From 7c1b77cbefc614017c11a87fde46eb2bd887f6b7 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Wed, 7 May 2025 23:44:53 +0200 Subject: March/April updates --- README.md | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 69 insertions(+), 7 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 4774a7a..14a81a5 100644 --- a/README.md +++ b/README.md 
@@ -52,10 +52,18 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Exploitation +[2025: "Kernel Exploitation Techniques: Turning The (Page) Tables" by Samuel Page](https://sam4k.com/page-table-kernel-exploitation/) [article] + +[2025: "Linux Kernel Exploitation series" by r1ru](https://r1ru.github.io/categories/linux-kernel-exploitation/) [articles] [[code](https://github.com/r1ru/linux-kernel-exploitation)] + +[2025: "Reviving the modprobe_path Technique: Overcoming search_binary_handler() Patch"](https://theori.io/blog/reviving-the-modprobe-path-technique-overcoming-search-binary-handler-patch) [article] + [2025: "WHEN GOOD KERNEL DEFENSES GO BAD: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks" by Lukas Maar et al.](https://lukasmaar.github.io/papers/usenix25-tlbsidechannel.pdf) [paper] [[artifacts](https://zenodo.org/records/14736361)] [[github](https://github.com/isec-tugraz/TLBSideChannel)] [2025: "Cross Cache Attack CheetSheet" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/03/cross-cache-attack-cheatsheet.html) [article] +[2024: "Cross Cache for Lazy People -- The Padding Spray Method"](https://kaligulaarmblessed.github.io/post/cross-cache-for-lazy-people/) [article] + [2024: "Linux Kernel Use Pipe Object to Do Data-Only Attack" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/16/linux-kernel-use-pipe-object-to-do-data-only-attack.html) [article] [2024: "CTF-style Tricks of Linux Kernel Exploitation" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/04/ctf-style-tricks-of-linux-kernel-exploitation-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2024/08/07/ctf-style-tricks-of-linux-kernel-exploitation-part-2.html)] 
@@ -295,6 +303,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Protection Bypasses +[2025: "Three bypasses of Ubuntu's unprivileged user namespace restrictions"](https://www.qualys.com/2025/three-bypasses-of-Ubuntu-unprivileged-user-namespace-restrictions.txt) [article] + +[2025: "A hole in FineIBT protection" by Jonathan Corbet](https://lwn.net/Articles/1011680/) [article] + [2024: "SELinux bypasses"](https://klecko.github.io/posts/selinux-bypasses/) [article] [2024: "Page-Oriented Programming: Subverting Control-Flow Integrity of Commodity Operating System Kernels with Non-Writable Code Pages" by Seunghun Han et al.](https://www.usenix.org/system/files/usenixsecurity24-han-seunghun.pdf) [paper] [[slides](https://www.usenix.org/system/files/usenixsecurity24_slides-han-seunghun.pdf)] [[video](https://www.youtube.com/watch?v=wSMByLg-ibs)] @@ -305,6 +317,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2024: "TikTag: Breaking ARM's Memory Tagging Extension with Speculative Execution" by Juhee Kim et al.](https://arxiv.org/pdf/2406.08719) [paper] [[code](https://github.com/compsec-snu/tiktag)] +[2023: "A Closer Look At Freelist Hardening" by Matt Yurkewych](https://drive.google.com/file/d/1FnydWAv86tHMB0iuCHSLqXLWpgCZ02c4/view) [article] [[slides](https://drive.google.com/file/d/122upcJEto-N8XdjnFOxab_8J2PDALLO0/view)] + [2023: "Leaky Address Masking: Exploiting Unmasked Spectre Gadgets with Noncanonical Address Translation"](https://download.vusec.net/papers/slam_sp24.pdf) [paper] [2023: "MTE As Implemented, Part 3: The Kernel" by Mark Brand](https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html) [article] 
@@ -387,7 +401,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Info-leaks -[2025: "KernelSnitch: Side-Channel Attacks on Kernel Data Structures" by Lukas Maar et al.](https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf) [paper] +[2025: "KernelSnitch: Side-Channel Attacks on Kernel Data Structures" by Lukas Maar et al.](https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf) [paper] [[slides](https://i.blackhat.com/Asia-25/Asia-25-Maar-KernelSnitch.pdf)] [2024: "Linux vDSO & VVAR" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/11/linux-vdso-and-vvar.html) [article] [CVE-2023-23586] 
@@ -444,6 +458,16 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### LPE +[2025: "[CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds" by D3vil](https://syst3mfailure.io/two-bytes-of-madness/) [article] [CVE-2025-37752] + +[2025: "Linux Kernel Exploitation: CVE-2025-21756: Attack of the Vsock" by Michael Hoefler](https://hoefler.dev/articles/vsock.html) [article] [CVE-2025-21756] + +[2025: "Exploiting CVE-2024-0582 via the Dirty Pagetable Method" by Kuzey Arda Bulut](https://kuzey.rs/posts/Dirty_Page_Table/) [article] [CVE-2024-0582] + +[2025: "Kernel-Hack-Drill: Environment For Developing Linux Kernel Exploits" by Alexander Popov](https://a13xp0p0v.github.io/img/Alexander_Popov-Kernel_Hack_Drill-Zer0Con.pdf) [slides] [CVE-2024-50264] + +[2025: "Linux kernel hfsplus slab-out-of-bounds Write" by Attila Szasz](https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/) [article] [CVE-2025-0927] + [2025: "CVE-2024-53141: an OOB Write Vulnerability in Netfiler Ipset" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/07/cve-2024-53141-an-oob-write-vulnerability-in-netfilter-ipset.html) [article] [CVE-2024-53141] [2025: "Patch-Gapping the Google Container-Optimized OS for $0" by h0mbre](https://h0mbre.github.io/Patch_Gapping_Google_COS/) [article] [CVE-UNKNOWN] 
@@ -982,6 +1006,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Other +[2025: "CVE-2024-36904 - Use-after-free vulnerability in the TCP subsystem of the Linux kernel"](https://github.com/alleleintel/research/tree/master/CVE-2024-36904/) [article] [CVE-2024-36904] + +[2025: "A Quick Note On Two mempolicy Vulnerabilities" by Pumpkin Chang](https://u1f383.github.io/linux/2025/03/30/a-quick-note-on-two-mempolicy-vulnerabilites.html) [article] [CVE-2022-49080] [CVE-2023-4611] + +[2025: "The Evolution of Dirty COW" by Pumpkin Chang](https://u1f383.github.io/linux/2025/03/27/the-evolution-of-COW-1.html) [article] [[part 2](https://u1f383.github.io/linux/2025/03/29/the-evolution-of-COW-2.html)] [CVE-2016-5195] [CVE-2017-1000405] [CVE-2022-2590] + +[2025: "A Quick Note on CVE-2024-53104" by Pumpkin Chang](https://u1f383.github.io/linux/2025/03/23/a-quick-note-on-CVE-2024-53104.html) [article] [CVE-2024-53104] + [2025: "A Series of io_uring pbuf Vulnerabilities" by Pumpkin Chang](https://u1f383.github.io/linux/2025/03/02/a-series-of-io_uring-pbuf-vulnerabilities.html) [article] [CVE-2024-0582] [CVE-2024-35880] [CVE-UNKNOWN] [2025: The io_uring Promotion in kernelCTF And Two Vulnerabilities Analysis](https://u1f383.github.io/linux/2025/02/28/the-io_uring-promotion-in-kernelCTF-and-two-vulnerabilities-analysis.html) [article] [CVE-UNKNOWN] [CVE-2023-52926] 
@@ -996,7 +1028,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2025: "Two Network-related vunlnerabilities Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/08/two-network-related-vulnerabilities-analysis.html) [article] [CVE-2023-6932] [CVE-2023-0461] -[2025: "Cellebrite zero-day exploit used to target phone of Serbian student activist"](https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/) [article] [CVE-2024-53104] [CVE-2024-53197] [CVE-2024-50302] +[2025: "Cellebrite zero-day exploit used to target phone of Serbian student activist"](https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/) [article] [CVE-2024-53104] [CVE-2024-53197] [CVE-2024-50302] [[note 1](https://infosec.exchange/@zhuowei@notnow.dev/114130367739741197)] [[note 2](https://infosec.exchange/@zhuowei@notnow.dev/114323100736073083)] [[note 3](https://infosec.exchange/@zhuowei@notnow.dev/114329166341368428)] [[note 4](https://infosec.exchange/@zhuowei@notnow.dev/114405047904139584)] [[note 5](https://infosec.exchange/@zhuowei@notnow.dev/114453583508015434)] [2025: "Accidentally uncovering a seven years old vulnerability in the Linux kernel" by Anderson Nascimento](https://allelesecurity.com/accidentally-uncovering-a-seven-years-old-vulnerability-in-the-linux-kernel/) [article] [CVE-2024-36904] 
@@ -1119,6 +1151,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ## Finding Bugs +[2025: "External fuzzing of USB drivers with syzkaller" by Andrey Konovalov](https://docs.google.com/presentation/d/1NulLxRowsHzgcL1AFzNF_w8nh3zk2BKKPfGi_1j76A8/edit?usp=sharing) [slides] [CVE-2024-53104] + +[2025: "A Little Goes a Long Way: Tuning Configuration Selection for Continuous Kernel Fuzzing"](https://paulgazzillo.com/papers/icse25.pdf) [paper] + [2025: "A Survey of Fuzzing Open-Source Operating Systems"](https://arxiv.org/pdf/2502.13163) [paper] [2025: "SoK: Unraveling the Veil of OS Kernel Fuzzing"](https://arxiv.org/pdf/2501.16165) [paper] @@ -1442,8 +1478,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map) +[2025: "Linux kernel Rust module for rootkit detection" by Antoine Doglioli](https://blog.thalium.re/posts/linux-kernel-rust-module-for-rootkit-detection/) [article] [[code](https://github.com/thalium/rkchk)] + [2025: "Enhancing spatial safety: fixing thousands of -Wflex-array-member-not-at-end warnings" by Gustavo A. R. Silva](https://embeddedor.com/slides/2025/eo/eo2025.pdf) [slides] +[2024: "KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities"] [paper] [[slides](https://i.blackhat.com/Asia-25/Asia-25-Ruan-KernJC.pdf)] [[code](https://github.com/NUS-Curiosity/KernJC)] + [2024: "Diving into Linux kernel security" by Alexander Popov](https://a13xp0p0v.github.io/img/Alexander_Popov-H2HC-2024.pdf) [slides] [2024: "A Decade of Low-hanging Fruit in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2024/bsidespdx/decade.pdf) [slides] @@ -1799,6 +1839,8 @@ https://github.com/roddux/ixode https://github.com/b17fr13nds/kernel-exploits +https://github.com/LLfam/foob + ## Tools 
@@ -1905,8 +1947,6 @@ https://github.com/heki-linux https://github.com/oswalpalash/linux-kernel-regression-tests -https://github.com/google/security-research/blob/master/analysis/kernel/heap-exploitation/README.md [CodeQL] [[dashboard](https://lookerstudio.google.com/reporting/68b02863-4f5c-4d85-b3c1-992af89c855c/page/n92nD)] - https://github.com/milabs/kiddy https://github.com/androidoffsec/art-kernel-toolkit @@ -1917,14 +1957,18 @@ https://github.com/gsingh93/linux-exploit-dev-env https://github.com/NUS-Curiosity/KernJC +https://oracle.github.io/kconfigs/ + ## Practice ### Workshops -[2021: "Linux kernel exploit development"](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development) [workshop] +["pwn.college: Kernel Security"](https://pwn.college/system-security/kernel-security) [workshop] + +["pwn.college: Kernel Exploitation"](https://pwn.college/software-exploitation/kernel-exploitation/) [workshop] -[2020: "pwn.college: Module: Kernel Security"](https://pwn.college/modules/kernel) [workshop] +[2021: "Linux kernel exploit development"](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development) [workshop] [2020: "Android Kernel Exploitation" by Ashfaq Ansari](https://github.com/cloudfuzz/android-kernel-exploitation) [workshop] [[video](https://www.youtube.com/watch?v=8ySHpVCYcbk)] 
@@ -1943,6 +1987,12 @@ https://github.com/NUS-Curiosity/KernJC HackTheBox (knote): [writeup](https://pwning.tech/knote/) +MCTF 2025 (Sec Mem): [writeup](https://blog.itarow.xyz/posts/mctf_2025_sec_mem/) + +TsukuCTF 2025 (easy_kernel, xcache, new_era): [writeup](https://iwancof.github.io/about-me/writeups/TsukuCTF2025/) + +LACTF 2025 (messenger): [writeup](https://terawhiz.github.io/2025/2/oob-write-to-page-uaf-lactf-2025/) + HITCON CTF QUAL 2024 (Halloween): [writeup](https://u1f383.github.io/ctf/2024/07/16/hitcon-ctf-qual-2024-pwn-challenge-part-1-halloween-and-v8sbx.html) EuskalHack 2024 Gau-Hack: [writeup](https://gum3t.xyz/posts/a-gau-hack-from-euskalhack/) 
@@ -2134,19 +2184,31 @@ https://github.com/0xor0ne/awesome-list/ ## Misc +[2025: "A Quick Dive Into The Linux Kernel Page Allocator" by D3vil](https://syst3mfailure.io/linux-page-allocator/) [article] + +[2025: "Musing from Decades of Linux Kernel Security Research" by Joshua Drake](https://github.com/jduck/bs25-slides) [slides] + +[2025: "Understanding Socket Internals Through a Series of CVE Fixes" by Pumpkin Chang](https://u1f383.github.io/linux/2025/03/23/understanding-socket-internals-through-a-series-of-cve-fixes.html) [article] + +[2025: "Building a Mali GPU Debug Environment" by Pumpkin Chang](https://u1f383.github.io/linux/2025/03/22/building-a-mali-debug-environment.html) [article] + +[2025: "ENOMEM In Linux Kernel" by Pumpkin Chang](https://u1f383.github.io/linux/2025/03/04/enomem-in-linux-kernel.html) [article] + [2025: "How Does Linux Direct Mapping Work?" by Pumpkin Chang](https://u1f383.github.io/linux/2025/02/27/how-does-linux-direct-mapping-work.html) [article] [2025: "Linux Kernel TLS" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/20/linux-kernel-tls-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2025/01/21/linux-kernel-tls-part-2.html)] [2025: "Linux KASLR Entropy" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/02/linux-kaslr-entropy.html) [article] +[2024: "Linternals: Exploring The mm Subsystem via mmap" by Samuel Page](https://sam4k.com/linternals-exploring-the-mm-subsystem-part-1/) [article] [[part 2](https://sam4k.com/linternals-exploring-the-mm-subsystem-part-2/)] + [2024: "Approaches to determining the attack surface for fuzzing the Linux kernel" by Pavel Teplyuk and Aleksey Yakunin](https://www.e3s-conferences.org/articles/e3sconf/pdf/2024/61/e3sconf_uesf2024_03005.pdf) [paper] [2024: "The Feasibility of Using Hardware Breakpoints To Extend the Race Window" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/29/the-feasibility-of-using-hardware-breakpoints-to-extend-the-race-window.html) 
[article] [2024: "Linux Kernel Heap Spraying Over A Network Connection" by Pumpkin Chang](https://u1f383.github.io/linux/2024/06/20/linux-kernel-heap-spraying-over-a-network-connection.html) [article] -[2024: "Dashing Kernel Exploitation" by Eduardo Vela and Jordy Zomer](https://github.com/google/security-research/blob/master/analysis/kernel/slides/Dashing%20Kernel%20Exploitation-H2HC-2024.pdf) [slides] [[code](https://github.com/google/security-research/tree/master/analysis/kernel/dashboard)] +[2024: "Dashing Kernel Exploitation" by Eduardo Vela and Jordy Zomer](https://github.com/google/security-research/blob/master/analysis/kernel/slides/Dashing%20Kernel%20Exploitation-H2HC-2024.pdf) [slides] [[code](https://github.com/google/security-research/tree/master/analysis/kernel)] [[dashboard](https://lookerstudio.google.com/reporting/68b02863-4f5c-4d85-b3c1-992af89c855c/page/n92nD)] [new dashboard](https://kernelctf-dash.storage.googleapis.com/processed/v6.1.111/index.html#!heap/*/msg_msg/64..128) [2024: "Linux Kernel Attack Surface: beyond IOCTL. DMA-BUF" by Slava Moskvin](https://slavamoskvin.com/linux-kernel-attack-surface-beyond-ioctl.-dma-buf/) [article] -- cgit v1.3
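Review bot: the "A Closer Look At Freelist Hardening" entry added in the `@@ -305,6 +317,8 @@` hunk links both the article and the slides to `drive.google.com/file/d/.../view` URLs, which depend on the sharing settings of a personal account and can stop resolving without notice; add the original publication location or an archived copy alongside so the entry stays usable.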
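Review bot: in the `@@ -982,6 +1006,14 @@` hunk the new `CVE-2024-36904` entry points at a GitHub tree (`github.com/alleleintel/research/tree/master/CVE-2024-36904/`) yet is tagged `[article]`, and the same CVE already has an entry further down the section ("Accidentally uncovering a seven years old vulnerability in the Linux kernel" by Anderson Nascimento, `[CVE-2024-36904]`). Check whether the two describe the same work; if so, attach the repository to the existing entry as a `[[code](...)]` link instead of adding a second entry, and if not, tag the new line according to what the link actually is.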
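Review bot: the five `[[note N](...)]` links added to the Cellebrite entry in the `@@ -996,7 +1028,7 @@` hunk are bare infosec.exchange post URLs with no hint of what each covers, unlike the `[[part 2](...)]` and `[[slides](...)]` secondary links used elsewhere, which name their content. Give each note a short label (which CVE or finding it discusses) or link the thread once, so a reader does not have to open five posts to find the relevant one.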
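Review bot: the "External fuzzing of USB drivers with syzkaller" entry added in the `@@ -1119,6 +1151,10 @@` hunk links a Google Docs presentation through its `/edit?usp=sharing` URL; for a read-only list a view or export link (the `/present` or `/export` form of the same document) is the safer choice, since the edit URL prompts for access when the document is not shared for editing.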
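Review bot: the KernJC entry added in the `@@ -1442,8 +1478,12 @@` hunk has no URL after its title, so `[2024: "KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities"] [paper]` renders as literal bracketed text rather than a link, unlike every neighbouring entry. Put the paper's link in the `(...)` position to match the `[title](url) [type]` pattern used throughout, or, if no paper link is available, drop the `[paper]` tag and lead with the `[[slides](...)]` link.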
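Review bot: the `@@ -1905,8 +1947,6 @@` hunk removes the `google/security-research/.../heap-exploitation/README.md [CodeQL]` entry from Tools together with its `[[dashboard](...)]` link; the dashboard link reappears on the "Dashing Kernel Exploitation" line in Misc, but the `[CodeQL]` pointer to the heap-exploitation README is not carried anywhere. If that README is still the entry point for the CodeQL queries, keep a reference to it (for example as a `[[codeql](...)]` link on the Dashing line); otherwise, state the removal in the commit message, which at present only says "March/April updates".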
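Review bot: in the `@@ -1917,14 +1957,18 @@` hunk the two pwn.college entries become the only Workshops items without a `YYYY:` prefix and are placed above the dated entries, while the old `[2020: "pwn.college: Module: Kernel Security"](https://pwn.college/modules/kernel)` line is deleted. If the intent is that continuously updated courses go undated at the top, that convention should be stated once in the section; either way, the commit message should say the old module URL was replaced by the two new course URLs, because the diff reads as one deletion plus two unrelated additions.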
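Review bot: in the `@@ -2134,19 +2184,31 @@` hunk the rewritten "Dashing Kernel Exploitation" line formats its last link as `[new dashboard](...)` while its sibling links use the double-bracket form `[[code](...)] [[dashboard](...)]`, so it renders differently from every other secondary link on the page. Wrap it as `[[new dashboard](...)]`; also consider linking the dashboard root rather than the `#!heap/*/msg_msg/64..128` fragment, which opens one specific slab and object-size view instead of the tool itself.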