Locating the kernel PGD on Android/aarch64
A post-exploitation technique for locating Android kernel page tables.
https://duasynt.com/blog/android-pgd-page-tables
Bonus: GDB noscript for getting the PTE entry based on a virtual address: https://github.com/duasynt/gdb_noscripts/
A post-exploitation technique for locating Android kernel page tables.
https://duasynt.com/blog/android-pgd-page-tables
Bonus: GDB noscript for getting the PTE entry based on a virtual address: https://github.com/duasynt/gdb_noscripts/
MTE-based KASAN merged into mainline
My two patchsets that add a new Hardware Tag-Based KASAN mode that's based on arm64 Memory Tagging Extension have been merged. Eventually, MTE is planned to be used as an in-kernel memory corruption mitigation.
These cover letters describe the changes:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=11f094e312ae834531672aee711079c00ca39ff8
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c696de9f12b7ddeddc05d378fc4dc0f66e9a8c95
My two patchsets that add a new Hardware Tag-Based KASAN mode that's based on arm64 Memory Tagging Extension have been merged. Eventually, MTE is planned to be used as an in-kernel memory corruption mitigation.
These cover letters describe the changes:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=11f094e312ae834531672aee711079c00ca39ff8
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c696de9f12b7ddeddc05d378fc4dc0f66e9a8c95
CVEhound
A tool for checking the Linux kernel source code for known CVEs. The tool uses coccinelle rules and grep to detect the code patterns of known unpatched CVEs. Developed by Denis Efremov.
https://github.com/evdenis/cvehound
A tool for checking the Linux kernel source code for known CVEs. The tool uses coccinelle rules and grep to detect the code patterns of known unpatched CVEs. Developed by Denis Efremov.
https://github.com/evdenis/cvehound
GitHub
GitHub - evdenis/cvehound: Check linux sources dump for known CVEs.
Check linux sources dump for known CVEs. Contribute to evdenis/cvehound development by creating an account on GitHub.
Exploit for CVE-2020-27194
Simon Scannell published an exploit for the eBPF JIT bug he had previously found via fuzzing.
Exploit: https://github.com/scannells/exploits/tree/master/CVE-2020-27194
Article: https://scannell.me/fuzzing-for-ebpf-jit-bugs-in-the-linux-kernel/
Simon Scannell published an exploit for the eBPF JIT bug he had previously found via fuzzing.
Exploit: https://github.com/scannells/exploits/tree/master/CVE-2020-27194
Article: https://scannell.me/fuzzing-for-ebpf-jit-bugs-in-the-linux-kernel/
GitHub
exploits/CVE-2020-27194 at master · scannells/exploits
Some exploits I have written to showcase and to share - scannells/exploits
Android Security Bulletin — January 2021
Includes fixes for an info-leak in core dumps found by KMSAN, some speculative execution attacks, and for a bunch of Qualcomm drivers.
https://source.android.com/security/bulletin/2021-01-01
Includes fixes for an info-leak in core dumps found by KMSAN, some speculative execution attacks, and for a bunch of Qualcomm drivers.
https://source.android.com/security/bulletin/2021-01-01
A Samsung RKP Compendium
A blog post that covers the internals of the Samsung Real-time Kernel Protection (RKP) and exploitation of a bug in RKP that allows getting code execution in EL2 (hypervisor).
https://blog.longterm.io/samsung_rkp.html
A blog post that covers the internals of the Samsung Real-time Kernel Protection (RKP) and exploitation of a bug in RKP that allows getting code execution in EL2 (hypervisor).
https://blog.longterm.io/samsung_rkp.html
In-the-Wild Series: Android Exploits
P0 published the analysis of an exploit chain detected in-the-wild. All Android kernel exploits in the chain are based on N-day bugs.
Android kernel bugs: https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html
Full series: https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html
P0 published the analysis of an exploit chain detected in-the-wild. All Android kernel exploits in the chain are based on N-day bugs.
Android kernel bugs: https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html
Full series: https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html
Blogspot
In-the-Wild Series: Android Exploits
This is part 4 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other pa...
