Sequoia: A deep root in Linux's filesystem layer (CVE-2021-33909)
Qualys security advisory about a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer.
By creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
Report: https://www.openwall.com/lists/oss-security/2021/07/20/1
Kernel Pwning with eBPF: a Love Story by Valentina Palmiotti
The detailed overview of eBPF from the exploit developer's perspective and the analysis of the CVE-2021-3490 exploit for Ubuntu 20.10.
https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
[BugTales] Da Vinci Hits a Nerve: Exploiting Huawei’s NPU Driver by Gyorgy Miru
A detailed article about exploiting vulnerabilities in the Linux kernel driver for Huawei Neural-network Processing Unit.
https://labs.taszk.io/articles/post/exploiting_huaweis_npu_driver/
Variant analysis of the 'Sequoia' bug
Using CodeQL to rediscover the Sequoia bug recently disclosed by Qualys. As well as finding a few other ones. By Jordy Zomer.
https://pwning.systems/posts/sequoia-variant-analysis/
Fuzzing Linux with Xen
A DEF CON talk about fuzzing the Linux kernel over DMA-based interfaces with Xen. By Tamas K Lengyel.
Video: https://www.youtube.com/watch?v=_dXC_I2ybr4
Slides: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Tamas%20K%20Lengyel%20-%20Fuzzing%20Linux%20with%20Xen.pdf
Linux Security Summit 2021
The schedule for Linux Security Summit has been published. The summit will be happening from Sep 29th to Oct 1st.
I'll be giving a talk about the new MTE-based KASAN mode on the last day.
Two DEF CON talks about eBPF-based rootkits
#1: "eBPF, I thought we were friends!" (video) by Guillaume Fournier and Sylvain Afchain
#2: "Warping Reality: Creating and Countering the Next Generation of Linux Rootkits" (video) by Pat Hogan
Both are about building a rootkit via malicious eBPF programs. The programs are constrained to what the verifier permits (i.e., no arbitrary address read/write primitive, AARW), but the allowed functionality is enough to tamper with userspace daemons for LPE and with network packets for C&C.
Big improvements in my Linux Kernel Defence Map showing:
🔴Vulnerability classes
🟠Exploitation techniques
🟣Bug detection mechanisms
🟢Defence technologies
Now it represents Linux v5.12.
I added KASAN_HW_TAGS with ARM64_MTE, AUTOSLAB, KFENCE and many more.
https://github.com/a13xp0p0v/linux-kernel-defence-map
How AUTOSLAB Changes the Memory Unsafety Game
An article about AUTOSLAB — a grsecurity hardening feature, which prevents certain heap-based exploitation scenarios.
Besides having purely grsecurity-related info, it contains an analysis of the techniques used in the heap-based exploits from the last 5 years.
By Zhenpeng Lin.
Samsung S10+/S9 kernel 4.14 (Android 10) Kernel Function Address (.text) and Heap Address Information Leak
An article about an info-leak in the ptrace subsystem. The bug was fixed upstream two years ago, but it still affects some Red Hat and Samsung kernels, as those didn't backport the fix.
Published as an SSD Secure Disclosure advisory.
Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG
I improved my PoC exploit for CVE-2021-26708, added a full-power ROP chain, and implemented a new method of bypassing the Linux Kernel Runtime Guard (LKRG).
Article: https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html
Slides for ZeroNights conference: https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf
The Art of Exploiting UAF by Ret2bpf in Android Kernel by Xingyu Jin and Richard Neal
Slides for the talk about exploiting an Android kernel UAF bug (CVE-2021-0399) through ret2bpf.
https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20The%20Art%20of%20Exploiting%20UAF%20by%20Ret2bpf%20in%20Android%20Kernel%20-%20Xingyu%20Jin%20&%20Richard%20Neal.pdf
A recording of the talk (#HITB2021SIN D1T1) is also available on YouTube.
Solving the Kernote CTF task from 0CTF/TCTF Final 2021 by Matteo Rizzo
Nice writeup about exploiting UAF in the Linux kernel and using pt_regs for the ROP chain.
https://org.anize.rs/0CTF-2021-finals/pwn/kernote
Mitigating Linux kernel memory corruptions with Arm Memory Tagging
Memory tagging is coming to kill all of your favorite Linux kernel exploits.
I'll be premiering my "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" LSS talk on YouTube in 24 hours. Please join in! I'll be in the YouTube chat during the talk to answer questions.
https://www.youtube.com/watch?v=UwMt0e_dC_Q
The video is now public. The slides are here.
Slides (Google Docs): "2021, Linux Security Summit: Mitigating Linux kernel memory corruptions with Arm Memory Tagging", Andrey Konovalov, xairy.io, October 1st 2021.
Linux Plumbers 2021
A few security-related talks from the Linux Plumbers conference this year:
- Detecting semantic bugs using differential fuzzing by Mara Mihali [video] [slides]
- Compiler Features for Kernel Security by Kees Cook [slides] [video]
- Rust for Linux by Miguel Ojeda [slides] [video]
- Android drivers in Rust by Wedson Almeida Filho [slides] [video]
- A proof-carrying approach to building correct and flexible BPF verifiers by Luke Nelson [slides] [video]
And there are many generic Linux and Android kernel–related talks, see the schedule and YouTube.
Linux Plumbers Conference 2021 was held virtually, 20-24 September.
pkill_on_warn
I've got an idea that can improve Linux kernel security and safety. It's inspired by exploit development practice.
See my patch introducing pkill_on_warn: https://lore.kernel.org/linux-doc/20210929185823.499268-1-alex.popov@linux.com/T/#u
It provoked an interesting discussion with the Linux kernel rockstars, including Linus.
An eBPF fuzzer
A proof-of-concept fuzzer targeting bugs in eBPF JIT. Implemented by zerons. Inspired by a related article by Simon Scannell.
Repository: GitHub, snorez/ebpf-fuzzer ("fuzz the linux kernel bpf verifier").
How a simple Linux kernel memory corruption bug can lead to complete system compromise
An article by Jann Horn describing an exploit for a locking bug leading to a corrupted reference counter in the TTY subsystem. The article also thoroughly discusses ways to mitigate memory corruption bugs.
The exploit frees a buggy slab object, leaving a dangling reference to it, flushes the page containing the object back to the page allocator, reallocates that page so it gets filled with a page table, and then corrupts the page table via the dangling reference to gain write access to the text segment of a setuid binary.
Published on the Project Zero blog (Blogspot), subtitled "An analysis of current and potential kernel security mitigations".
SuDump: Exploiting suid binaries through the kernel
An article by Itai Greenhut covering a logical bug in the Linux kernel coredump generation code.
The researchers failed to find a way to exploit the bug in default distro configurations, but they showed how to gain root privileges on Ubuntu when a user is allowed to run at least one binary as root through sudo.
Exciting to see a logical bug as a change from all those countless memory corruptions.
Published by Aleph Security (alephsecurity).