From ad1e9403d688fb4a8193fff156ac8ee3a0fb54fb Mon Sep 17 00:00:00 2001
From: Andrey Konovalov
Date: Wed, 1 Nov 2023 16:39:59 +0100
Subject: September/October updates

---
 README.md | 42 +++++++++++++++++++++++++++++++++++++-----
 1 file changed, 37 insertions(+), 5 deletions(-)

(limited to 'README.md')

diff --git a/README.md b/README.md
index fa1ce44..7686700 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2023: "Exploiting null-dereferences in the Linux kernel" by Seth Jenkins](https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html)
 
-[2023: "PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique"](https://www.usenix.org/system/files/sec23summer_79-lee-prepub.pdf) [paper]
+[2023: "PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique"](https://www.usenix.org/system/files/sec23summer_79-lee-prepub.pdf) [paper] [[video](https://www.youtube.com/watch?v=C3ta-uUthfA)]
 
 [2022: "Devils Are in the File Descriptors: It Is Time To Catch Them All" by Le Wu](https://i.blackhat.com/USA-22/Wednesday/US-22-Wu-Devils-Are-in-the-File.pdf) [slides] [[video](https://www.youtube.com/watch?v=dIVjQrqpKC0)]
 
@@ -84,8 +84,6 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2022: "An exploit primitive in the Linux kernel inspired by DirtyPipe"](https://github.com/veritas501/pipe-primitive) [article]
 
-[2022: "Pawnyable: Linux Kernel Exploitation" by ptr-yudai](https://pawnyable.cafe/linux-kernel/index.html) [articles]
-
 [2022: "DirtyCred: Escalating Privilege in Linux Kernel"](https://zplin.me/papers/DirtyCred.pdf) [paper] [[slides](https://zplin.me/papers/DirtyCred_CCS_slides.pdf)] [[artifacts](https://github.com/Markakd/DirtyCred)]
 
 [2022: "DirtyCred: Cautious! A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe"](https://i.blackhat.com/USA-22/Thursday/US-22-Lin-Cautious-A-New-Exploitation-Method.pdf) [slides] [[artifacts](https://github.com/Markakd/DirtyCred)]
@@ -128,6 +126,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2020: "Structures that can be used in kernel exploits"](https://ptr-yudai.hatenablog.com/entry/2020/03/16/165628) [article]
 
+[2019: "The Route to Root: Container Escape Using Kernel Exploitation" by Nimrod Stoler](https://www.cyberark.com/resources/threat-research-blog/the-route-to-root-container-escape-using-kernel-exploitation) [article]
+
 [2019: "Linux Kernel: the ROP Exploit of Stack Overflow in Android Kernel"](https://medium.com/@knownsec404team/linux-kernel-the-rop-exploit-of-stack-overflow-in-android-kernel-87aa8eda770d) [article]
 
 [2019: "Hands Off and Putting SLAB/SLUB Feng Shui in Blackbox" by Yueqi (Lewis) Chen at Black Hat Europe](https://i.blackhat.com/eu-19/Wednesday/eu-19-Chen-Hands-Off-And-Putting-SLAB-SLUB-Feng-Shui-In-A-Blackbox.pdf) [slides] [[code](https://www.dropbox.com/sh/2kwcwqb8rjro80j/AAC8QBCIhcCylNUDLUd1OZCZa?dl=0)]
@@ -257,6 +257,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2022: "Tetragone: A Lesson in Security Fundamentals" by Pawel Wieczorkiewicz and Brad Spengler](https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals) [article]
 
+[2021: "Characterizing, Exploiting, and Detecting DMA Code Injection Vulnerabilities in the Presence of an IOMMU"](https://www.cs.tau.ac.il/~mad/publications/eurosys2021-dma.pdf) [paper]
+
 [2021: "A General Approach to Bypassing Many Kernel Protections and its Mitigation" by Yueqi Chen](https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Chen-A-General-Approach-To-Bypassing-Many-Kernel-Protections-And-Its-Mitigation.pdf) [slides] [[video](https://www.youtube.com/watch?v=EIwEF3tCtg4)]
 
 [2021: "Attacking Samsung RKP" by Alexandre Adamski](https://blog.impalabs.com/2111_attacking-samsung-rkp.html) [article]
@@ -360,6 +362,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### LPE
 
+[2023: "Escaping the Google kCTF Container with a Data-Only Exploit" by h0mbre](https://h0mbre.github.io/kCTF_Data_Only_Exploit/) [article] [CVE-2022-3910]
+
+[2023: "Analyzing a Modern In-the-wild Android Exploit" by Seth Jenkins](https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html) [article] [CVE-2023-0266] [CVE-2023-26083]
+
 [2023: "Google: Security Research: CVE-2023-3390](https://github.com/google/security-research/tree/master/pocs/linux/kernelctf/CVE-2023-3390_lts_cos_mitigation/docs) [article] [CVE-2023-3390]
 
