A Nerve-Racking Bug Collision in Samsung's NPU Driver
An exploit write-up by Gyorgy Miru for another bug in the Samsung NPU driver. Unlike the vmalloc-based exploits published by P0 and others, this one relies on a race condition leading to a slab-out-of-bounds write.
https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/
An exploit write-up by Gyorgy Miru for another bug in the Samsung NPU driver. Unlike the vmalloc-based exploits published by P0 and others, this one relies on a race condition leading to a slab-out-of-bounds write.
https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/
labs.taszk.io
[BugTales] A Nerve-Racking Bug Collision in Samsung's NPU Driver
Last summer I have discovered several vulnerabilities in the implementation of Samsung's NPU device driver. While I was working on completing my proof of concept exploit
CVE-2021–20226: a reference counting bug which leads to local privilege escalation in io_uring
An article describing a bug in the io_uring subsystem. Improper handling of files_struct references leading to a use-after-free.
https://flattsecurity.medium.com/cve-2021-20226-a-reference-counting-bug-which-leads-to-local-privilege-escalation-in-io-uring-e946bd69177a
An article describing a bug in the io_uring subsystem. Improper handling of files_struct references leading to a use-after-free.
https://flattsecurity.medium.com/cve-2021-20226-a-reference-counting-bug-which-leads-to-local-privilege-escalation-in-io-uring-e946bd69177a
Medium
CVE-2021–20226 a reference counting bug which leads to local privilege escalation in io_uring.
Hello, I’m Shiga( @Ga_ryo_ ), a security engineer at Flatt Security Inc.
An EPYC escape: Case-study of a KVM breakout by Felix Wilhelm
KVM guest-to-host breakout via access to the host MSRs.
https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html?m=1
KVM guest-to-host breakout via access to the host MSRs.
https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html?m=1
Blogspot
An EPYC escape: Case-study of a KVM breakout
Posted by Felix Wilhelm, Project Zero Introduction KVM (for Kernel-based Virtual Machine) is the de-facto standard hypervisor for Linux-...
Linux Kernel Heap Out-Of-Bounds Write in xt_compat_target_from_user()
Very old vulnerability, it can be exploited for LPE. Kernels starting from v2.6.19 are affected.
https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528
Very old vulnerability, it can be exploited for LPE. Kernels starting from v2.6.19 are affected.
https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528
KMSAN, a look under the hood
A talk about the internals of KernelMemorySanitizer — a tool that finds uses of uninitialized memory and information leaks. By Alexander Potapenko.
Recording: https://www.youtube.com/watch?v=LNs2U-3m3yg
Slides: https://github.com/ramosian-glider/talks-and-presentations/blob/master/2021/KernelMemorySanitizer_a_look_under_the_hood.pdf
A talk about the internals of KernelMemorySanitizer — a tool that finds uses of uninitialized memory and information leaks. By Alexander Potapenko.
Recording: https://www.youtube.com/watch?v=LNs2U-3m3yg
Slides: https://github.com/ramosian-glider/talks-and-presentations/blob/master/2021/KernelMemorySanitizer_a_look_under_the_hood.pdf
YouTube
KMSAN, a look under the hood
Alexander Potapenko from Google Munich give a talk at FaMAF-UNC in Argentina about his new huge-patchset to detect uninitialized memory in the Linux kernel, KMSAN.
