Linux Kernel Security – Telegram
Links related to Linux kernel security and exploitation | Chat @linkersec_chat | @xairy @a13xp0p0v
We now have a chat for comments and discussions: @linkersec_chat
Debugging the Kernel with QEMU by Keith Makan

The first post of a potential upcoming Linux kernel exploitation series. Building and running Linux kernel in QEMU. Debugging a kernel module with GDB.

https://blog.k3170makan.com/2020/11/linux-kernel-exploitation-0x0-debugging.html
Finding and exploiting a bug in an old Android phone

Finding and exploiting a Linux kernel bug in an old Motorola phone. A stream, live right now! By Brandon Falk.

Live: https://www.twitch.tv/gamozo
Part 1: https://www.youtube.com/watch?v=g62FXds2pt8
Part 2: https://www.youtube.com/watch?v=qnyFk-f3Koo
Samsung NPU (Neural Processing Unit) memory corruption in shared memory parsing

P0 researchers Ben Hawkes and Brandon Azad found a few kernel bugs affecting Galaxy S10 and Galaxy S20. The report includes a proof-of-concept exploit that obtains kernel read/write/execute primitive.

Info: https://bugs.chromium.org/p/project-zero/issues/detail?id=2073
Exploit: https://bugs.chromium.org/p/project-zero/issues/detail?id=2073#c1
Explaining the exploit and rants by Brandon Falk

Brandon Falk summarizes the work done on a bug in an old Motorola phone he found and exploited on stream a couple of days ago.

https://www.youtube.com/watch?v=t-t7D0vQNmo
grsecurity is nominated for a PWNIE Award 2020 as the Lamest Vendor Response

Nomination
https://pwnies.com/nominations/active/lamest-vendor-response/open-source-security-inc-grsecurity-pax

Report
Control-Flow Integrity for the Linux kernel: A Security Evaluation (by Federico Bento): https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf
Brandon Falk continues hacking an old Motorola phone

The first two streams, which included writing a kernel exploit to get arbitrary code execution, were posted above. These further streams cover extracting a snapshot of the phone, including all physical memory and register state, and running it in QEMU. The streams are quite long, but can be partially skipped through to get an idea of what he's doing.

Stream 3: https://www.youtube.com/watch?v=RLzZPSPI8ds
Stream 4: https://www.youtube.com/watch?v=NJjpkzuc1k4
Stream 5, part 1: https://www.youtube.com/watch?v=6TzdYokXoF8
Stream 5, part 2: https://www.youtube.com/watch?v=hlW8ktQkyPA
Stream 6: https://www.youtube.com/watch?v=kATF_EIltHc
A Systematic Study of Elastic Objects in Kernel Exploitation

A paper that describes an approach to finding suitable slab objects to assist with exploitation of memory corruptions to achieve information leaks.

Paper: https://dl.acm.org/doi/pdf/10.1145/3372297.3423353
Video: https://www.youtube.com/watch?v=yXhH0IJAxkE
Kernel Exploitation With A File System Fuzzer

More research on fuzzing the kernel by mounting corrupted filesystems. In the first part they describe the approach, but the slides could be better, so it's hard to understand what exactly they're doing (something based on Janus [1]?). The second part discusses the exploitability of some of the found bugs and demos RIP control for one of them.

Slides: https://cyberweek.ae/materials/2020/D1T2%20-%20Kernel%20Exploitation%20with%20a%20File%20System%20Fuzzer.pdf
Video: https://www.youtube.com/watch?v=95f1b4FcrQ4

[1] https://taesoo.kim/pubs/2019/xu:janus.pdf
Healer — a kernel fuzzer inspired by syzkaller

Written in Rust. Based on a quick look through the code, it seems to be a syzkaller clone in an early stage of development.

https://github.com/SunHao-0/healer
HITCON CTF 2020 — Linux kernel tasks

There were two kernel-related tasks: spark and atoms. spark required exploiting a memory corruption (see the writeups). atoms required causing a soft lockup and triggering the watchdog.

Sources and solutions: https://github.com/david942j/ctf-writeups/tree/master/hitcon-2020/
Mini-writeup and exploit for spark #1: https://github.com/BrieflyX/ctf-pwns/tree/master/kernel/spark
Mini-writeup (at the end) and exploit for spark #2: https://gist.github.com/sampritipanda/9fb8f1f92aef6591246e74ed5847c910
io_uring: ->mm and ->files access across suid boundaries

A bug in the io_uring subsystem that allows stealing open file descriptors from privileged processes. Reported by Jann Horn from P0. Only affects 5.8+.

https://bugs.chromium.org/p/project-zero/issues/detail?id=2089
BSidesTLV CTF 2020 — Kapara

A Linux kernel exploitation task targeting a custom written vulnerable module with a use-after-free bug.

Video writeup by Gal Zaban: https://media.handmade-seattle.com/linux-kernel-adventures/
Text writeup by JCTF Team: https://jctf.team/BSidesTLV-2020/Kapara/
Android Security Bulletin — December 2020

Includes a few kernel entries: an issue in the audit subsystem found by syzbot, a couple of USB/HID bugs, and a couple of epoll issues. There's also a bug in Qualcomm Crypto Engine Device (see the Qualcomm components section).

https://source.android.com/security/bulletin/2020-12-01#kernel-components
Three Dark clouds over the Android kernel

Yao Jun, PoC conference 2020

A good talk about Kernel Space Mirror Attack (KSMA) and SLAB Mirror Attack (SMA) against the Linux kernel.

Slides:
https://github.com/2freeman/Slides/blob/main/PoC-2020-Three%20Dark%20clouds%20over%20the%20Android%20kernel.pdf
Shared mapping leak in Qualcomm Adreno GPU

Another bug in Adreno GPU disclosed by Ben Hawkes from Project Zero — an infoleak this time. The fun part: Qualcomm's attempt to fix this introduced an exploitable use-after-free.

https://bugs.chromium.org/p/project-zero/issues/detail?id=2092
Kernel Integrity Enforcement with HLAT

Protecting the kernel from page-table-based attacks with Hypervisor-managed Linear Address Translation (HLAT), an Intel VT-x extension. A concept by Gao Chao from Intel.

Video: https://www.youtube.com/watch?v=N8avvE_neV0
Slides: https://static.sched.com/hosted_files/osseu2020/ce/LSSEU20_kernel%20integrity%20enforcement%20with%20HLAT%20in%20a%20virtual%20machine_v3.pdf