 [2023: "Google: Security Research: CVE-2023-0461](https://github.com/google/security-research/tree/master/pocs/linux/kernelctf/CVE-2023-0461_mitigation/docs) [article] [CVE-2023-0461]
@@ -396,7 +402,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2023: "Revisiting CVE-2017-11176" by Nils Ole Timm](https://labs.bluefrostsecurity.de/revisiting-cve-2017-11176) [article] [CVE-2017-11176]
 
-[2023: "Rooting the FiiO M6" by Jack Maginnes](https://stigward.github.io/posts/fiio-m6-kernel-bug/) [article] [[part 2](https://stigward.github.io/posts/fiio-m6-exploit/)]
+[2023: "Rooting the FiiO M6" by Jack Maginnes](https://stigward.github.io/posts/fiio-m6-kernel-bug/) [article] [[part 2](https://stigward.github.io/posts/fiio-m6-exploit/)] [[video](https://www.youtube.com/watch?v=Cd_CAYe4M_M&t=3s)]
 
 [2023: "Exploiting CVE-2021-3490 for Container Escapes" by Karsten Kyonig](https://www.crowdstrike.com/blog/exploiting-cve-2021-3490-for-container-escapes/) [article] [CVE-2021-3490]
 
@@ -678,6 +684,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2017: "Exploiting the Linux kernel via packet sockets" by Andrey Konovalov](https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html) [article] [CVE-2017-7308]
 
+[2017: "Solving a post exploitation issue with CVE-2017-7308"](https://www.coresecurity.com/core-labs/articles/solving-post-exploitation-issue-cve-2017-7308) [article] [CVE-2017-7308]
+
 [2017: "NDAY-2017-0105: Elevation of Privilege Vulnerability in MSM Thermal Drive" by Zuk Avraham](https://blog.zimperium.com/nday-2017-0105-elevation-of-privilege-vulnerability-in-msm-thermal-driver/) [article] [CVE-2016-2411]
 
 [2017: "NDAY-2017-0102: Elevation of Privilege Vulnerability in NVIDIA Video Driver" by Zuk Avraham](https://blog.zimperium.com/nday-2017-0102-elevation-of-privilege-vulnerability-in-nvidia-video-driver/) [article] [CVE-2016-2435]
@@ -804,6 +812,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Other
 
+[2023: "Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)" by notselwyn](https://pwning.tech/ksmbd/) [article] [CVE-2023-3866] [CVE-2023-3865] [[exploits](https://github.com/Notselwyn/exploits)]
+
 [2023: "CVE-2023-4273: a vulnerability in the Linux exFAT driver" by Maxim Suhanov](https://dfir.ru/2023/08/23/cve-2023-4273-a-vulnerability-in-the-linux-exfat-driver/) [article] [CVE-2023-4273]
 
 [2023: "Linux IPv6 'Route of Death' 0day" by Max VA](https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death) [article] [CVE-2023-2156]
@@ -869,6 +879,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ## Finding Bugs
 
+[2023: "Tickling ksmbd: fuzzing SMB in the Linux kernel" by notselwyn](https://pwning.tech/ksmbd-syzkaller/) [article]
+
 [2023: "DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing"](https://www.usenix.org/system/files/usenixsecurity23-yuan-ming.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec23_slides_yuan.pdf)]
 
 [2023: "BoKASAN: Binary-only Kernel Address Sanitizer for Effective Kernel Fuzzing"](https://www.usenix.org/system/files/usenixsecurity23-cho.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec23_slides_cho-mingi.pdf)] [[artifacts](https://github.com/seclab-yonsei/BoKASAN)]
@@ -1118,6 +1130,10 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
 
+[2023: "Gaining bounds-checking on trailing arrays in the Upstream Linux Kernel" by Gustavo A. R. Silva](https://speakerdeck.com/ennael/gaining-bounds-checking-on-trailing-arrays-in-the-upstream-linux-kernel) [slides] [[video](https://www.youtube.com/watch?v=bfKrLH7pLBQ)]
+
+[2023: "CONSTIFY: Fast Defenses for New Exploits" by Mathias Krause](https://grsecurity.net/constify_fast_defenses_for_new_exploits) [article]
+
 [2023: "Mitigating Security Risks in Linux with KLAUS: A Method for Evaluating Patch Correctness"](https://www.usenix.org/system/files/usenixsecurity23-wu-yuhang.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec23_slides_wu-yuhang.pdf)]
 