Alexander was invited by Eclypsium and the low-level subjects of the CS degree in FaMAF-UNC.…
Alexander was invited by Eclypsium and the low-level subjects of the CS degree in FaMAF-UNC.…
Exploitation of a double free vulnerability in Ubuntu shiftfs driver
A very detailed article by Vincent Dehors. The author describes his exploit for Pwn2Own Vancouver, where he got LPE on Ubuntu Groovy 20.10.
https://www.synacktiv.com/publications/exploitation-of-a-double-free-vulnerability-in-ubuntu-shiftfs-driver-cve-2021-3492.html
A very detailed article by Vincent Dehors. The author describes his exploit for Pwn2Own Vancouver, where he got LPE on Ubuntu Groovy 20.10.
https://www.synacktiv.com/publications/exploitation-of-a-double-free-vulnerability-in-ubuntu-shiftfs-driver-cve-2021-3492.html
Synacktiv
Exploitation of a double free vulnerability in Ubuntu shiftfs driver
CVE-2021-22555: Turning \x00\x00 into 10000$ by Andy Nguyen
CVE-2021-22555 is a 15 years old heap out-of-bounds write vulnerability in Linux Netfilter that is powerful enough to bypass all modern security mitigations and achieve kernel code execution. It was used to break the kubernetes pod isolation of the kCTF cluster and won 10000$.
https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Amazingly, Andy independently reinvented the msgsnd() exploitation technique, that I created in January for my CVE-2021-26708 exploit:
https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html
CVE-2021-22555 is a 15 years old heap out-of-bounds write vulnerability in Linux Netfilter that is powerful enough to bypass all modern security mitigations and achieve kernel code execution. It was used to break the kubernetes pod isolation of the kCTF cluster and won 10000$.
https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Amazingly, Andy independently reinvented the msgsnd() exploitation technique, that I created in January for my CVE-2021-26708 exploit:
https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html
security-research
CVE-2021-22555: Turning \x00\x00 into 10000$
This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.
Sequoia: A deep root in Linux's filesystem layer (CVE-2021-33909)
Qualys security advisory about a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer.
By creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
Report: https://www.openwall.com/lists/oss-security/2021/07/20/1
Qualys security advisory about a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer.
By creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
Report: https://www.openwall.com/lists/oss-security/2021/07/20/1
Kernel Pwning with eBPF: a Love Story by Valentina Palmiotti
The detailed overview of eBPF from the exploit developer's perspective and the analysis of the CVE-2021-3490 exploit for Ubuntu 20.10.
https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
The detailed overview of eBPF from the exploit developer's perspective and the analysis of the CVE-2021-3490 exploit for Ubuntu 20.10.
https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
[BugTales] Da Vinci Hits a Nerve: Exploiting Huawei’s NPU Driver by Gyorgy Miru
A detailed article about exploiting vulnerabilities in the Linux kernel driver for Huawei Neural-network Processing Unit.
https://labs.taszk.io/articles/post/exploiting_huaweis_npu_driver/
A detailed article about exploiting vulnerabilities in the Linux kernel driver for Huawei Neural-network Processing Unit.
https://labs.taszk.io/articles/post/exploiting_huaweis_npu_driver/
labs.taszk.io
[BugTales] Da Vinci Hits a Nerve: Exploiting Huawei’s NPU Driver
A deep dive into the exploitation of Huawei's NPU kernel driver
Variant analysis of the 'Sequoia' bug
Using CodeQL to rediscover the Sequoia bug recently disclosed by Qualys. As well as finding a few other ones. By Jordy Zomer.
https://pwning.systems/posts/sequoia-variant-analysis/
Using CodeQL to rediscover the Sequoia bug recently disclosed by Qualys. As well as finding a few other ones. By Jordy Zomer.
https://pwning.systems/posts/sequoia-variant-analysis/
pwning.systems
Variant analysis of the 'Sequoia' bug
I imagine we've all heard about the recent 'Sequoia' bug discovered by the Qualys Research team. It's a fascinating bug so I decided to do variant analysis using CodeQL!
Fuzzing Linux with Xen
A DEF CON talk about fuzzing the Linux kernel over DMA-based interfaces with Xen. By Tamas K Lengyel.
Video: https://www.youtube.com/watch?v=_dXC_I2ybr4
Slides: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Tamas%20K%20Lengyel%20-%20Fuzzing%20Linux%20with%20Xen.pdf
A DEF CON talk about fuzzing the Linux kernel over DMA-based interfaces with Xen. By Tamas K Lengyel.
