Linux Kernel Security – Telegram
Links related to Linux kernel security and exploitation | Chat @linkersec_chat | @xairy @a13xp0p0v
Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg

Sergi Martinez published an article about exploiting CVE-2022-32250, a slab use-after-free in the netfilter subsystem. Unlike the existing public exploits for this bug, Sergi's exploit targets the kernel version 5.18.1, where both the vulnerable object and msg_msg are allocated in kmalloc-cg-* slab caches.
DirtyCred Remastered: how to turn an UAF into Privilege Escalation

LukeGix and Alessandro Groppo published two articles about exploiting CVE-2022-2602, another use-after-free in the io_uring subsystem.

They used inode locking for pausing a kernel thread during UAF exploitation. To escalate privileges, the researchers employed the DirtyCred file exploitation technique.
Exploiting null-dereferences in the Linux kernel

Seth Jenkins published an article about turning a refcount incrementing side-effect of a null-deref kernel bug into a slab double-free.
Pwning the all Google phone with a non-Google bug

An article by Man Yue Mo about getting root from the untrusted app domain on Pixel 6 via a slab use-after-free in the Arm Mali GPU driver.

The researcher also points out a patch gap in Android and provides a list of bugs that were exploitable for months after becoming public.
The code that wasn't there: Reading memory on an Android device by accident

An article by Man Yue Mo about exploiting a missing cache flush in the Qualcomm Adreno GPU driver.

The author showed how to use the bug to leak kernel memory and bypass KASLR on Android.
Pwning Pixel 6 with a leftover patch

An article by Man Yue Mo about exploiting a logical bug in the Arm Mali GPU driver on Pixel 6.

Man Yue Mo used the bug to make the GPU access freed memory and gained root from the untrusted_app context.
Linux IPv6 "Route of Death" 0day

Max VA @maxpl0it published an article describing a remote DoS vulnerability in the code handling IPv6 routing headers.
Privilege escalation exploit for CVE-2023-0386 in OverlayFS

A privilege escalation exploit by xkaneiki for a logical bug in OverlayFS. Exploitation requires unprivileged user namespaces to be enabled.

Following the exploit, Ryan Simon et al. published an article describing the exploitation process.
Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel

A talk (slides) by Moshe Kol about exploiting a slab use-after-free bug in the Android Binder IPC.

The exploit achieves kernel arbitrary read/write primitives from the untrusted_app context and obtains root privileges on Pixel 6.

Moshe also published an article about the exploit.
Exploit Engineering – Attacking the Linux Kernel

A talk (slides) by Alex Plaskett and Cedric Halbronn about approaches to finding, triaging, and exploiting Linux kernel bugs.

During the talk, the speakers announced libslub — a GDB extension for examining SLUB object addresses and metadata.
Abusing Linux In-Kernel SMB Server to Gain Kernel Remote Code Execution

A talk by Guillaume Teissier and Quentin Minster about remotely exploiting two slab corruption bugs in the KSMBD module.

The exploit achieves remote code execution but requires having valid SMB authentication credentials to trigger the bugs.
Rooting with root cause: finding a variant of a Project Zero bug

Yet another article by Man Yue Mo about exploiting the Arm Mali GPU driver.

Man Yue Mo used a race condition bug to make the GPU access freed memory and gained root from the untrusted_app context on Pixel 6.
CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver

An article about exploiting a logical bug in the fault handler implementation of udmabuf mappings.

The exploit shared by Eloi Sanfelix gains root on Ubuntu. Triggering the bug requires the user to be in the kvm group.
UNCONTAINED: Uncovering Container Confusion in the Linux Kernel

A paper (overview) by Jakob Koschel, Pietro Borrello, et al. about finding type confusion bugs in container_of invocations.
Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel

An article by Nicolas Wu about the Dirty Pagetable exploitation technique.

Dirty Pagetable enables using a slab bug to overwrite userspace Page Table Entries and gain arbitrary read/write access to physical memory.

To demonstrate the technique, Nicolas Wu and Ye Zhang wrote a few exploits, including one for CVE-2023-21400, a racy slab double-free in the io_uring subsystem. The exploit gains root on Pixel 7.
No CVE for this bug which has never been in the official kernel

Javier P Rufo published an article about exploiting a slab use-after-free bug in the ptrace subsystem via a cross-cache attack.
A new method for container escape using file-based DirtyCred

An article by Choo Yi Kai about escaping a Docker container by overwriting /proc/sys/kernel/modprobe via the DirtyCred exploitation technique.

The article also describes a way to delay the page fault handler via FALLOC_FL_PUNCH_HOLE to win a race condition, similar to the commonly used userfaultfd- and FUSE-based techniques.
StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability

An article by Ruihan Li about exploiting StackRot — a locking bug in the virtual memory management subsystem that leads to a UAF-by-RCU vulnerability.

The author also shared an exploit that acquires root privileges in the Google kCTF challenge.
GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux

An article by Sagi Tzadik and Shir Tamari about finding and exploiting two logical bugs in the OverlayFS implementation on Ubuntu kernels.