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities"](https://www.usenix.org/system/files/sec20summer_chen-weiteng_prepub.pdf) [paper] + +[2020: "Analyzing the Linux Kernel in Userland with AFL and KLEE"](https://blog.grimm-co.com/post/analyzing-the-linux-kernel-in-userland-with-afl-and-klee/) [article] + [2019: "Effective Static Analysis of Concurrency Use-After-Free Bugs in Linux Device Drivers"](https://hal.inria.fr/hal-02182516/document) [paper] [2019: "A gentle introduction to Linux Kernel fuzzing" by @@ -665,6 +699,10 @@ https://github.com/kangtastic/cve-2019-2215 https://github.com/QuestEscape/exploit +https://github.com/duasynt/xfrm_poc + +https://github.com/saelo/cve-2014-0038 + ## Tools @@ -760,6 +798,10 @@ HITCON CTF Quals 2019 (PoE): [source and exploit](https://github.com/david942j/c r2con CTF 2019: [source, exploit and writeup](https://github.com/esanfelix/r2con2019-ctf-kernel) +De1CTF 2019 (Race): [writeup and exploit](https://github.com/De1ta-team/De1CTF2019/tree/master/writeup/pwn/Race) + +zer0pts CTF 2020 (meow): [writeup](https://pr0cf5.github.io/ctf/2020/03/09/the-plight-of-tty-in-the-linux-kernel.html) + ## Misc -- cgit v1.3