 [2023: "Progress On Bounds Checking in C and the Linux Kernel" by Kees Cook & Gustavo A. R. Silva](https://outflux.net/slides/2023/lss-na/bounds-checking.pdf) [slides] [[video](https://www.youtube.com/watch?v=V2kzptQG5_A)]
@@ -1495,6 +1511,10 @@ https://github.com/marin-m/vmlinux-to-elf
 
 https://github.com/nccgroup/libslub
 
+https://github.com/a13xp0p0v/kernel-hardening-checker
+
+https://github.com/marin-m/vmlinux-to-elf
+
 
 ## Practice
 
@@ -1527,6 +1547,8 @@ D^3CTF 2022 (d3bpf): [writeup](https://stdnoerr.github.io/writeup/2022/08/21/eBP
 
 zer0pts CTF 2022 (kRCE): [writeup](https://www.willsroot.io/2022/03/zer0pts-ctf-2022-krce-writeup.html)
 
+HITCON CTF 2022 (fourchain-kernel): [writeup and exploit](https://org.anize.rs/HITCON-2022/pwn/fourchain-kernel)
+
 VULNCON CTF 2021 (IPS): [writeup](https://kileak.github.io/ctf/2021/vulncon-ips/), [writeup 2](https://blog.kylebot.net/2022/01/10/VULNCON-2021-IPS/)
 
 N1 CTF 2021 (baby-guess): [source](https://github.com/sajjadium/ctf-archives/tree/main/N1CTF/2021/pwn/baby_guess), [writeup](https://kileak.github.io/ctf/2021/n1ctf21-babyguess/)
@@ -1642,13 +1664,17 @@ CSAW CTF 2010: [writeup](https://jon.oberheide.org/blog/2010/11/02/csaw-ctf-kern
 
 ### Other tasks
 
+["Pawnyable: Linux Kernel Exploitation" by ptr-yudai](https://pawnyable.cafe/linux-kernel/index.html) [articles] [[Holstein v3 writeup](https://h0mbre.github.io/PAWNYABLE_UAF_Walkthrough/)]
+
 [pwnable.kr tasks](http://pwnable.kr/play.php) (syscall, rootkit, softmmu, towelroot, kcrc, exynos)
 
 https://github.com/ReverseLab/kernel-pwn-challenge
 
 https://github.com/R3x/How2Kernel
 
-https://static.bluefrostsecurity.de/files/lab/bfsmatrix_offensivecon2023.tgz
+[OffensiveCon 2023: bfsmatrix](https://static.bluefrostsecurity.de/files/lab/bfsmatrix_offensivecon2023.tgz) [task] [[exploit](https://gist.github.com/arget13/d4006af981356cdfb0316a722a0c90e3)]
+
+[Ekoparty 2022: blunder](https://static.bluefrostsecurity.de/files/lab/module.tar.gz) [task] [[writeup 1](https://klecko.github.io/posts/bfs-ekoparty-2022/)] [[writeup 2](https://soez.github.io/posts/Bluefrost-challenge-EKOPARTY_2022/)]
 
 
 ### Playgrounds
@@ -1682,6 +1708,10 @@ https://github.com/NetKingJ/awesome-android-security
 
 ## Misc
 
+[2023: "Demystifying the Linux kernel security process" by Greg Kroah-Hartman](https://speakerdeck.com/ennael/demystifying-the-linux-kernel-security-process) [slides] [[video](https://www.youtube.com/watch?v=2TZe5EROFhE)]
+
+[2023: "Rustproofing Linux" by Domen Puncer Kugler](https://research.nccgroup.com/2023/02/06/rustproofing-linux-part-1-4-leaking-addresses/) [article] [[part 2](https://research.nccgroup.com/2023/02/08/rustproofing-linux-part-2-4-race-conditions/)] [[part 3](https://research.nccgroup.com/2023/02/14/rustproofing-linux-part-3-4-integer-overflows/)] [[part 4](https://research.nccgroup.com/2023/02/16/rustproofing-linux-part-4-4-shared-memory/)]
+
 [2023: "What is a 'good' Linux Kernel bug?" by Ben Hawkes](https://blog.isosceles.com/what-is-a-good-linux-kernel-bug/) [article]
 
 [2023: "Analysing Linux Kernel Commits"](https://sam4k.com/analysing-linux-kernel-commits/) [article]
@@ -1749,3 +1779,5 @@ https://github.com/heki-linux
 https://twitter.com/sirdarckcat/status/1681924752800366592
 
 https://github.com/hardenedvault/ved-ebpf
+
+https://github.com/thebabush/linux-russian-roulette
-- 
cgit v1.3