kernel pwn — CTF task collection
A collection of Linux kernel exploitation CTF tasks and write-ups. The write-ups are in Japanese.
https://github.com/smallkirby/kernelpwn
Linux Foundation Mentorship Series:
Fuzzing Linux Kernel
March 2, 2021 | 7:30 – 9:00 AM PST
by Andrey Konovalov (aka @xairy), Senior Software Engineer, Google
https://events.linuxfoundation.org/mentorship-session-fuzzing-linux-kernel/
Linux Kernel Exploitation Technique by overwriting modprobe_path
A blog post with a self-explanatory name by Dang Le.
https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/
Dynamic Program Analysis for Fun and Profit
Dmitry Vyukov talks about dynamic bug-detection tools for the Linux kernel. Part of the Linux Foundation Mentorship Series.
Video: https://www.youtube.com/watch?v=ufcyOkgFZ2Q
Slides: https://linuxfoundation.org/wp-content/uploads/Dynamic-program-analysis_-LF-Mentorship.pdf
Nice analysis of futex+vfs kernel bug CVE-2020-14381, reported by Jann Horn one year ago.
Published by FrizN.
https://blog.frizn.fr/linux-kernel/cve-2020-14381
Analysis of a working spectre (CVE-2017-5753) exploit for Linux "in the wild"
https://dustri.org/b/spectre-exploits-in-the-wild.html
Android Security Bulletin — March 2021
A bug in the xt_qtaguid netfilter module and a bunch of bugs in Qualcomm drivers.
https://source.android.com/security/bulletin/2021-03-01#kernel-components
Kernel Electric-Fence (KFENCE)
KFENCE, a low-overhead sampling-based memory safety error detector for the Linux kernel, was merged for Linux 5.12.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/dev-tools/kfence.rst
Exploiting Kernel Races Through Taming Thread Interleaving
A Black Hat talk about using interrupts to widen race windows when exploiting race conditions. By Yoochan Lee.
Video: https://www.youtube.com/watch?v=5M3WhLVLCzs
Slides: https://i.blackhat.com/USA-20/Thursday/us-20-Lee-Exploiting-Kernel-Races-Through-Taming-Thread-Interleaving.pdf
Fuzzing the Linux kernel
The talk I gave yesterday about Linux kernel fuzzing. A part of the Linux Foundation Mentorship Series. Covers the general theory behind fuzzing and the approaches to fuzzing the Linux kernel in particular.
Video: https://youtube.com/watch?v=4IBWj21tg-c
Slides: https://linuxfoundation.org/wp-content/uploads/2021-Linux-Foundation-Mentorship-Series_-Fuzzing-the-Linux-Kernel.pdf
Exploiting CVE-2020-11239 in Android
A detailed article about exploiting the Android vulnerability CVE-2020-11239, which is a use-after-free in the Qualcomm kgsl driver.
https://securitylab.github.com/research/one_day_short_of_a_fullchain_android
Exploiting CVE-2021-27365 in the Linux kernel iSCSI implementation
This vulnerability is a heap buffer overflow that was introduced to the Linux kernel 15 years ago.
https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html?m=1
Undocumented x86 instructions in Intel CPUs revealed
These instructions fully control the microarchitectural state of Intel CPUs. They can even modify the microcode!
https://twitter.com/_markel___/status/1373059797155778562?s=19
Android Security Bulletin — January 2021
A fix for an uninitialized memory disclosure in core files, two fixes for speculative execution bugs, and a bunch of fixes for Qualcomm drivers.
A note regarding one of the latter: "There are indications that CVE-2020-11261 may be under limited, targeted exploitation."
https://source.android.com/security/bulletin/2021-01-01#kernel-compoents
https://source.android.com/security/bulletin/2021-01-01#qualcomm-components
KFENCE — Detecting memory bugs in production kernels
A blog post about KFENCE, a low-overhead sampling-based memory safety error detector for the Linux kernel.
https://thomasw.dev/post/kfence/
Security things in Linux v5.9
A list of security-related updates that were merged into Linux kernel version 5.9. Composed by Kees Cook.
https://outflux.net/blog/archives/2021/04/05/security-things-in-linux-v5-9/
Android Security Bulletin — April 2021
A use-after-free in the block subsystem; what looks like a side-channel info-leak in ICMP; and a couple of bugs in Qualcomm components, including a bug in the sockev netlink driver.
https://source.android.com/security/bulletin/2021-04-01#kernel-components
https://source.android.com/security/bulletin/2021-04-01#qualcomm-components
BleedingTooth: Exploiting Bluetooth RCE in the Linux kernel
BleedingTooth is a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker in short distance to execute arbitrary code with kernel privileges on vulnerable devices.
https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup
Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel
I've published the article about exploiting CVE-2021-26708 for local privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and SMAP.
https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html
PoC exploit demo video: https://www.youtube.com/watch?v=EC8PFOYOUgU
Rust in the Linux kernel
An RFC patch series that adds Rust support to the kernel has been posted. It aims to provide wrappers for the core kernel APIs and allow implementing kernel modules in safe Rust.
The series includes a work-in-progress Rust implementation of the Android binder driver.
See the cover letter for the high-level design outline and the blog post for a deeper explanation of the implementation of an example module.
Cover letter: https://lore.kernel.org/lkml/20210414184604.23473-1-ojeda@kernel.org/
Blog post: https://security.googleblog.com/2021/04/rust-in-linux-kernel.html
Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits
Research on introducing vulnerabilities into the kernel while pretending to fix bugs. The researchers succeeded.
This research was done last year, but subsequent (seemingly unrelated) work by the same authors is now causing a lot of drama in the Linux kernel community.
Paper: https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
Drama: https://twitter.com/gregkh/status/1384785747874656257