Android Security Bulletin — January 2021
Includes fixes for an info-leak in core dumps found by KMSAN, some speculative execution attacks, and for a bunch of Qualcomm drivers.
https://source.android.com/security/bulletin/2021-01-01
Includes fixes for an info-leak in core dumps found by KMSAN, some speculative execution attacks, and for a bunch of Qualcomm drivers.
https://source.android.com/security/bulletin/2021-01-01
A Samsung RKP Compendium
A blog post that covers the internals of the Samsung Real-time Kernel Protection (RKP) and exploitation of a bug in RKP that allows getting code execution in EL2 (hypervisor).
https://blog.longterm.io/samsung_rkp.html
A blog post that covers the internals of the Samsung Real-time Kernel Protection (RKP) and exploitation of a bug in RKP that allows getting code execution in EL2 (hypervisor).
https://blog.longterm.io/samsung_rkp.html
In-the-Wild Series: Android Exploits
P0 published the analysis of an exploit chain detected in-the-wild. All Android kernel exploits in the chain are based on N-day bugs.
Android kernel bugs: https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html
Full series: https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html
P0 published the analysis of an exploit chain detected in-the-wild. All Android kernel exploits in the chain are based on N-day bugs.
Android kernel bugs: https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html
Full series: https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html
Blogspot
In-the-Wild Series: Android Exploits
This is part 4 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other pa...
Hack The Box — RopeTwo
A write-up for a Hack The Box lab that included a vulnerable kernel module.
https://0xdf.gitlab.io/2021/01/16/htb-ropetwo.html
A write-up for a Hack The Box lab that included a vulnerable kernel module.
https://0xdf.gitlab.io/2021/01/16/htb-ropetwo.html
0xdf hacks stuff
HTB: RopeTwo
RopeTwo, much like Rope, was just a lot of binary exploitation. It starts with a really neat attack on Google’s v8 JavaScript engine, with a couple of newly added vulnerable functions to allow out of bounds read and write. I’ll use that with an XSS vulnerability…
eBPF: bug in the BPF_RSH instruction
The bug affects kernels from 4.9 to 4.13 and requires CAP_SYS_ADMIN to be triggered. Found by Ryota Shiga and reported to ZDI in April 2020.
https://www.zerodayinitiative.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier
The bug affects kernels from 4.9 to 4.13 and requires CAP_SYS_ADMIN to be triggered. Found by Ryota Shiga and reported to ZDI in April 2020.
https://www.zerodayinitiative.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier
Zero Day Initiative
Zero Day Initiative — ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier
In April 2020, the ZDI received a Linux kernel submission that turned out to be an incorrect calculation bug in the extended Berkeley Packet Filter (eBPF) verifier. If you’re not familiar with it, eBPF is a Linux subsystem that is designed to safely execute…
Exploiting CVE-2014-3153 (Towelroot)
An exploit write-up for an old bug that was originally used to root Android phones. This exploit, however, targets 32-bit Ubuntu. By Elon Gliksberg.
https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html
An exploit write-up for an old bug that was originally used to root Android phones. This exploit, however, targets 32-bit Ubuntu. By Elon Gliksberg.
https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html
Elon Gliksberg
Exploiting CVE-2014-3153 (Towelroot)
Understanding The Kernel
Learning Linux Kernel Exploitation
Linux kernel exploitation tutorials. Part 1 covers the basic ret2usr technique, part 2 expands it with SMEP and KPTI bypasses.
Part 1: https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/
Part 2: https://lkmidas.github.io/posts/20210128-linux-kernel-pwn-part-2/
Linux kernel exploitation tutorials. Part 1 covers the basic ret2usr technique, part 2 expands it with SMEP and KPTI bypasses.
Part 1: https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/
Part 2: https://lkmidas.github.io/posts/20210128-linux-kernel-pwn-part-2/
My cool site
Learning Linux Kernel Exploitation - Part 1
The first part of the series about learning Linux kernel exploitation through hxpCTF2020 kernel-rop: Setting up the environment and the simplest technique of ret2usr
Exploiting Samsung NPU memory corruption
Another write-up that covers the Samsung NPU vulnerability ( CVE-2020-28343/SVE-2020-18610) previously found and reported by P0.
https://github.com/vngkv123/articles/blob/main/Galaxy's%20Meltdown%20-%20Exploiting%20SVE-2020-18610.md
Another write-up that covers the Samsung NPU vulnerability ( CVE-2020-28343/SVE-2020-18610) previously found and reported by P0.
https://github.com/vngkv123/articles/blob/main/Galaxy's%20Meltdown%20-%20Exploiting%20SVE-2020-18610.md
Android Security Bulletin — February 2021
One kernel bug in IPv6 and a bunch of issues in Qualcomm drivers.
https://source.android.com/security/bulletin/2021-02-01#kernel-components
One kernel bug in IPv6 and a bunch of issues in Qualcomm drivers.
https://source.android.com/security/bulletin/2021-02-01#kernel-components
VDSO As A Potential KASLR Oracle
A research that shows how to use Spectre to leak VDSO kernel address on arm64. By Philip Pettersson and Alex Radocea.
https://www.longterm.io/vdso_sidechannel.html
A research that shows how to use Spectre to leak VDSO kernel address on arm64. By Philip Pettersson and Alex Radocea.
https://www.longterm.io/vdso_sidechannel.html
Linux kernel: Exploitable vulnerabilities in AF_VSOCK implementation
In January I found, exploited, fixed and responsibly disclosed Linux kernel vulnerabilities in virtual sockets.
Public announcement: https://seclists.org/oss-sec/2021/q1/107
My PoC exploit gains LPE on Fedora Server 33 for x86_64 bypassing SMEP and SMAP. I'll share all the details later.