Video: https://www.youtube.com/watch?v=_dXC_I2ybr4
Slides: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Tamas%20K%20Lengyel%20-%20Fuzzing%20Linux%20with%20Xen.pdf
YouTube
DEF CON 29 - Tamas K Lengyel - Fuzzing Linux with Xen
Last year we've successfully upstreamed a new feature to Xen that allows high-speed fuzzing of virtual machines (VMs) using VM-forking. Recently through collaboration with the Xen community external monitoring of VMs via Intel(r) Processor Trace has also…
Linux Security Summit 2021
The schedule for Linux Security Summit has been published. The summit will be happening from Sep 29th to Oct 1st.
I'll be giving a talk about the new MTE-based KASAN mode on the last day.
The schedule for Linux Security Summit has been published. The summit will be happening from Sep 29th to Oct 1st.
I'll be giving a talk about the new MTE-based KASAN mode on the last day.
LF Events
Schedule | LF Events
All session times are listed below in Mountain Daylight Time (PDT). To view the schedule at your preferred time, please choose your location on the right-hand navigation panel under “Timezone”.
Two DEF CON talks about eBPF-based rootkits
#1: "eBPF, I thought we were friends!" (video) by Guillaume Fournier and Sylvain Afchain
#2: "Warping Reality: Creating and Countering the Next Generation of Linux Rootkits" (video) by Pat Hogan
Both are about building a rootkit via malicious eBPF programs. The programs are constrained to what the verifier permits (i.e., no AARW), but the allowed functionality is enough to mess with userspace daemons for LPE and with network packets for C&C.
#1: "eBPF, I thought we were friends!" (video) by Guillaume Fournier and Sylvain Afchain
#2: "Warping Reality: Creating and Countering the Next Generation of Linux Rootkits" (video) by Pat Hogan
Both are about building a rootkit via malicious eBPF programs. The programs are constrained to what the verifier permits (i.e., no AARW), but the allowed functionality is enough to mess with userspace daemons for LPE and with network packets for C&C.
YouTube
DEF CON 29 - Guillaume Fournier, Sylvain Afchain, Sylvain Baubeau - eBPF, I thought we were friends!
Since its first appearance in Kernel 3.18, eBPF (Extended Berkley Packet Filter) has progressively become a key technology for observability in the Linux kernel. Initially dedicated to network monitoring, eBPF can now be used to monitor and trace any kind…
Big improvements in my Linux Kernel Defence Map showing:
🔴Vulnerability classes
🟠Exploitation techniques
🟣Bug detection mechanisms
🟢Defence technologies
Now it represents Linux v5.12.
I added KASAN_HW_TAGS with ARM64_MTE, AUTOSLAB, KFENCE and many more
https://github.com/a13xp0p0v/linux-kernel-defence-map
🔴Vulnerability classes
🟠Exploitation techniques
🟣Bug detection mechanisms
🟢Defence technologies
Now it represents Linux v5.12.
I added KASAN_HW_TAGS with ARM64_MTE, AUTOSLAB, KFENCE and many more
https://github.com/a13xp0p0v/linux-kernel-defence-map
GitHub
GitHub - a13xp0p0v/linux-kernel-defence-map: Linux Kernel Defence Map shows the relationships between vulnerability classes, exploitation…
Linux Kernel Defence Map shows the relationships between vulnerability classes, exploitation techniques, bug detection mechanisms, and defence technologies - a13xp0p0v/linux-kernel-defence-map
How AUTOSLAB Changes the Memory Unsafety Game
An article about AUTOSLAB — a grsecurity hardening feature, which prevents certain heap-based exploitation scenarios.
Besides having purely grsecurity-related info, it contains an analysis of the techniques used in the heap-based exploits from the last 5 years.
By Zhenpeng Lin.
