From 5e443a886dfa9fb385190e9593a58bd80e804cca Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Wed, 10 Jan 2024 05:32:50 +0100 Subject: November/December updates --- README.md | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 70 insertions(+), 2 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 7686700..84da56f 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Exploitation +[2023: "RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections"](https://kylebot.net/papers/retspill.pdf) [paper] + +[2023: "Understanding Dirty Pagetable - m0leCon Finals 2023 CTF Writeup"](https://ptr-yudai.hatenablog.com/entry/2023/12/08/093606) [article] + +[2023: "Abusing RCU callbacks with a Use-After-Free read to defeat KASLR"](https://anatomic.rip/abusing_rcu_callbacks_to_defeat_kaslr/) [article] + +[2023: "Evils in the Sparse Texture Memory: Exploit Kernel Based on Undefined Behaviors of Graphic APIs"](https://i.blackhat.com/EU-23/Presentations/EU-23-Jin-Evils-in-the-Sparse-Texture.pdf) [slides] [[abstract](https://www.blackhat.com/eu-23/briefings/schedule/index.html#evils-in-the-sparse-texture-memory-exploit-kernel-based-on-undefined-behaviors-of-graphic-apis-35059)] + [2023: "Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming" by Seunghun Han](https://i.blackhat.com/BH-US-23/Presentations/US-23-Han-Lost-Control-Breaking-Hardware-Assisted-Kernel.pdf) [slides] [2023: "Make KSMA Great Again: The Art of Rooting Android devices by GPU MMU features" by Yong Wang](https://i.blackhat.com/BH-US-23/Presentations/US-23-WANG-The-Art-of-Rooting-Android-devices-by-GPU-MMU-features.pdf) [slides] 
@@ -72,6 +80,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2023: "PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique"](https://www.usenix.org/system/files/sec23summer_79-lee-prepub.pdf) [paper] [[video](https://www.youtube.com/watch?v=C3ta-uUthfA)] +[2023: "Linux Kernel PWN | 06 DirtyCred"](https://blog.wohin.me/posts/linux-kernel-pwn-06/) [article] + +[2023: "Linux Kernel PWN | 05 ret2dir"](https://blog.wohin.me/posts/linux-kernel-pwn-05/) [article] + [2022: "Devils Are in the File Descriptors: It Is Time To Catch Them All" by Le Wu](https://i.blackhat.com/USA-22/Wednesday/US-22-Wu-Devils-Are-in-the-File.pdf) [slides] [[video](https://www.youtube.com/watch?v=dIVjQrqpKC0)] [2022: "FUSE for Linux Exploitation 101"](https://exploiter.dev/blog/2022/FUSE-exploit.html) [article] @@ -112,6 +124,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2021: "Learning Linux Kernel Exploitation"](https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/) [article] [[part 2](https://lkmidas.github.io/posts/20210128-linux-kernel-pwn-part-2/)] [[part 3](https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/)] +[2020: "PTMA (Page Table Manipulation Attack): Attacking the core of memory permission"](https://www.slideshare.net/JungseungLee2/page-table-manipulation-attack) [slides] + [2020: "Exploiting Kernel Races Through Taming Thread Interleaving"](https://i.blackhat.com/USA-20/Thursday/us-20-Lee-Exploiting-Kernel-Races-Through-Taming-Thread-Interleaving.pdf) [slides] [[video](https://www.youtube.com/watch?v=5M3WhLVLCzs)] [2020: "Locating the kernel PGD on Android/aarch64" by Vitaly Nikolenko](https://duasynt.com/blog/android-pgd-page-tables) [article] 
@@ -160,6 +174,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2018: "Use of timer_list structure in linux kernel exploit"](https://xz.aliyun.com/t/3455) [article] +[2018: "Entering God Mode — The Kernel Space Mirroring Attack"](https://medium.com/hackernoon/entering-god-mode-the-kernel-space-mirroring-attack-8a86b749545f) [article] + [2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.riscure.com/uploads/2017/10/escalating-privileges-in-linux-using-fi-presentation-fdtc-2017.pdf) [slides] [[video](https://www.youtube.com/watch?v=nqF_IjXg_uM)] [[paper](https://www.riscure.com/uploads/2017/10/Riscure_Whitepaper_Escalating_Privileges_in_Linux_using_Fault_Injection.pdf)] [2017: "Kernel Driver mmap Handler Exploitation" by Mateusz Fruba](https://labs.withsecure.com/content/dam/labs/docs/mwri-mmap-exploitation-whitepaper-2017-09-18.pdf) [paper] @@ -239,6 +255,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Protection Bypasses +[2023: "Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation"](https://download.vusec.net/papers/slam_sp24.pdf) [paper] + +[2023: "MTE As Implemented, Part 3: The Kernel" by Mark Brand](https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html) [article] + [2023: "Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming" by Seunghun Han](https://i.blackhat.com/BH-US-23/Presentations/US-23-Han-Lost-Control-Breaking-Hardware-Assisted-Kernel.pdf) [slides] [2023: "MTE As Implemented, Part 3: The Kernel" by Mark Brand](https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html) [article] 
@@ -319,6 +339,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2023: "The code that wasn’t there: Reading memory on an Android device by accident" by Man Yue Mo](https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-an-android-device-by-accident/) [article] [CVE-2022-25664] +[2023: "EntryBleed: A Universal KASLR Bypass against KPTI on Linux"](https://dl.acm.org/doi/pdf/10.1145/3623652.3623669) [paper] [CVE-2022-4543] + [2022: "EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)"](https://www.willsroot.io/2022/12/entrybleed.html) [article] [CVE-2022-4543] [2022: "Yet another bug into Netfilter" by Arthur Mongodin](https://www.randorisec.fr/yet-another-bug-netfilter/) [article] [CVE-2022-1972] 
@@ -362,6 +384,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### LPE +[2023: "Conquering the memory through io_uring - Analysis of CVE-2023-2598"](https://anatomic.rip/cve-2023-2598/) [article] [CVE-2023-2598] + +[2023: "Conquering a Use-After-Free in nf_tables: Detailed Analysis and Exploitation of CVE-2022-32250" by Yordan Stoychev](https://anatomic.rip/cve-2022-32250/) [article] [CVE-2022-32250] + +[2023: "One shot, Triple kill: Pwning all three Google kernelCTF instances with a single 1-day Linux vulnerability"](https://kaist-hacking.github.io/pubs/2023/kim:kernel-ctf-slides.pdf) [slides] [[abstract](https://kaist-hacking.github.io/publication/kim-kernel-ctf/)] [CVE-2023-3390] + +[2023: "Exploiting a bug in the Linux kernel with Zig" by Richard Palethorpe](https://richiejp.com/linux-kernel-exploit-tls_context-uaf) [article] [[video](https://www.youtube.com/watch?v=g7ATRgat0v4)] [CVE-2023-0461] + [2023: "Escaping the Google kCTF Container with a Data-Only Exploit" by h0mbre](https://h0mbre.github.io/kCTF_Data_Only_Exploit/) [article] [CVE-2022-3910] [2023: "Analyzing a Modern In-the-wild Android Exploit" by Seth Jenkins](https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html) [article] [CVE-2023-0266] [CVE-2023-26083] 
@@ -408,6 +438,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2023: "Pwning the all Google phone with a non-Google bug"](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/) [article] [CVE-2022-38181] +[2022: "CVE-2022-1015: A validation flaw in Netfilter leading to Local Privilege Escalation" by Yordan Stoychev](https://anatomic.rip/cve-2022-1015/) [article] [CVE-2022-1015] + [2022: "CVE-2022-22265: Samsung NPU device driver double free in Android" by Xingyu Jin](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-22265.html) [article] [CVE-2022-22265] [2022: "Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg" by Sergi Martinez](https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg/) [article] [CVE-2022-32250] @@ -484,6 +516,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2022: "exploiting CVE-2019-2215" by cutesmilee](https://cutesmilee.github.io/kernel/linux/android/2022/02/17/cve-2019-2215_writeup.html) [article] [CVE-2019-2215] +[2022: "https://blog.wohin.me/posts/linux-kernel-pwn-02/"](https://blog.wohin.me/posts/linux-kernel-pwn-02/) [article] [CVE-2009-1897] + [2021: "Your Trash Kernel Bug, My Precious 0-day" by Zhenpeng Lin](https://zplin.me/talks/BHEU21_trash_kernel_bug.pdf) [slides] [CVE-2021-3715] [2021: "[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver"](https://syst3mfailure.io/sixpack-slab-out-of-bounds) [article] [CVE-2021-42008] 
@@ -812,6 +846,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Other +[2023: "Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt" by Jean-Baptiste Cayrou](https://www.synacktiv.com/sites/default/files/2023-11/ubuntu_shiftfs.pdf) [slides] [CVE-2023-2612] + +[2023: "Attacking NPUs of Multiple Platforms"](https://i.blackhat.com/EU-23/Presentations/EU-23-Zhang-Attacking-NPUs-of-Multiple-Platforms.pdf) [slides] [CVE-2022-22265] [CVE-2020-28343] [SVE-2021-20204] [CVE-2023-42483] [CVE-2023-45864] + +[2023: "Deep Dive: Qualcomm MSM Linux Kernel & ARM Mali GPU 0-day Exploit Attacks of October 2023" by Alisa Esage](https://zerodayengineering.com/insights/qualcomm-msm-arm-mali-0days.html) [article] [CVE-2023-33063] [CVE-2023-33106] [CVE-2023-33107] [CVE-2022-22071] [CVE-2023-4211] + [2023: "Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)" by notselwyn](https://pwning.tech/ksmbd/) [article] [CVE-2023-3866] [CVE-2023-3865] [[exploits](https://github.com/Notselwyn/exploits)] [2023: "CVE-2023-4273: a vulnerability in the Linux exFAT driver" by Maxim Suhanov](https://dfir.ru/2023/08/23/cve-2023-4273-a-vulnerability-in-the-linux-exfat-driver/) [article] [CVE-2023-4273] 
@@ -879,6 +919,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ## Finding Bugs +[2023: "SyzDirect: Directed Greybox Fuzzing for Linux Kernel"](https://yuanxzhang.github.io/paper/syzdirect-ccs23.pdf) [paper] + +[2023: "Using ASAN and KASAN and then Interpreting their shadow memory reports" by Kaiwan N Billimoria](https://kernelmeetup.files.wordpress.com/2023/11/lt_1_using_asan_and_kasan_and_then_interpreting_their_shadow_memory_repo.pdf) [article] + +[2023: "GWP-ASan: Sampling-Based Detection of Memory-Safety Bugs in Production"](https://arxiv.org/pdf/2311.09394.pdf) [paper] + [2023: "Tickling ksmbd: fuzzing SMB in the Linux kernel" by notselwyn](https://pwning.tech/ksmbd-syzkaller/) [article] [2023: "DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing"](https://www.usenix.org/system/files/usenixsecurity23-yuan-ming.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec23_slides_yuan.pdf)] @@ -1130,6 +1176,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map) +[2023: "Exploring Linux's New Random Kmalloc Caches" by sam4k](https://sam4k.com/exploring-linux-random-kmalloc-caches/) [article] + +[2023: "Toolchain security features status update"](https://outflux.net/slides/2023/lpc/features.pdf) [slides] [[video](https://www.youtube.com/watch?v=OEFFqhP5sts)] + +[2023: "Enable MTE on Pixel 8" by Kees Cook](https://outflux.net/blog/archives/2023/10/26/enable-mte-on-pixel-8/) [article] + [2023: "Gaining bounds-checking on trailing arrays in the Upstream Linux Kernel" by Gustavo A. R. Silva](https://speakerdeck.com/ennael/gaining-bounds-checking-on-trailing-arrays-in-the-upstream-linux-kernel) [slides] [[video](https://www.youtube.com/watch?v=bfKrLH7pLBQ)] [2023: "CONSTIFY: Fast Defenses for New Exploits" by Mathias Krause](https://grsecurity.net/constify_fast_defenses_for_new_exploits) [article] 
@@ -1266,7 +1318,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2017: "Linux Kernel Self Protection Project" by Kees Cook](https://outflux.net/slides/2017/lss/kspp.pdf) [slides] -[2017: "PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables"](https://www.internetsociety.org/sites/default/files/ndss2017_05B-4_Davi_paper.pdf) [paper] +[2017: "PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables"](https://www.internetsociety.org/sites/default/files/ndss2017_05B-4_Davi_paper.pdf) [paper] [[slides](https://www.ndss-symposium.org/wp-content/uploads/2017/09/ndss2017-05B-4-liebchen_slides.pdf)] [[video](https://www.youtube.com/watch?v=l-ou5LqOOy4)] [2017: "KASLR is Dead: Long Live KASLR"](https://gruss.cc/files/kaiser.pdf) [paper] @@ -1411,7 +1463,7 @@ https://github.com/TurtleARM/CVE-2023-0179-PoC https://github.com/lanleft/CVE2023-1829 -https://github.com/TurtleARM/CVE-2023-3338 +https://github.com/TurtleARM/CVE-2023-3338-DECPwn https://github.com/kungfulon/nf-tables-lpe @@ -1515,6 +1567,10 @@ https://github.com/a13xp0p0v/kernel-hardening-checker https://github.com/marin-m/vmlinux-to-elf +https://github.com/heki-linux + +https://github.com/oswalpalash/linux-kernel-regression-tests + ## Practice @@ -1537,6 +1593,8 @@ https://github.com/marin-m/vmlinux-to-elf HackTheBox (knote): [writeup](https://pwning.tech/knote/) +Imaginary CTF 2023 (Windows of Opportunity): [writeup 1](https://francescolucarini.github.io/Windows-of-Opportunity/), [writeup 2](https://ctftime.org/writeup/37670) + corCTF 2023 (sysruption): [writeup](https://www.willsroot.io/2023/08/sysruption.html) corCTF 2023 (zeroday, kcipher): [writeup](https://blog.libh0ps.so/2023/08/02/corCTF2023.html) 
@@ -1579,6 +1637,8 @@ DiceCTF 2021 (HashBrown): [writeup](https://www.willsroot.io/2021/02/dicectf-202 hxp CTF 2020 (pfoten): [source](https://github.com/BrieflyX/ctf-pwns/blob/master/kernel/pfoten/pfoten-c3c4a46948257e62.tar.xz), [writeup](https://mem2019.github.io/jekyll/update/2020/12/21/hxp2020-pfoten.html) +hxp CTF 2020 (kernel-rop): [writeup](https://blog.wohin.me/posts/linux-kernel-pwn-01/) + CUCTF 2020 (Hotrod): [writeup](https://syst3mfailure.io/hotrod) SpamAndFlags 2020 (Secstore): [writeup](https://pwnfirstsear.ch/2020/05/10/spamandhexctf2020-secstore.html#secstore-1) @@ -1689,6 +1749,8 @@ https://github.com/pr0cf5/kernel-exploit-practice https://github.com/hardik05/Damn_Vulnerable_Kernel_Module +[Kernel Read Write eXecute (KRWX)](https://github.com/hacktivesec/KRWX) [[slides](https://www.nohat.it/presentations/KRWX_agroppo.pdf)] [[playground](https://github.com/hacktivesec/beginner-kernel-exploitation-setup)] + ### Infrastructure 
@@ -1705,9 +1767,15 @@ https://github.com/0xricksanchez/paper_collection https://github.com/NetKingJ/awesome-android-security +https://github.com/0xor0ne/awesome-list/ + ## Misc +[2023: "Syzbot: 7 years of continuous kernel fuzzing" by Aleksandr Nogikh](https://lpc.events/event/17/contributions/1521/attachments/1272/2698/LPC'23_%20Syzbot_%207%20years%20of%20continuous%20kernel%20fuzzing.pdf) [slides] [[video](https://www.youtube.com/watch?v=sDMNEBoTtrI)] + +[2023: "Operating system security: how to get into the subject" by Alexander Popov](https://www.youtube.com/watch?v=pq-0JKKNZVQ) [video] + [2023: "Demystifying the Linux kernel security process" by Greg Kroah-Hartman](https://speakerdeck.com/ennael/demystifying-the-linux-kernel-security-process) [slides] [[video](https://www.youtube.com/watch?v=2TZe5EROFhE)] [2023: "Rustproofing Linux" by Domen Puncer Kugler](https://research.nccgroup.com/2023/02/06/rustproofing-linux-part-1-4-leaking-addresses/) [article] [[part 2](https://research.nccgroup.com/2023/02/08/rustproofing-linux-part-2-4-race-conditions/)] [[part 3](https://research.nccgroup.com/2023/02/14/rustproofing-linux-part-3-4-integer-overflows/)] [[part 4](https://research.nccgroup.com/2023/02/16/rustproofing-linux-part-4-4-shared-memory/)] -- cgit v1.3
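Review bot: the added "MTE As Implemented, Part 3: The Kernel" by Mark Brand line in the Protection Bypasses hunk (@@ -239,6 +255,10 @@) duplicates an entry that is already present two lines below it in the unchanged context, with the identical googleprojectzero URL; drop the added copy (or the existing one) so the section lists it once.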
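Review bot: the link text of the new entry in the @@ -484,6 +516,8 @@ hunk is the raw URL (`[2022: "https://blog.wohin.me/posts/linux-kernel-pwn-02/"](https://blog.wohin.me/posts/linux-kernel-pwn-02/)`) rather than an article title, unlike every other entry in this list; the other posts from the same series added in this patch are titled "Linux Kernel PWN | 05 ret2dir" and "Linux Kernel PWN | 06 DirtyCred", so this one should carry the post's actual title in that form.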
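Review bot: in the Finding Bugs hunk (@@ -879,6 +919,12 @@) the "Using ASAN and KASAN and then Interpreting their shadow memory reports" entry is tagged [article], but the URL is a PDF deck from a kernel meetup talk (`lt_1_using_asan_and_kasan_and_then_interpreting_their_shadow_memory_repo.pdf`); PDF decks elsewhere in this file carry [slides], so check which tag fits.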
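Review bot: `https://github.com/heki-linux` in the tools hunk (@@ -1515,6 +1567,10 @@) points at a GitHub organization page, whereas the neighbouring entries (`marin-m/vmlinux-to-elf`, `oswalpalash/linux-kernel-regression-tests`) link a specific repository; link the repository that actually holds the code so the reference resolves to something concrete.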