Linux Kernel Heap Out-Of-Bounds Write in xt_compat_target_from_user()
A very old vulnerability; it can be exploited for LPE. Kernels starting from v2.6.19 are affected.
https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528
KMSAN, a look under the hood
A talk about the internals of KernelMemorySanitizer — a tool that finds uses of uninitialized memory and information leaks. By Alexander Potapenko.
Recording: https://www.youtube.com/watch?v=LNs2U-3m3yg
Slides: https://github.com/ramosian-glider/talks-and-presentations/blob/master/2021/KernelMemorySanitizer_a_look_under_the_hood.pdf
Exploitation of a double free vulnerability in Ubuntu shiftfs driver
A very detailed article by Vincent Dehors. The author describes his exploit for Pwn2Own Vancouver, where he got LPE on Ubuntu Groovy 20.10.
https://www.synacktiv.com/publications/exploitation-of-a-double-free-vulnerability-in-ubuntu-shiftfs-driver-cve-2021-3492.html
CVE-2021-22555: Turning \x00\x00 into 10000$ by Andy Nguyen
CVE-2021-22555 is a 15-year-old heap out-of-bounds write vulnerability in Linux Netfilter that is powerful enough to bypass all modern security mitigations and achieve kernel code execution. It was used to break the Kubernetes pod isolation of the kCTF cluster and won 10000$.
https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Amazingly, Andy independently reinvented the msgsnd() exploitation technique that I created in January for my CVE-2021-26708 exploit:
https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html
Sequoia: A deep root in Linux's filesystem layer (CVE-2021-33909)
Qualys security advisory about a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer.
By creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
Report: https://www.openwall.com/lists/oss-security/2021/07/20/1
Kernel Pwning with eBPF: a Love Story by Valentina Palmiotti
A detailed overview of eBPF from the exploit developer's perspective and an analysis of the CVE-2021-3490 exploit for Ubuntu 20.10.
https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
[BugTales] Da Vinci Hits a Nerve: Exploiting Huawei’s NPU Driver by Gyorgy Miru
A detailed article about exploiting vulnerabilities in the Linux kernel driver for Huawei Neural-network Processing Unit.
https://labs.taszk.io/articles/post/exploiting_huaweis_npu_driver/
Variant analysis of the 'Sequoia' bug
Using CodeQL to rediscover the Sequoia bug recently disclosed by Qualys, as well as finding a few other ones. By Jordy Zomer.
https://pwning.systems/posts/sequoia-variant-analysis/
Fuzzing Linux with Xen
A DEF CON talk about fuzzing the Linux kernel over DMA-based interfaces with Xen. By Tamas K Lengyel.
Video: https://www.youtube.com/watch?v=_dXC_I2ybr4
Slides: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Tamas%20K%20Lengyel%20-%20Fuzzing%20Linux%20with%20Xen.pdf
Linux Security Summit 2021
The schedule for Linux Security Summit has been published. The summit will be happening from Sep 29th to Oct 1st.
I'll be giving a talk about the new MTE-based KASAN mode on the last day.
Two DEF CON talks about eBPF-based rootkits
#1: "eBPF, I thought we were friends!" (video) by Guillaume Fournier and Sylvain Afchain
#2: "Warping Reality: Creating and Countering the Next Generation of Linux Rootkits" (video) by Pat Hogan
Both are about building a rootkit via malicious eBPF programs. The programs are constrained to what the verifier permits (i.e., no AARW), but the allowed functionality is enough to mess with userspace daemons for LPE and with network packets for C&C.
Big improvements in my Linux Kernel Defence Map showing:
🔴Vulnerability classes
🟠Exploitation techniques
🟣Bug detection mechanisms
🟢Defence technologies
Now it represents Linux v5.12.
I added KASAN_HW_TAGS with ARM64_MTE, AUTOSLAB, KFENCE, and many more.
https://github.com/a13xp0p0v/linux-kernel-defence-map
How AUTOSLAB Changes the Memory Unsafety Game
An article about AUTOSLAB — a grsecurity hardening feature, which prevents certain heap-based exploitation scenarios.
Besides having purely grsecurity-related info, it contains an analysis of the techniques used in the heap-based exploits from the last 5 years.
By Zhenpeng Lin.
Samsung S10+/S9 kernel 4.14 (Android 10) Kernel Function Address (.text) and Heap Address Information Leak
An article about an info-leak in the ptrace subsystem. The bug was fixed upstream two years ago, but it still affects some Red Hat and Samsung kernels, as those didn't backport the fix.
Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG
I improved my PoC exploit for CVE-2021-26708, added a full-power ROP chain, and implemented a new method of bypassing the Linux Kernel Runtime Guard (LKRG).
Article: https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html
Slides for ZeroNights conference: https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf
The Art of Exploiting UAF by Ret2bpf in Android Kernel by Xingyu Jin and Richard Neal
Slides for the talk about exploiting an Android kernel UAF bug (CVE-2021-0399) through ret2bpf.
https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20The%20Art%20of%20Exploiting%20UAF%20by%20Ret2bpf%20in%20Android%20Kernel%20-%20Xingyu%20Jin%20&%20Richard%20Neal.pdf
Solving the Kernote CTF task from 0CTF/TCTF Final 2021 by Matteo Rizzo
Nice writeup about exploiting UAF in the Linux kernel and using pt_regs for the ROP chain.
https://org.anize.rs/0CTF-2021-finals/pwn/kernote
Mitigating Linux kernel memory corruptions with Arm Memory Tagging
Memory tagging is coming to kill all of your favorite Linux kernel exploits.
I'll be premiering my "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" LSS talk on YouTube in 24 hours. Please join in! I'll be in the YouTube chat during the talk to answer questions.
https://www.youtube.com/watch?v=UwMt0e_dC_Q
The video is now public. The slides are here.
Linux Plumbers 2021
A few security-related talks from the Linux Plumbers conference this year:
- Detecting semantic bugs using differential fuzzing by Mara Mihali [video] [slides]
- Compiler Features for Kernel Security by Kees Cook [slides] [video]
- Rust for Linux by Miguel Ojeda [slides] [video]
- Android drivers in Rust by Wedson Almeida Filho [slides] [video]
- A proof-carrying approach to building correct and flexible BPF verifiers by Luke Nelson [slides] [video]
And there are many generic Linux and Android kernel–related talks, see the schedule and YouTube.