Linux Kernel Security – Telegram
Linux Kernel Security
Links related to Linux kernel security and exploitation | Chat @linkersec_chat | @xairy @a13xp0p0v
Brandon Falk continues hacking an old Motorola phone

The first two streams, which included writing a kernel exploit to get arbitrary code execution, were posted above. These cover extracting a snapshot of the phone, including all physical memory and register state, and running it in QEMU. The streams are quite long, but can be partially skipped through to get an idea of what he's doing.

Stream 3: https://www.youtube.com/watch?v=RLzZPSPI8ds
Stream 4: https://www.youtube.com/watch?v=NJjpkzuc1k4
Stream 5, part 1: https://www.youtube.com/watch?v=6TzdYokXoF8
Stream 5, part 2: https://www.youtube.com/watch?v=hlW8ktQkyPA
Stream 6: https://www.youtube.com/watch?v=kATF_EIltHc
A Systematic Study of Elastic Objects in Kernel Exploitation

A paper that describes an approach to finding suitable slab objects to assist with exploitation of memory corruptions to achieve information leaks.

Paper: https://dl.acm.org/doi/pdf/10.1145/3372297.3423353
Video: https://www.youtube.com/watch?v=yXhH0IJAxkE
Kernel Exploitation With A File System Fuzzer

More research on fuzzing the kernel by mounting corrupted filesystems. In the first part they describe the approach, but the slides could be better, so it's hard to understand what exactly they're doing (something based on Janus [1]?). The second part discusses the exploitability of some of the found bugs and demos RIP control for one of them.

Slides: https://cyberweek.ae/materials/2020/D1T2%20-%20Kernel%20Exploitation%20with%20a%20File%20System%20Fuzzer.pdf
Video: https://www.youtube.com/watch?v=95f1b4FcrQ4

[1] https://taesoo.kim/pubs/2019/xu:janus.pdf
Healer — a kernel fuzzer inspired by syzkaller

Written in Rust. Based on a quick look through the code, it seems like a syzkaller clone in an early stage of development.

https://github.com/SunHao-0/healer
HITCON CTF 2020 — Linux kernel tasks

There were two kernel-related tasks: spark and atoms. spark required exploiting a memory corruption (see the writeups). atoms required causing a soft lockup and triggering the watchdog.

Sources and solutions: https://github.com/david942j/ctf-writeups/tree/master/hitcon-2020/
Mini-writeup and exploit for spark #1: https://github.com/BrieflyX/ctf-pwns/tree/master/kernel/spark
Mini-writeup (at the end) and exploit for spark #2: https://gist.github.com/sampritipanda/9fb8f1f92aef6591246e74ed5847c910
io_uring: ->mm and ->files access across suid boundaries

A bug in the io_uring subsystem that allows stealing open file descriptors from privileged processes. Reported by Jann Horn from P0. Only affects 5.8+.

https://bugs.chromium.org/p/project-zero/issues/detail?id=2089
BSidesTLV CTF 2020 — Kapara

A Linux kernel exploitation task targeting a custom written vulnerable module with a use-after-free bug.

Video writeup by Gal Zaban: https://media.handmade-seattle.com/linux-kernel-adventures/
Text writeup by JCTF Team: https://jctf.team/BSidesTLV-2020/Kapara/
Android Security Bulletin — December 2020

Includes a few kernel entries: an issue in the audit subsystem found by syzbot, a couple of USB/HID bugs, and a couple of epoll issues. There's also a bug in Qualcomm Crypto Engine Device (see the Qualcomm components section).

https://source.android.com/security/bulletin/2020-12-01#kernel-components
Three Dark clouds over the Android kernel

Yao Jun, PoC conference 2020

A good talk about Kernel Space Mirror Attack (KSMA) and SLAB Mirror Attack (SMA) against the Linux kernel.

Slides:
https://github.com/2freeman/Slides/blob/main/PoC-2020-Three%20Dark%20clouds%20over%20the%20Android%20kernel.pdf
Shared mapping leak in Qualcomm Adreno GPU

Another bug in Adreno GPU disclosed by Ben Hawkes from Project Zero — an infoleak this time. The fun part: Qualcomm's attempt to fix this introduced an exploitable use-after-free.

https://bugs.chromium.org/p/project-zero/issues/detail?id=2092
Kernel Integrity Enforcement with HLAT

Protecting the kernel from page-table-based attacks with the Hypervisor-managed Linear Address Translation (HLAT) Intel VT-x extension. A concept by Gao Chao from Intel.

Video: https://www.youtube.com/watch?v=N8avvE_neV0
Slides: https://static.sched.com/hosted_files/osseu2020/ce/LSSEU20_kernel%20integrity%20enforcement%20with%20HLAT%20in%20a%20virtual%20machine_v3.pdf
Exploiting a Single Instruction Race Condition in Binder

Yet another exploitable use-after-free in Binder. By Maxime Peterlin, Philip Pettersson, Alexandre Adamski, and Alex Radocea.

https://blog.longterm.io/cve-2020-0423.html
Broken locking in TIOCSPGRP leads to corrupted refcount

A vulnerability in the TTY subsystem. Potentially exploitable; an exploitation strategy is mentioned. By Jann Horn from Project Zero.

https://bugs.chromium.org/p/project-zero/issues/detail?id=2125
Locating the kernel PGD on Android/aarch64

A post-exploitation technique for locating Android kernel page tables.

https://duasynt.com/blog/android-pgd-page-tables

Bonus: GDB script for getting the PTE entry based on a virtual address: https://github.com/duasynt/gdb_scripts/
MTE-based KASAN merged into mainline

My two patchsets that add a new Hardware Tag-Based KASAN mode that's based on arm64 Memory Tagging Extension have been merged. Eventually, MTE is planned to be used as an in-kernel memory corruption mitigation.

These cover letters describe the changes:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=11f094e312ae834531672aee711079c00ca39ff8
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c696de9f12b7ddeddc05d378fc4dc0f66e9a8c95
CVEhound

A tool for checking the Linux kernel source code for known CVEs. The tool uses Coccinelle rules and grep to detect the code patterns of known unpatched CVEs. Developed by Denis Efremov.

https://github.com/evdenis/cvehound
Android Security Bulletin — January 2021

Includes fixes for an info-leak in core dumps found by KMSAN, some speculative execution attacks, and for a bunch of Qualcomm drivers.

https://source.android.com/security/bulletin/2021-01-01
A Samsung RKP Compendium

A blog post that covers the internals of the Samsung Real-time Kernel Protection (RKP) and exploitation of a bug in RKP that allows getting code execution in EL2 (hypervisor).

https://blog.longterm.io/samsung_rkp.html