Hack The Box — RopeTwo
A write-up for a Hack The Box lab that included a vulnerable kernel module.
https://0xdf.gitlab.io/2021/01/16/htb-ropetwo.html
A write-up for a Hack The Box lab that included a vulnerable kernel module.
https://0xdf.gitlab.io/2021/01/16/htb-ropetwo.html
0xdf hacks stuff
HTB: RopeTwo
RopeTwo, much like Rope, was just a lot of binary exploitation. It starts with a really neat attack on Google’s v8 JavaScript engine, with a couple of newly added vulnerable functions to allow out of bounds read and write. I’ll use that with an XSS vulnerability…
eBPF: bug in the BPF_RSH instruction
The bug affects kernels from 4.9 to 4.13 and requires CAP_SYS_ADMIN to be triggered. Found by Ryota Shiga and reported to ZDI in April 2020.
https://www.zerodayinitiative.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier
The bug affects kernels from 4.9 to 4.13 and requires CAP_SYS_ADMIN to be triggered. Found by Ryota Shiga and reported to ZDI in April 2020.
https://www.zerodayinitiative.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier
Zero Day Initiative
Zero Day Initiative — ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier
In April 2020, the ZDI received a Linux kernel submission that turned out to be an incorrect calculation bug in the extended Berkeley Packet Filter (eBPF) verifier. If you’re not familiar with it, eBPF is a Linux subsystem that is designed to safely execute…
Exploiting CVE-2014-3153 (Towelroot)
An exploit write-up for an old bug that was originally used to root Android phones. This exploit, however, targets 32-bit Ubuntu. By Elon Gliksberg.
https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html
An exploit write-up for an old bug that was originally used to root Android phones. This exploit, however, targets 32-bit Ubuntu. By Elon Gliksberg.
https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html
Elon Gliksberg
Exploiting CVE-2014-3153 (Towelroot)
Understanding The Kernel
Learning Linux Kernel Exploitation
Linux kernel exploitation tutorials. Part 1 covers the basic ret2usr technique, part 2 expands it with SMEP and KPTI bypasses.
Part 1: https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/
Part 2: https://lkmidas.github.io/posts/20210128-linux-kernel-pwn-part-2/
Linux kernel exploitation tutorials. Part 1 covers the basic ret2usr technique, part 2 expands it with SMEP and KPTI bypasses.
Part 1: https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/
Part 2: https://lkmidas.github.io/posts/20210128-linux-kernel-pwn-part-2/
My cool site
Learning Linux Kernel Exploitation - Part 1
The first part of the series about learning Linux kernel exploitation through hxpCTF2020 kernel-rop: Setting up the environment and the simplest technique of ret2usr
Exploiting Samsung NPU memory corruption
Another write-up that covers the Samsung NPU vulnerability ( CVE-2020-28343/SVE-2020-18610) previously found and reported by P0.
https://github.com/vngkv123/articles/blob/main/Galaxy's%20Meltdown%20-%20Exploiting%20SVE-2020-18610.md
Another write-up that covers the Samsung NPU vulnerability ( CVE-2020-28343/SVE-2020-18610) previously found and reported by P0.
https://github.com/vngkv123/articles/blob/main/Galaxy's%20Meltdown%20-%20Exploiting%20SVE-2020-18610.md
Android Security Bulletin — February 2021
One kernel bug in IPv6 and a bunch of issues in Qualcomm drivers.
https://source.android.com/security/bulletin/2021-02-01#kernel-components
One kernel bug in IPv6 and a bunch of issues in Qualcomm drivers.
https://source.android.com/security/bulletin/2021-02-01#kernel-components
VDSO As A Potential KASLR Oracle
A research that shows how to use Spectre to leak VDSO kernel address on arm64. By Philip Pettersson and Alex Radocea.
https://www.longterm.io/vdso_sidechannel.html
A research that shows how to use Spectre to leak VDSO kernel address on arm64. By Philip Pettersson and Alex Radocea.
https://www.longterm.io/vdso_sidechannel.html
Linux kernel: Exploitable vulnerabilities in AF_VSOCK implementation
In January I found, exploited, fixed and responsibly disclosed Linux kernel vulnerabilities in virtual sockets.
Public announcement: https://seclists.org/oss-sec/2021/q1/107
My PoC exploit gains LPE on Fedora Server 33 for x86_64 bypassing SMEP and SMAP. I'll share all the details later.
// by @a13xp0p0v
In January I found, exploited, fixed and responsibly disclosed Linux kernel vulnerabilities in virtual sockets.
Public announcement: https://seclists.org/oss-sec/2021/q1/107
My PoC exploit gains LPE on Fedora Server 33 for x86_64 bypassing SMEP and SMAP. I'll share all the details later.
// by @a13xp0p0v
Learning Linux Kernel Exploitation: Part 3
The final part of the Linux kernel exploitation tutorial series. Covers bypassing KASLR and FG-KASLR (Function Granular KASLR, not currently in the mainline).
Part 3: https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/
FG-KASLR: https://lwn.net/Articles/832434/
The final part of the Linux kernel exploitation tutorial series. Covers bypassing KASLR and FG-KASLR (Function Granular KASLR, not currently in the mainline).
Part 3: https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/
FG-KASLR: https://lwn.net/Articles/832434/
My cool site
Learning Linux Kernel Exploitation - Part 3
The final part of the series about learning Linux kernel exploitation through hxpCTF2020 kernel-rop: Full protection
Security things in Linux v5.8
A list of security-related novelties merged into mainline in version 5.8. (5.11 is about to be released, so the list is lagging behind a bit.) By Kees Cook.
https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/
A list of security-related novelties merged into mainline in version 5.8. (5.11 is about to be released, so the list is lagging behind a bit.) By Kees Cook.
https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/
DiceCTF 2021 — HashBrown
A write-up for a Linux kernel exploitation task with a race condition leading to a memory corruption. Enabled protections include FG-KASLR, KPTI, SMEP, SMAP, and
https://www.willsroot.io/2021/02/dicectf-2021-hashbrown-writeup-from.html
A write-up for a Linux kernel exploitation task with a race condition leading to a memory corruption. Enabled protections include FG-KASLR, KPTI, SMEP, SMAP, and
SLAB_FREELIST_RANDOM.https://www.willsroot.io/2021/02/dicectf-2021-hashbrown-writeup-from.html
www.willsroot.io
DiceCTF 2021 HashBrown Writeup: From Kernel Module Hashmap Resize Race Condition to FG-KASLR Bypass
Vulnerability Research on Low-Level Systems
kernel pwn — CTF task collection
A collection of Linux kernel exploitation CTF tasks and write-ups. The write-ups are in Japanese.
https://github.com/smallkirby/kernelpwn
A collection of Linux kernel exploitation CTF tasks and write-ups. The write-ups are in Japanese.
https://github.com/smallkirby/kernelpwn
GitHub
GitHub - smallkirby/kernelpwn: kernel-pwn and writeup collection
kernel-pwn and writeup collection. Contribute to smallkirby/kernelpwn development by creating an account on GitHub.
Linux Foundation Mentorship Series:
Fuzzing Linux Kernel
March 2, 2021 | 7:30 – 9:00 AM PST
by Andrey Konovalov (aka @xairy), Senior Software Engineer, Google
https://events.linuxfoundation.org/mentorship-session-fuzzing-linux-kernel/
Fuzzing Linux Kernel
March 2, 2021 | 7:30 – 9:00 AM PST
by Andrey Konovalov (aka @xairy), Senior Software Engineer, Google
https://events.linuxfoundation.org/mentorship-session-fuzzing-linux-kernel/
LF Events
Mentorship Session: Fuzzing Linux Kernel | LF Events
A complimentary live mentorship session that connects subject matter experts with attendees through a live webinar and Q&A session.
Linux Kernel Exploitation Technique by overwriting modprobe_path
A blog post with a self-explanatory name by Dang Le.
https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/
A blog post with a self-explanatory name by Dang Le.
https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/
My cool site
Linux Kernel Exploitation Technique: Overwriting modprobe_path
A popular and powerful technique to exploit the Linux kernel through modprobe_path