An article about AUTOSLAB — a grsecurity hardening feature, which prevents certain heap-based exploitation scenarios.
Besides having purely grsecurity-related info, it contains an analysis of the techniques used in the heap-based exploits from the last 5 years.
By Zhenpeng Lin.
grsecurity.net
grsecurity - How AUTOSLAB Changes the Memory Unsafety Game
In this guest blog, Zhenpeng Lin details the three-month evaluation he performed of AUTOSLAB during a research internship with Open Source Security, Inc. AUTOSLAB is a compiler-plugin-enhanced feature of grsecurity introduced in 2020 that provides some interesting…
Samsung S10+/S9 kernel 4.14 (Android 10) Kernel Function Address (.text) and Heap Address Information Leak
An article about an info-leak in the ptrace subsystem. The bug was fixed upstream two years ago, but it still affects some Red Hat and Samsung kernels, as those didn't backport the fix.
An article about an info-leak in the ptrace subsystem. The bug was fixed upstream two years ago, but it still affects some Red Hat and Samsung kernels, as those didn't backport the fix.
SSD Secure Disclosure
SSD Advisory – Samsung S10+/S9 kernel 4.14 (Android 10) Kernel Function Address (.text) and Heap Address Information Leak - SSD…
Find out how a vulnerability discovered in Samsung S10+/S9 kernel allows leaking of sensitive function address information.
Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG
I improved my PoC exploit for CVE-2021-26708, added a full-power ROP chain, and implemented a new method of bypassing the Linux Kernel Runtime Guard (LKRG).
Article: https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html
Slides for ZeroNights conference: https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf
I improved my PoC exploit for CVE-2021-26708, added a full-power ROP chain, and implemented a new method of bypassing the Linux Kernel Runtime Guard (LKRG).
Article: https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html
Slides for ZeroNights conference: https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf
Alexander Popov
Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG
This is the follow-up to my research described in the article "Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux kernel." My PoC exploit for CVE-2021-26708 had a very limited facility for privilege escalation, and I decided to continue my experiments…
The Art of Exploiting UAF by Ret2bpf in Android Kernel by Xingyu Jin and Richard Neal
Slides for the talk about exploiting an Android kernel UAF bug (CVE-2021-0399) through ret2bpf.
https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20The%20Art%20of%20Exploiting%20UAF%20by%20Ret2bpf%20in%20Android%20Kernel%20-%20Xingyu%20Jin%20&%20Richard%20Neal.pdf
Slides for the talk about exploiting an Android kernel UAF bug (CVE-2021-0399) through ret2bpf.
https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20The%20Art%20of%20Exploiting%20UAF%20by%20Ret2bpf%20in%20Android%20Kernel%20-%20Xingyu%20Jin%20&%20Richard%20Neal.pdf
Linux Kernel Security
The Art of Exploiting UAF by Ret2bpf in Android Kernel by Xingyu Jin and Richard Neal Slides for the talk about exploiting an Android kernel UAF bug (CVE-2021-0399) through ret2bpf. https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20…
YouTube
#HITB2021SIN D1T1 - Exploiting UAF By Ret2bpf In Android Kernel - Xingyu Jin & Richard Neal
In early 2021, an external researcher reported to Google three lines of code indicating the xt_qtaguid kernel module, used for monitoring network socket status, had a Use-After-Free vulnerability (CVE-2021-0399) for 10 years. Unfortunately, the researcher…
Solving the Kernote CTF task from 0CTF/TCTF Final 2021 by Matteo Rizzo
Nice writeup about exploiting UAF in the Linux kernel and using pt_regs for the ROP chain.
https://org.anize.rs/0CTF-2021-finals/pwn/kernote
Nice writeup about exploiting UAF in the Linux kernel and using pt_regs for the ROP chain.
https://org.anize.rs/0CTF-2021-finals/pwn/kernote
Organisers
CTF Team