Learning Linux Kernel Exploitation: Part 3

The final part of the Linux kernel exploitation tutorial series. Covers bypassing KASLR and FG-KASLR (Function Granular KASLR, not currently in the mainline).

Part 3: https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/
FG-KASLR: https://lwn.net/Articles/832434/

Security things in Linux v5.8

A list of security-related novelties merged into mainline in version 5.8. (5.11 is about to be released, so the list is lagging behind a bit.) By Kees Cook.

https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/

DiceCTF 2021 — HashBrown

A write-up for a Linux kernel exploitation task with a race condition leading to a memory corruption. Enabled protections include FG-KASLR, KPTI, SMEP, SMAP, and SLAB_FREELIST_RANDOM.

https://www.willsroot.io/2021/02/dicectf-2021-hashbrown-writeup-from.html

kernel pwn — CTF task collection

A collection of Linux kernel exploitation CTF tasks and write-ups. The write-ups are in Japanese.

https://github.com/smallkirby/kernelpwn

Linux Foundation Mentorship Series:

Fuzzing Linux Kernel
March 2, 2021 | 7:30 – 9:00 AM PST

by Andrey Konovalov (aka @xairy), Senior Software Engineer, Google

https://events.linuxfoundation.org/mentorship-session-fuzzing-linux-kernel/

Linux Kernel Exploitation Technique by overwriting modprobe_path

A blog post with a self-explanatory name by Dang Le.

https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/

Dynamic Program Analysis for Fun and Profit

Dmitry Vyukov talks about dynamic bug-detection tools for the Linux kernel. Part of the Linux Foundation Mentorship Series.

Video: https://www.youtube.com/watch?v=ufcyOkgFZ2Q
Slides: https://linuxfoundation.org/wp-content/uploads/Dynamic-program-analysis_-LF-Mentorship.pdf

Nice analysis of futex+vfs kernel bug CVE-2020-14381, reported by Jann Horn one year ago.

Published by FrizN.

https://blog.frizn.fr/linux-kernel/cve-2020-14381

Analysis of a working spectre (CVE-2017-5753) exploit for Linux "in the wild"

https://dustri.org/b/spectre-exploits-in-the-wild.html

Android Security Bulletin — March 2021

A bug in the xt_qtaguid netfilter module and a bunch of bugs in Qualcomm drivers.

https://source.android.com/security/bulletin/2021-03-01#kernel-components

Kernel Electric-Fence (KFENCE)

KFENCE, a low-overhead sampling-based memory safety error detector for the Linux kernel, was merged for Linux 5.12.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/dev-tools/kfence.rst

Exploiting Kernel Races Through Taming Thread Interleaving

A Black Hat talk about using interrupts to widen race windows when exploiting race conditions. By Yoochan Lee.

Video: https://www.youtube.com/watch?v=5M3WhLVLCzs
Slides: https://i.blackhat.com/USA-20/Thursday/us-20-Lee-Exploiting-Kernel-Races-Through-Taming-Thread-Interleaving.pdf

Fuzzing the Linux kernel

The talk I gave yesterday about Linux kernel fuzzing. A part of the Linux Foundation Mentorship Series. Covers the general theory behind fuzzing and the approaches to fuzzing the Linux kernel in particular.

Video: https://youtube.com/watch?v=4IBWj21tg-c
Slides: https://linuxfoundation.org/wp-content/uploads/2021-Linux-Foundation-Mentorship-Series_-Fuzzing-the-Linux-Kernel.pdf

Exploiting CVE-2020-11239 in Android

A detailed article about exploiting the Android vulnerability CVE-2020-11239, which is a use-after-free in the Qualcomm kgsl driver

https://securitylab.github.com/research/one_day_short_of_a_fullchain_android

Exploiting CVE-2021-27365 in the Linux kernel iSCSI implementation

This vulnerability is a heap buffer overflow that was introduced to the Linux kernel 15 years ago.

https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html?m=1

Undocumented x86 instructions in Intel CPUs revealed

These instructions fully control the microarchitectural state of Intel CPUs. They can even modify the microcode!

https://twitter.com/_markel___/status/1373059797155778562?s=19

Android Security Bulletin — January 2021

A fix for an uninitialized memory disclosure in core files, two fixes for speculative execution bugs, and a bunch of fixes for Qualcomm drivers.

A note regarding one of the latter: "There are indications that CVE-2020-11261 may be under limited, targeted exploitation."

https://source.android.com/security/bulletin/2021-01-01#kernel-compoents
https://source.android.com/security/bulletin/2021-01-01#qualcomm-components

KFENCE — Detecting memory bugs in production kernels

A blog post about KFENCE, a low-overhead sampling-based memory safety error detector for the Linux kernel.

https://thomasw.dev/post/kfence/

Security things in Linux v5.9

A list of security-related updates that were merged into Linux kernel version 5.9. Composed by Kees Cook.

https://outflux.net/blog/archives/2021/04/05/security-things-in-linux-v5-9/

Android Security Bulletin — April 2021

A use-after-free in the block subsystem; what looks like a side-channel info-leak in ICMP; and a couple of bugs in Qualcomm components, including a bug in sockev netlink driver.

https://source.android.com/security/bulletin/2021-04-01#kernel-components
https://source.android.com/security/bulletin/2021-04-01#qualcomm-components

BleedingTooth: Exploiting Bluetooth RCE in the Linux kernel

BleedingTooth is a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker in short distance to execute arbitrary code with kernel privileges on vulnerable devices.

https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup