Race conditions in Linux Kernel perf events
Nils Ole Timm published an article about exploiting a perf events race condition provoking a kernel page UAF.
The researcher also published a limited PoC exploit for kernel configurations that don't turn on check_pages_enabled.
GitHub - Binary-Gecko/perf_PoC
SELinux bypasses
An amazing article by Klecko about different approaches to bypassing SELinux in Android kernel exploits.
The author lists multiple ways to disable SELinux via an arbitrary address read/write primitive and shows which of them are detected by the Samsung and Huawei hypervisors (spoiler: not all 😁).
More Bang for Your Bug!
Slides for the talk at the Linux Plumbers conference by Eduardo Vela and Space Meyer about kernelCTF, kernel attack surface, and exploit mitigations.
Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel
A talk (video) by Pedro Pinto about exploiting a slab use-after-free bug in the traffic control subsystem.
The author performed multiple cross-cache attacks to ultimately get an arbitrary read/write primitive via pipe_buffer->page and escalate privileges via modprobe_path.
Pedro also shared his experience submitting this bug to the KernelCTF bug bounty program.
Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel
A talk (video) by Mingi Cho and Wongi Lee about exploiting a slab use-after-free bug in the netfilter subsystem and an out-of-bounds bug in the traffic control subsystem.
The researchers managed to exploit both bugs on the kernelCTF mitigation instance. Notably, they relied on cross-CPU slab/page_alloc shaping techniques in both exploits.
1day vuln dev: DirtyCOW
A video by SideQuest covering the author's approach to analyzing the DirtyCow vulnerability.
Defects-in-Depth: Analyzing the Integration of Effective Defenses against One-Day Exploits in Android Kernels
An outstanding paper by Lukas Maar et al. about analyzing the exploitation techniques used in public 1-day Android kernel exploits over the last few years and cross-referencing them with the mitigations implemented by various Android vendors 🔥
Novel approach to exploit a limited OOB on Ubuntu at Pwn2Own Vancouver 2024
Slides from a talk by Pumpkin Chang about exploiting a stack out-of-bounds write bug in the traffic control subsystem.
Pumpkin shaped vmalloc memory to make the stack out-of-bounds access land in an eBPF bytecode allocation and used the write primitive to overwrite the eBPF bytecode as it was being JITed.
OtterRoot: Netfilter Universal Root 1-day
An article by Pedro Pinto about exploiting a slab double-free bug in the netfilter subsystem.
Pedro wrote two exploits for this bug: one that relies on ROP and that was used to exploit a kernelCTF instance, and the other that gets physical memory arbitrary read/write without relying on any offsets.
A peek into the state of Linux kernel security and the open-source patch-gap. We explore how we monitored commits to find new bug fixes and achieved 0day-like capabilities by exploiting a 1-day vulnerability.
Diving into Linux kernel security
Alexander Popov (me) published his H2HC talk slides that describe how to get started with learning Linux kernel security and knowingly configure the security parameters of Linux-based systems.
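As an added example for this entry (not code from the slides, and not any tool of the author's), here is a small checker that reads a kernel .config and reports the exploit-mitigation options that are off. The option list is my own selection, tied to techniques named elsewhere in this digest (CONFIG_STATIC_USERMODEHELPER defeats modprobe_path overwrites, CONFIG_RANDOM_KMALLOC_CACHES and the freelist options raise the cost of slab shaping). The sample .config is constructed for illustration.

```python
"""Report missing exploit-mitigation options in a Linux kernel .config.

Added example for this digest entry; the option list is an illustrative
selection, and SAMPLE_CONFIG is constructed, not a real distribution config.
"""
import re

# (option, expected value, why it matters). "n" means: should be absent or
# "is not set". Some options only exist on newer kernels (see the reason text).
HARDENING_CHECKS = [
    ("CONFIG_RANDOMIZE_BASE", "y", "KASLR: a leak is needed before any offset-based write"),
    ("CONFIG_STACKPROTECTOR_STRONG", "y", "stack canaries against stack buffer overflows"),
    ("CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT", "y", "per-syscall kernel stack offset randomization"),
    ("CONFIG_SLAB_FREELIST_HARDENED", "y", "freelist pointer obfuscation and double-free checks"),
    ("CONFIG_SLAB_FREELIST_RANDOM", "y", "randomized slab freelists hinder heap grooming"),
    ("CONFIG_RANDOM_KMALLOC_CACHES", "y", "several kmalloc caches per size class (Linux 6.6+)"),
    ("CONFIG_INIT_ON_ALLOC_DEFAULT_ON", "y", "zero heap memory on allocation"),
    ("CONFIG_HARDENED_USERCOPY", "y", "bounds-check copy_to/from_user against slab objects"),
    ("CONFIG_STATIC_USERMODEHELPER", "y", "makes overwriting modprobe_path useless"),
    ("CONFIG_MODULE_SIG_FORCE", "y", "refuse unsigned kernel modules"),
    ("CONFIG_STRICT_KERNEL_RWX", "y", "no writable and executable kernel mappings"),
    ("CONFIG_BPF_UNPRIV_DEFAULT_OFF", "y", "unprivileged eBPF is a large attack surface"),
    ("CONFIG_DEBUG_LIST", "y", "linked-list corruption checks"),
    ("CONFIG_DEVKMEM", "n", "/dev/kmem is a write-what-where for root (removed in 5.13)"),
]

_SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text):
    """Return {option: value}; options marked 'is not set' map to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_config(text, checks=HARDENING_CHECKS):
    """Return (option, actual, expected, reason) for every failed check.

    An option absent from the file counts as 'n': it may simply not exist on
    this kernel version, so read the reason before acting on a finding.
    """
    opts = parse_config(text)
    findings = []
    for option, expected, reason in checks:
        actual = opts.get(option, "n")
        if actual != expected:
            findings.append((option, actual, expected, reason))
    return findings


# Constructed sample: a plausible but deliberately weak config fragment.
SAMPLE_CONFIG = """\
CONFIG_RANDOMIZE_BASE=y
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_STATIC_USERMODEHELPER is not set
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
CONFIG_DEBUG_LIST=y
CONFIG_DEVKMEM=y
"""

if __name__ == "__main__":
    import os
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else f"/boot/config-{os.uname().release}"
    with open(path) as f:
        text = f.read()
    for option, actual, expected, reason in check_config(text):
        print(f"{option}={actual} (want {expected}): {reason}")
```

Run it against /boot/config-$(uname -r) or a kernel build tree's .config; on the constructed sample it flags the missing stack-offset randomization, the absent per-size kmalloc caches, the non-static usermode helper, unforced module signatures and /dev/kmem.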
Bootkitty: Analyzing the first UEFI bootkit for Linux
Martin Smolár and Peter Strýček published a report about a PoC UEFI bootkit targeting Linux systems. The bootkit patches GRUB, disables the signature checking for Linux kernel modules, and loads malicious userspace libraries into the init process.
This bootkit turned out to be created by Korean cybersecurity students.
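A runtime sanity check for the two kernel-side knobs that such a bootkit has to get past, module signature enforcement and lockdown, as an added example that is not part of the ESET report. It assumes the usual file formats: /sys/module/module/parameters/sig_enforce holds Y or N, /sys/kernel/security/lockdown lists the modes with the active one in brackets, and /proc/sys/kernel/tainted is a decimal bitmask in which bit 13 (flag E) marks a loaded unsigned module and bit 1 (flag F) a force-loaded one. The sample file contents are constructed.

```python
"""Audit module-signing and lockdown state on a running Linux system.

Added example for this digest entry; not code from the report. The file
formats assumed are described in the function docstrings, and the SAMPLE_*
tuples are constructed file contents, not captures from a real machine.
"""

TAINT_FORCED_MODULE = 1 << 1      # flag F: a module was force-loaded
TAINT_UNSIGNED_MODULE = 1 << 13   # flag E: an unsigned module was loaded


def sig_enforce_enabled(text):
    """/sys/module/module/parameters/sig_enforce contains 'Y' or 'N'."""
    return text.strip().upper() == "Y"


def lockdown_mode(text):
    """/sys/kernel/security/lockdown looks like 'none [integrity] confidentiality'.

    Returns the bracketed (active) mode, or 'none' if the file is absent or empty.
    """
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return "none"


def taint_flags(text):
    """/proc/sys/kernel/tainted is a decimal bitmask of TAINT_* bits."""
    value = int(text.strip() or "0")
    return {
        "unsigned_module": bool(value & TAINT_UNSIGNED_MODULE),
        "forced_module": bool(value & TAINT_FORCED_MODULE),
    }


def audit(sig_enforce_text, lockdown_text, tainted_text):
    """Return a list of findings; an empty list means every knob looks intact."""
    findings = []
    if not sig_enforce_enabled(sig_enforce_text):
        findings.append("module signature enforcement is off (sig_enforce=N or absent)")
    if lockdown_mode(lockdown_text) == "none":
        findings.append("kernel lockdown is 'none': root can still write kernel memory")
    flags = taint_flags(tainted_text)
    if flags["unsigned_module"]:
        findings.append("an unsigned module has been loaded (taint flag E)")
    if flags["forced_module"]:
        findings.append("a module was force-loaded (taint flag F)")
    return findings


def read_or(path, default):
    """Read a sysfs/procfs file; a missing file is treated as the weak default."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return default


# Constructed sample contents for (sig_enforce, lockdown, tainted).
SAMPLE_INTACT = ("Y\n", "none [integrity] confidentiality\n", "0\n")
SAMPLE_TAMPERED = ("N\n", "[none] integrity confidentiality\n",
                   f"{TAINT_UNSIGNED_MODULE | TAINT_FORCED_MODULE}\n")

if __name__ == "__main__":
    findings = audit(
        read_or("/sys/module/module/parameters/sig_enforce", "N"),
        read_or("/sys/kernel/security/lockdown", "none"),
        read_or("/proc/sys/kernel/tainted", "0"),
    )
    print("\n".join(findings) if findings else "module signing and lockdown look intact")
```

The caveat is the one the Bootkitty description itself implies: a bootkit that patches the kernel's signature check in memory can leave sig_enforce reading Y, so this catches weak configuration and unsigned-module loads, not a patched kernel. Only a boot chain anchored in firmware (Secure Boot with a trustworthy db/dbx, measured boot) addresses that.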
The Qualcomm DSP Driver — Unexpectedly Excavating an Exploit
An article by Seth Jenkins about investigating kernel crash logs produced by an In-The-Wild exploit that targeted the adsprpc Qualcomm driver and finding several vulnerabilities in that driver.
Finding Bugs in Kernel series
A series of introductory articles by Slava Moskvin about using KASAN and syzkaller for finding kernel vulnerabilities.
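Once KASAN and syzkaller start producing crashes, the first job is triage. As an added example (not code from the series, and not syzkaller's own report parser), here is a parser for the KASAN report layout: a "BUG: KASAN: <bug-type> in <function>+0x<off>/0x<size>" header, a "<Read|Write> of size N at addr ... by task <name>/<pid>" line, and, for slab objects, a "which belongs to the cache <name> of size N" line. The classification table maps each bug type to the kind of primitive the rest of this digest talks about. The log is constructed; the function names in it are placeholders, not real kernel symbols.

```python
"""Triage KASAN reports out of a dmesg / syzkaller crash log.

Added example for this digest entry; not the series' code and not syzkaller's
parser. SAMPLE_LOG is constructed and its function names are placeholders.
"""
import re

HEADER_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(
    r"(?P<access>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<task>\S+)/(?P<pid>\d+)")
CACHE_RE = re.compile(r"which belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)")

# What the KASAN bug type says about the exploitation primitive.
PRIMITIVE = {
    "slab-use-after-free": "UAF on a slab object: cross-cache / object replacement",
    "use-after-free": "UAF: object replacement candidate",
    "slab-out-of-bounds": "OOB inside a slab: neighbouring object overwrite",
    "stack-out-of-bounds": "OOB on the kernel stack: stack/vmalloc shaping",
    "vmalloc-out-of-bounds": "OOB in vmalloc: adjacent vmalloc allocations",
    "double-free": "double free: freelist corruption",
}


def parse_reports(log):
    """Return one dict per KASAN report found in the log, in order."""
    reports = []
    cur = None
    for line in log.splitlines():
        m = HEADER_RE.search(line)
        if m:
            cur = {"kind": m.group("kind"), "func": m.group("func"),
                   "access": None, "size": None, "addr": None, "task": None,
                   "cache": None, "objsize": None,
                   "primitive": PRIMITIVE.get(m.group("kind"), "unclassified")}
            reports.append(cur)
            continue
        if cur is None:
            continue
        m = ACCESS_RE.search(line)
        if m:
            cur.update(access=m.group("access"), size=int(m.group("size")),
                       addr=m.group("addr"), task=m.group("task"))
            continue
        m = CACHE_RE.search(line)
        if m:
            cur.update(cache=m.group("cache"), objsize=int(m.group("objsize")))
    return reports


def summarize(reports):
    """One triage line per report: bug type, function, access, where, primitive."""
    lines = []
    for r in reports:
        where = f"{r['cache']} ({r['objsize']} bytes)" if r["cache"] else "non-slab memory"
        lines.append(f"{r['kind']} in {r['func']}: {r['access']} of {r['size']} bytes"
                     f" in {where}; {r['primitive']}")
    return lines


# Constructed log: two reports with dmesg timestamps; symbols are placeholders.
SAMPLE_LOG = """\
[   42.102938] ==================================================================
[   42.103012] BUG: KASAN: slab-use-after-free in example_ioctl+0x1a2/0x1f60
[   42.103101] Read of size 8 at addr ffff888010a3c0c0 by task syz-executor/1234
[   42.103200] CPU: 1 PID: 1234 Comm: syz-executor Not tainted 6.6.0 #1
[   42.104000] Allocated by task 1234:
[   42.104500] Freed by task 1234:
[   42.105000] The buggy address belongs to the object at ffff888010a3c000
[   42.105001]  which belongs to the cache kmalloc-256 of size 256
[   42.106000] ==================================================================
[   43.000000] BUG: KASAN: stack-out-of-bounds in example_stack_fn+0x4c/0x200
[   43.000100] Write of size 4 at addr ffffc90000a1fe40 by task syz-executor/1300
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(summarize(parse_reports(text))))
```

Feed it a syzkaller crash log or `dmesg` output; the first report in the sample resolves to an 8-byte read on a freed kmalloc-256 object, the second to a 4-byte stack write with no slab cache, which is exactly the distinction that decides between a cross-cache strategy and stack/vmalloc shaping.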
KernelSnitch: Side-Channel Attacks on Kernel Data Structures
Paper by Lukas Maar et al. about using a timing side-channel for leaking addresses of exploitation-relevant kernel structures.
ksmbd vulnerability research
Article by Norbert Szetei about fuzzing the ksmbd module with syzkaller and finding a few memory corruption vulnerabilities.
Accidentally uncovering a seven years old vulnerability in the Linux kernel
Article by Anderson Nascimento about finding and analyzing a slab use-after-free vulnerability in the TCP sockets implementation.