// by @a13xp0p0v
In January I found, exploited, fixed and responsibly disclosed Linux kernel vulnerabilities in virtual sockets.
Public announcement: https://seclists.org/oss-sec/2021/q1/107
My PoC exploit gains LPE on Fedora Server 33 for x86_64 bypassing SMEP and SMAP. I'll share all the details later.
// by @a13xp0p0v
Learning Linux Kernel Exploitation: Part 3
The final part of the Linux kernel exploitation tutorial series. Covers bypassing KASLR and FG-KASLR (Function Granular KASLR, not currently in the mainline).
Part 3: https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/
FG-KASLR: https://lwn.net/Articles/832434/
The final part of the Linux kernel exploitation tutorial series. Covers bypassing KASLR and FG-KASLR (Function Granular KASLR, not currently in the mainline).
Part 3: https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/
FG-KASLR: https://lwn.net/Articles/832434/
My cool site
Learning Linux Kernel Exploitation - Part 3
The final part of the series about learning Linux kernel exploitation through hxpCTF2020 kernel-rop: Full protection
Security things in Linux v5.8
A list of security-related novelties merged into mainline in version 5.8. (5.11 is about to be released, so the list is lagging behind a bit.) By Kees Cook.
https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/
A list of security-related novelties merged into mainline in version 5.8. (5.11 is about to be released, so the list is lagging behind a bit.) By Kees Cook.
https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/
DiceCTF 2021 — HashBrown
A write-up for a Linux kernel exploitation task with a race condition leading to a memory corruption. Enabled protections include FG-KASLR, KPTI, SMEP, SMAP, and
https://www.willsroot.io/2021/02/dicectf-2021-hashbrown-writeup-from.html
A write-up for a Linux kernel exploitation task with a race condition leading to a memory corruption. Enabled protections include FG-KASLR, KPTI, SMEP, SMAP, and
SLAB_FREELIST_RANDOM.https://www.willsroot.io/2021/02/dicectf-2021-hashbrown-writeup-from.html
www.willsroot.io
DiceCTF 2021 HashBrown Writeup: From Kernel Module Hashmap Resize Race Condition to FG-KASLR Bypass
Vulnerability Research on Low-Level Systems
kernel pwn — CTF task collection
A collection of Linux kernel exploitation CTF tasks and write-ups. The write-ups are in Japanese.
https://github.com/smallkirby/kernelpwn
A collection of Linux kernel exploitation CTF tasks and write-ups. The write-ups are in Japanese.
https://github.com/smallkirby/kernelpwn
GitHub
GitHub - smallkirby/kernelpwn: kernel-pwn and writeup collection
kernel-pwn and writeup collection. Contribute to smallkirby/kernelpwn development by creating an account on GitHub.
Linux Foundation Mentorship Series:
Fuzzing Linux Kernel
March 2, 2021 | 7:30 – 9:00 AM PST
by Andrey Konovalov (aka @xairy), Senior Software Engineer, Google
https://events.linuxfoundation.org/mentorship-session-fuzzing-linux-kernel/
Fuzzing Linux Kernel
March 2, 2021 | 7:30 – 9:00 AM PST
by Andrey Konovalov (aka @xairy), Senior Software Engineer, Google
https://events.linuxfoundation.org/mentorship-session-fuzzing-linux-kernel/
LF Events
Mentorship Session: Fuzzing Linux Kernel | LF Events
A complimentary live mentorship session that connects subject matter experts with attendees through a live webinar and Q&A session.
Linux Kernel Exploitation Technique by overwriting modprobe_path
A blog post with a self-explanatory name by Dang Le.
https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/
A blog post with a self-explanatory name by Dang Le.
https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/
My cool site
Linux Kernel Exploitation Technique: Overwriting modprobe_path
A popular and powerful technique to exploit the Linux kernel through modprobe_path
Dynamic Program Analysis for Fun and Profit
Dmitry Vyukov talks about dynamic bug-detection tools for the Linux kernel. Part of the Linux Foundation Mentorship Series.
Video: https://www.youtube.com/watch?v=ufcyOkgFZ2Q
Slides: https://linuxfoundation.org/wp-content/uploads/Dynamic-program-analysis_-LF-Mentorship.pdf
Dmitry Vyukov talks about dynamic bug-detection tools for the Linux kernel. Part of the Linux Foundation Mentorship Series.
Video: https://www.youtube.com/watch?v=ufcyOkgFZ2Q
Slides: https://linuxfoundation.org/wp-content/uploads/Dynamic-program-analysis_-LF-Mentorship.pdf
YouTube
Mentorship Session: Dynamic Program Analysis for Fun and Profit
Nice analysis of futex+vfs kernel bug CVE-2020-14381, reported by Jann Horn one year ago.
Published by FrizN.
https://blog.frizn.fr/linux-kernel/cve-2020-14381
Published by FrizN.
https://blog.frizn.fr/linux-kernel/cve-2020-14381
blog.frizn.fr
FrizN - Linux kernel - The curious case of CVE-2020-14381
FrizN's blog: ctf writeups, pwnables, reverse engineering, sploits
Analysis of a working spectre (CVE-2017-5753) exploit for Linux "in the wild"
https://dustri.org/b/spectre-exploits-in-the-wild.html
https://dustri.org/b/spectre-exploits-in-the-wild.html
dustri.org
Spectre exploits in the "wild"
Personal blog of Julien (jvoisin) Voisin
Android Security Bulletin — March 2021
A bug in the
https://source.android.com/security/bulletin/2021-03-01#kernel-components
A bug in the
xt_qtaguid netfilter module and a bunch of bugs in Qualcomm drivers.https://source.android.com/security/bulletin/2021-03-01#kernel-components