pipe_buffer arbitrary read write

Awarau published an article describing the arbitrary read/write technique using pipe_buffer.

Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse

An article by Mathias Krause about creating a mitigation for same-type same-address use-after-free bugs affecting the file and cred structures. Mathias also provided a set of exploits that was used to test the mitigation.

A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain

An article by Maddie Stone covering an exploit chain for Exynos-based Samsung phones that relies on two kernel bugs.

The exploit bypasses KASLR by triggering a warning and reading the report from the kernel log. The exploit then uses a use-after-free of the file structure in the DECON driver to gain AARW by controlling addr_limit.

Exploiting CVE-2022-42703 - Bringing back the stack attack

An article by Seth Jenkins about exploiting a slab use-after-free side effect of a logical bug in the memory subsystem found by Jann Horn.

Seth used a cross-cache attack to overwrite an anon_vma structure and gain a limited arbitrary-write primitive. Seth then modified the context saved to the fixed-address cpu_entry_area region during a hardware exception. This allowed to corrupt the size passed to copy_to/from_user calls and thus get controlled stack read and write buffer overflows.

The article additionally expands on how KASLR is useless against local attackers due to side-channel vulnerabilities.

EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)

An article about using Meltdown to bypass KASLR despite enabled KPTI.

This bypass method has been known for a while.

Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg

Sergi Martinez published an article about exploiting CVE-2022-32250, a slab use-after-free in the netfilter subsystem. Unlike the existing public exploits for this bug, Sergi's exploit targets the kernel version 5.18.1, where both the vulnerable object and msg_msg are allocated in kmalloc-cg-* slab caches.

DirtyCred Remastered: how to turn an UAF into Privilege Escalation

LukeGix and Alessandro Groppo published two articles about exploiting CVE-2022-2602, another use-after-free in the io_uring subsystem.

They used inode locking for pausing a kernel thread during UAF exploitation. To escalate privileges, the researchers employed the DirtyCred file exploitation technique.

Exploiting null-dereferences in the Linux kernel

Seth Jenkins published an article about turning a refcount incrementing side-effect of a null-deref kernel bug into a slab double-free.

Pwning the all Google phone with a non-Google bug

An article by Man Yue Mo about getting root from the untrusted app domain on Pixel 6 via a slab use-after-free in the Arm Mali GPU driver.

The researcher also points out a patch gap in Android and provides a list of bugs that were exploitable for months after becoming public.

The code that wasn't there: Reading memory on an Android device by accident

An article by Man Yue Mo about exploiting a missing cache flush in the Qualcomm Adreno GPU driver.

The author showed how to use the bug to leak kernel memory and bypass KASLR on Android.

Rooting the FiiO M6

Jack Maginnes published two articles about finding and exploiting a stack buffer-overflow in the old Android-based FiiO M6 MP3 player.

Pwning Pixel 6 with a leftover patch

An article by Man Yue Mo about exploiting a logical bug in the Arm Mali GPU driver on Pixel 6.

Man Yue Mo used the bug to make GPU access freed memory and gained root from the untrusted_app context.

Linux IPv6 "Route of Death" 0day

Max VA @maxpl0it published an article describing remote DoS vulnerability in the code handling IPv6 routing headers.

Privilege escalation exploit for CVE-2023-0386 in OverlayFS

A privilege escalation exploit by xkaneiki for a logical bug in OverlayFS. Exploitation requires unprivileged user namespaces enabled.

Following the exploit, Ryan Simon et al. published an article describing the exploitation process.

Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel

A talk (slides) by Moshe Kol about exploiting a slab use-after-free bug in the Android Binder IPC.

The exploit achieves kernel arbitrary read/write primitives from the unstrusted_app context and obtains root privileges on Pixel 6.

Moshe also published an article about their exploit.

Exploit Engineering – Attacking the Linux Kernel

A talk (slides) by Alex Plaskett and Cedric Halbronn about approaches to finding, triaging, and exploiting Linux kernel bugs.

During the talk, the speakers announced libslub — a GDB extension for examining SLUB object addresses and metadata.

Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution

A talk by Guillaume Teissier and Quentin Minster about remotely exploiting two slab corruption bugs in the KSMBD module.

The exploit achieves remote code execution but requires having valid SMB authentication credentials to trigger the bugs.

Rooting with root cause: finding a variant of a Project Zero bug

Yet another article by Man Yue Mo about exploiting the Arm Mali GPU driver.

Man Yue Mo used a race condition bug to make GPU access freed memory and gained root from the untrusted_app context on Pixel 6.

CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver

An article about exploiting a logical bug in the fault handler implementation of udmabuf mappings.

The exploit shared by Eloi Sanfelix gains root on Ubuntu. Triggering the bug requires the user to be in the kvm group.

Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability

An article by Vu Thi Lan about exploiting a slab use-after-free bug in the netfilter subsystem.

The shared exploit gains root on Ubuntu.

UNCONTAINED: Uncovering Container Confusion in the Linux Kernel

A paper (overview) by Jakob Koschel, Pietro Borrello, et al. about finding type confusion bugs in container_of invocations.