From dbead8e8bac3d5387593a547ea2c6f516847defc Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Mon, 3 Mar 2025 18:23:51 +0100 Subject: January/February updates --- README.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) (limited to 'README.md') diff --git a/README.md b/README.md index ccca064..4774a7a 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Exploitation +[2025: "WHEN GOOD KERNEL DEFENSES GO BAD: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks" by Lukas Maar et al.](https://lukasmaar.github.io/papers/usenix25-tlbsidechannel.pdf) [paper] [[artifacts](https://zenodo.org/records/14736361)] [[github](https://github.com/isec-tugraz/TLBSideChannel)] + [2025: "Cross Cache Attack CheetSheet" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/03/cross-cache-attack-cheatsheet.html) [article] [2024: "Linux Kernel Use Pipe Object to Do Data-Only Attack" by Pumpkin Chang](https://u1f383.github.io/linux/2024/08/16/linux-kernel-use-pipe-object-to-do-data-only-attack.html) [article] 
@@ -442,6 +444,12 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### LPE +[2025: "CVE-2024-53141: an OOB Write Vulnerability in Netfiler Ipset" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/07/cve-2024-53141-an-oob-write-vulnerability-in-netfilter-ipset.html) [article] [CVE-2024-53141] + +[2025: "Patch-Gapping the Google Container-Optimized OS for $0" by h0mbre](https://h0mbre.github.io/Patch_Gapping_Google_COS/) [article] [CVE-UNKNOWN] + +[2025: "Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793)" by Ng Zhi Yang](https://starlabs.sg/blog/2025/12-mali-cious-intent-exploiting-gpu-vulnerabilities-cve-2022-22706/) [article] [CVE-2022-22706] [CVE-2021-39793] + [2024: "The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit" by Seth Jenkins](https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html) [article] [CVE-2024-38402] [CVE-2024-21455] [CVE-2024-33060] [CVE-2024-49848] [CVE-2024-43047] [2024: "OtterRoot: Netfilter Universal Root 1-day" by Pedro Pinto](https://osec.io/blog/2024-11-25-netfilter-universal-root-1-day) [article] [CVE-2024-26809] 
@@ -510,6 +518,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). [2024: "Mali GPU Kernel LPE: Android 14 kernel exploit for Pixel7/8 Pro" by Mohamed Ghannam](https://github.com/0x36/Pixel_GPU_Exploit) [article] [CVE-2023-26083] +[2024: "CVE-2023-5178: exploiting Linux kernel NVMe-oF-TCP driver on Ubuntu 23.10" by rockrid3r](https://rockrid3r.github.io/2024/02/07/CVE-2023-5178.html) [article] [CVE-2023-5178] [[exploit](https://github.com/rockrid3r/CVE-2023-5178)] + [2023: "Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability (CVE-2023-6546)" by Nassim Asrir](https://github.com/Nassim-Asrir/ZDI-24-020/) [CVE-2023-6546] [2023: "Conquering the memory through io_uring - Analysis of CVE-2023-2598"](https://anatomic.rip/cve-2023-2598/) [article] [[exploit](https://github.com/ysanatomic/io_uring_LPE-CVE-2023-2598)] [CVE-2023-2598] @@ -949,7 +959,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### RCE -[2024: "Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap" by Robert Herrera and Alex Plaskett](https://www.nccgroup.com/media/uzbp3ttw/bhus24_sonos_whitepaper.pdf) [article] [[slides](https://i.blackhat.com/BH-US-24/Presentations/US-24-Herrera-Listen-Up-Sonos-Over-The-Air-Exploitation-and-Covert-Wiretap-Thursday.pdf)] [CVE-2023-50809] [CVE-2024-20018] +[2024: "Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap" by Robert Herrera and Alex Plaskett](https://www.nccgroup.com/media/uzbp3ttw/bhus24_sonos_whitepaper.pdf) [article] [[slides](https://i.blackhat.com/BH-US-24/Presentations/US-24-Herrera-Listen-Up-Sonos-Over-The-Air-Exploitation-and-Covert-Wiretap-Thursday.pdf)] [[video](https://www.youtube.com/watch?v=piw0CZ46-Q0)] [CVE-2023-50809] [CVE-2024-20018] [2023: "Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution" by Guillaume Teissier and Quentin Minster](https://www.youtube.com/watch?v=XT6jLBbzwFM) [video] [CVE-2022-47943] [CVE-2023-2593] 
@@ -972,6 +982,32 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ### Other +[2025: "A Series of io_uring pbuf Vulnerabilities" by Pumpkin Chang](https://u1f383.github.io/linux/2025/03/02/a-series-of-io_uring-pbuf-vulnerabilities.html) [article] [CVE-2024-0582] [CVE-2024-35880] [CVE-UNKNOWN] + +[2025: The io_uring Promotion in kernelCTF And Two Vulnerabilities Analysis](https://u1f383.github.io/linux/2025/02/28/the-io_uring-promotion-in-kernelCTF-and-two-vulnerabilities-analysis.html) [article] [CVE-UNKNOWN] [CVE-2023-52926] + +[2025: "Linux Kernel Some Vsock Vulnerabilities Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2025/02/24/linux-kernel-some-vsock-vulnerabilities-analysis.html) [article] [CVE-2025-21669] [CVE-2025-21670] [CVE-2025-21666] + +[2025: "From Zero to Emo – My Journey of Many Failures in kernelCTF" by Pumpkin Chang](https://u1f383.github.io/linux/2025/02/21/from-zero-to-emo-my-journey-of-many-failures-in-kernelCTF.html) [article] [CVE-2024-56770] [CVE-2025-21703] [CVE-2025-21700] + +[2025: "A 1-day a Day in the Lunar New Year" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/27/a-1-day-a-day-in-the-lunar-new-year.html) [article] [CVE-UNKNOWN] + +[2025: "Memory-related CVEs Exploited in kernelCTF" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/12/memory-related-cves-exploited-in-kernelctf.html) [article] [CVE-2024-50066] [CVE-2023-3269] + +[2025: "Two Network-related vunlnerabilities Analysis" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/08/two-network-related-vulnerabilities-analysis.html) [article] [CVE-2023-6932] [CVE-2023-0461] + +[2025: "Cellebrite zero-day exploit used to target phone of Serbian student activist"](https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/) [article] [CVE-2024-53104] [CVE-2024-53197] [CVE-2024-50302] + +[2025: "Accidentally uncovering a seven years old vulnerability in the Linux kernel" by 
Anderson Nascimento](https://allelesecurity.com/accidentally-uncovering-a-seven-years-old-vulnerability-in-the-linux-kernel/) [article] [CVE-2024-36904] + +[2025: "Linux Kernel: Out of bounds Write in ksmbd_vfs_stream_write" by Jordy Zomer](https://github.com/google/security-research/security/advisories/GHSA-qmm2-xfcw-4r29) [article] [CVE-2024-56626] + +[2025: "Linux Kernel: Out of bounds Read in ksmbd_vfs_stream_read" by Jordy Zomer](https://github.com/google/security-research/security/advisories/GHSA-gqrv-6fcf-hvv8) [article] [CVE-2024-56627] + +[2025: "Linux Kernel: Integer Overflow in eBPF XSK map_delete_elem Leads to Out-of-Bounds" by Jordy Zomer](https://github.com/google/security-research/security/advisories/GHSA-cqc2-6j63-6qrx) [article] [CVE-2024-56614] + +[2025: "Integer Overflow in eBPF DEVMAP map_delete_elem Leads to Out-of-Bounds" by Jordy Zomer](https://github.com/google/security-research/security/advisories/GHSA-fphp-6498-x998) [article] [CVE-2024-56615] + [2025: "Some Casual Notes for CVE-2024-26921" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/04/some-casual-notes-for-cve-2024-26921.html) [article] [CVE-2024-26921] [2024: "Linux Kernel ICMPv6 & CVE-2023-6200" by Pumpkin Chang](https://u1f383.github.io/linux/2024/12/04/linux-kernel-icmpv6-and-cve-2023-6200.html) [article] [CVE-2023-6200] 
@@ -1083,6 +1119,16 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ## Finding Bugs +[2025: "A Survey of Fuzzing Open-Source Operating Systems"](https://arxiv.org/pdf/2502.13163) [paper] + +[2025: "SoK: Unraveling the Veil of OS Kernel Fuzzing"](https://arxiv.org/pdf/2501.16165) [paper] + +[2025: "SyzParam: Incorporating Runtime Parameters into Kernel Driver Fuzzing"](https://arxiv.org/pdf/2501.10002) [paper] + +[2025: "ksmbd vulnerability research" by Norbert Szetei](https://blog.doyensec.com/2025/01/07/ksmbd-1.html) [article] + +[2025: "Uncovering New Classes of Kernel Vulnerabilities" by Jakob Koschel](https://research.vu.nl/ws/portalfiles/portal/380101013/thesis%20-%20674c5b8426eb2.pdf) [thesis] + [2024: "CountDown: Refcount-guided Fuzzing for Exposing Temporal Memory Errors in Linux Kernel" by Shuangpeng Bai et al.](https://huhong789.github.io/papers/bai:countdown.pdf) [paper] [2024: "A Little Goes a Long Way: Tuning Configuration Selection for Continuous Kernel Fuzzing" by Sanan Hasanov et al.](https://paulgazzillo.com/papers/icse25.pdf) [paper] @@ -1396,6 +1442,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/). ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map) +[2025: "Enhancing spatial safety: fixing thousands of -Wflex-array-member-not-at-end warnings" by Gustavo A. R. Silva](https://embeddedor.com/slides/2025/eo/eo2025.pdf) [slides] + [2024: "Diving into Linux kernel security" by Alexander Popov](https://a13xp0p0v.github.io/img/Alexander_Popov-H2HC-2024.pdf) [slides] [2024: "A Decade of Low-hanging Fruit in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2024/bsidespdx/decade.pdf) [slides] 
@@ -1909,6 +1957,8 @@ corCTF 2023 (sysruption): [writeup](https://www.willsroot.io/2023/08/sysruption. corCTF 2023 (zeroday, kcipher): [writeup](https://blog.libh0ps.so/2023/08/02/corCTF2023.html) +corCTF 2023 (kcipher): [writeup](https://rockrid3r.github.io/2023/09/26/kcipher-writeup-corctf-2023.html) + hxp CTF 2022 (one_byte): [writeup](https://hxp.io/blog/99/hxp-CTF-2022-one_byte-writeup/) BFS Ekoparty 2022 (blunder): [writeup](https://klecko.github.io/posts/bfs-ekoparty-2022/) @@ -2084,6 +2134,10 @@ https://github.com/0xor0ne/awesome-list/ ## Misc +[2025: "How Does Linux Direct Mapping Work?" by Pumpkin Chang](https://u1f383.github.io/linux/2025/02/27/how-does-linux-direct-mapping-work.html) [article] + +[2025: "Linux Kernel TLS" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/20/linux-kernel-tls-part-1.html) [article] [[part 2](https://u1f383.github.io/linux/2025/01/21/linux-kernel-tls-part-2.html)] + [2025: "Linux KASLR Entropy" by Pumpkin Chang](https://u1f383.github.io/linux/2025/01/02/linux-kaslr-entropy.html) [article] [2024: "Approaches to determining the attack surface for fuzzing the Linux kernel" by Pavel Teplyuk and Aleksey Yakunin](https://www.e3s-conferences.org/articles/e3sconf/pdf/2024/61/e3sconf_uesf2024_03005.pdf) [paper] -- cgit v1.3
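Review bot: in the Exploitation hunk (@@ -52,6 +52,8 @@) the new paper title is in all caps ("WHEN GOOD KERNEL DEFENSES GO BAD: ..."), which breaks the title case used by every neighbouring entry; suggest "When Good Kernel Defenses Go Bad: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks". While in this hunk, the adjacent context line "Cross Cache Attack CheetSheet" carries a pre-existing typo ("CheatSheet") that could be fixed in the same commit.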
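Review bot: in the LPE hunk (@@ -442,6 +444,12 @@) the first added entry misspells the subsystem as "Netfiler Ipset"; the linked URL slug reads "netfilter-ipset", so the title should be "CVE-2024-53141: an OOB Write Vulnerability in Netfilter Ipset". The h0mbre entry is tagged [CVE-UNKNOWN]; if that placeholder is intentional it matches the convention used in the Other hunk, but it is worth confirming no identifier has since been assigned before merging.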
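Review bot: in the Other hunk (@@ -972,6 +982,32 @@) two of the added entries are inconsistent with the rest of the hunk. "Two Network-related vunlnerabilities Analysis" has a typo in the title; the URL slug spells it "vulnerabilities". The entry "[2025: The io_uring Promotion in kernelCTF And Two Vulnerabilities Analysis]" lacks the quotation marks around the title and the "by ..." attribution that every other u1f383.github.io entry in the hunk carries; suggest "[2025: \"The io_uring Promotion in kernelCTF And Two Vulnerabilities Analysis\" by Pumpkin Chang]" if the author is the same as for the surrounding entries on that domain.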
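Review bot: in the Finding Bugs hunk (@@ -1083,6 +1119,16 @@) the three arXiv entries ("A Survey of Fuzzing Open-Source Operating Systems", "SoK: Unraveling the Veil of OS Kernel Fuzzing", "SyzParam: ...") omit the author field, while the unchanged context entries directly below ("by Shuangpeng Bai et al.", "by Sanan Hasanov et al.") and the other two added entries in this hunk include it; suggest adding "by <first author> et al." to each so the section stays consistent. The [thesis] tag introduced on the Koschel entry is new to the visible list; fine if intended as a new entry type, but worth a mention in the commit message.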