Bootkitty: Analyzing the first UEFI bootkit for Linux
Martin Smolár and Peter Strýček published a report about a PoC UEFI bootkit targeting Linux systems. The bootkit patches GRUB, disables the signature checking for Linux kernel modules, and loads malicious userspace libraries into the init process.
This bootkit turned out to be created by Korean cybersecurity students.
Martin Smolár and Peter Strýček published a report about a PoC UEFI bootkit targeting Linux systems. The bootkit patches GRUB, disables the signature checking for Linux kernel modules, and loads malicious userspace libraries into the init process.
This bootkit turned out to be created by Korean cybersecurity students.
👍12
The Qualcomm DSP Driver — Unexpectedly Excavating an Exploit
An article by Seth Jenkins about investigating kernel crash logs produced by an In-The-Wild exploit that targeted the adsprpc Qualcomm driver and finding several vulnerabities in that driver.
An article by Seth Jenkins about investigating kernel crash logs produced by an In-The-Wild exploit that targeted the adsprpc Qualcomm driver and finding several vulnerabities in that driver.
👍10🔥1
Finding Bugs in Kernel series
A series of introductory articles by Slava Moskvin about using KASAN and syzkaller for finding kernel vulnerabilities.
A series of introductory articles by Slava Moskvin about using KASAN and syzkaller for finding kernel vulnerabilities.
👍24🔥1
KernelSnitch: Side-Channel Attacks on Kernel Data Structures
Paper by Lukas Maar et al. about using a timing side-channel for leaking addresses of exploitation-relevant kernel structures.
Paper by Lukas Maar et al. about using a timing side-channel for leaking addresses of exploitation-relevant kernel structures.
👍16🔥4
ksmbd vulnerability research
Article by Norbert Szetei about fuzzing the ksmbd module with syzkaller and finding a few memory corruption vulnerabilities.
Article by Norbert Szetei about fuzzing the ksmbd module with syzkaller and finding a few memory corruption vulnerabilities.
🔥9👍6
Accidentally uncovering a seven years old vulnerability in the Linux kernel
Article by Anderson Nascimento about finding and analyzing a slab use-after-free vulnerability in the TCP sockets implementation.
Article by Anderson Nascimento about finding and analyzing a slab use-after-free vulnerability in the TCP sockets implementation.
🔥22👍2
Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793)
Article by Ng Zhi Yang about exploiting a logical bug in the Arm Mali GPU driver discovered a few years ago.
The bug allows gaining write permissions to a read-only memory region. The article explains how to exploit this bug from the untrusted_app context on Pixel 6 to load an arbitrary kernel module to disable SELinux and spawn a root reverse shell.
Article by Ng Zhi Yang about exploiting a logical bug in the Arm Mali GPU driver discovered a few years ago.
The bug allows gaining write permissions to a read-only memory region. The article explains how to exploit this bug from the untrusted_app context on Pixel 6 to load an arbitrary kernel module to disable SELinux and spawn a root reverse shell.
🔥6🤯5👍4
Patch-Gapping the Google Container-Optimized OS for $0
Detailed article by h0mbre about exploiting a slab use-after-free in the network scheduler subsystem to target the COS 105 kernelCTF instance.
Detailed article by h0mbre about exploiting a slab use-after-free in the network scheduler subsystem to target the COS 105 kernelCTF instance.
🔥10👍2
Is this memory safety here in the room with us?
Halvar Flake posted slides for his keynote talk about the recent trends to resolve the problem of memory corruptions: existing solutions, their limitations, and trade-offs.
While this talk does not directly focus on the Linux kernel, the shared points are relevant in the kernel context too.
Halvar Flake posted slides for his keynote talk about the recent trends to resolve the problem of memory corruptions: existing solutions, their limitations, and trade-offs.
While this talk does not directly focus on the Linux kernel, the shared points are relevant in the kernel context too.
🔥11👍3
Linux kernel hfsplus slab-out-of-bounds Write
Outstanding article by Attila Szasz about exploiting a slab out-of-bounds bug in the HFS+ filesystem driver.
The author discovered that Ubuntu allows local (not remote/SSH'd) non-privileged users to mount arbitrary filesystems via udisks2 due to the used polkit rules. This includes filesystems whose mounting normally requires CAP_SYS_ADMIN in the init user namespace.
The article thoroughly describes a variety of techniques used in the exploit, including a cross-cache attack, page_alloc-level memory shaping, arbitrary write via red-black trees, and modprobe_path privilege escalation.
Outstanding article by Attila Szasz about exploiting a slab out-of-bounds bug in the HFS+ filesystem driver.
The author discovered that Ubuntu allows local (not remote/SSH'd) non-privileged users to mount arbitrary filesystems via udisks2 due to the used polkit rules. This includes filesystems whose mounting normally requires CAP_SYS_ADMIN in the init user namespace.
The article thoroughly describes a variety of techniques used in the exploit, including a cross-cache attack, page_alloc-level memory shaping, arbitrary write via red-black trees, and modprobe_path privilege escalation.
🔥14
Linux kernel Rust module for rootkit detection
Article by Antoine Doglioli about implementing an in-kernel detector for many existing rootkits. The detector is written in Rust.
Article by Antoine Doglioli about implementing an in-kernel detector for many existing rootkits. The detector is written in Rust.
🔥8🤯4👎1🤔1
When Good Kernel Defences Go Bad: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks
Awesome paper by Lukas Maar et al. about leaking exploitation-relevant kernel addresses via a TLB side-channel attack.
Authors demonstrate how to leak the addresses of the physmap, vmemmap, and vmalloc memory regions, addresses of page tables of all levels, addresses of kernel stacks, and addresses of various kernel objects including msg_msg, pipe_buffer, cred, file, and seq_file.
Authors then show how to apply the discovered techniques in exploits; the code is public.
Awesome paper by Lukas Maar et al. about leaking exploitation-relevant kernel addresses via a TLB side-channel attack.
Authors demonstrate how to leak the addresses of the physmap, vmemmap, and vmalloc memory regions, addresses of page tables of all levels, addresses of kernel stacks, and addresses of various kernel objects including msg_msg, pipe_buffer, cred, file, and seq_file.
Authors then show how to apply the discovered techniques in exploits; the code is public.
👍6🔥6
Three bypasses of Ubuntu's unprivileged user namespace restrictions
Article about bypassing the recent Ubuntu's restriction on getting capabilities in unprivileged user namespaces.
Article about bypassing the recent Ubuntu's restriction on getting capabilities in unprivileged user namespaces.
🔥14👍1🤔1
Kernel-Hack-Drill: Environment For Developing Linux Kernel Exploits
Alexander Popov (me) published the slides from his talk at Zer0Con 2025. In this talk, he presented the kernel-hack-drill open-source project and showed how it helped him to exploit CVE-2024-50264 in the Linux kernel.
Alexander Popov (me) published the slides from his talk at Zer0Con 2025. In this talk, he presented the kernel-hack-drill open-source project and showed how it helped him to exploit CVE-2024-50264 in the Linux kernel.
🔥32👍4🤔2🎉1
Exploiting CVE-2024-0582 via the Dirty Pagetable Method
Kuzey Arda Bulut posted an article about exploiting CVE-2024-0582 in io_uring using the Dirty Pagetable technique.
This bug was previously reported by Jann Horn and exploited by Oriol Castejón.
Kuzey Arda Bulut posted an article about exploiting CVE-2024-0582 in io_uring using the Dirty Pagetable technique.
This bug was previously reported by Jann Horn and exploited by Oriol Castejón.
🔥15