A foray into Linux kernel exploitation on Android
An article describing an attempt to exploit the pvrsrvkm driver on an Alcatel 1S 2019.
https://mcyoloswagham.github.io/linux/
Android Security Bulletin — May 2021
A bug in TTY reported by Jann Horn a while ago and a bunch of bugs in Qualcomm drivers as usual.
https://source.android.com/security/bulletin/2021-05-01#kernel-components
https://bugs.chromium.org/p/project-zero/issues/detail?id=2125&can=1&q=linux%20kernel&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&cells=ids&sort=-id
https://source.android.com/security/bulletin/2021-05-01#qualcomm-components
CVE-2021-32606: CAN ISOTP local privilege escalation
Exploiting a race condition in ISOTP CAN sockets.
https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md
Fuzzing the Linux kernel
The talk I gave about Linux kernel fuzzing at PHDays 2021. Roughly the same content as the Linux Foundation Mentorship talk, but organized differently.
Slides: https://docs.google.com/presentation/d/19JaXHFMT-R2le6x-vPKw5D1Cxlw2aLtxHEIDwWBNXCQ/edit?usp=sharing
Video: https://standoff365.com/phdays10/schedule/tech/fuzzing-the-linux-kernel/
Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux Kernel
I've published the video of my talk for Zer0Con 2021: https://m.youtube.com/watch?v=EMcjHfceX44
And I gave this talk in Russian for a live audience at PHDays 2021. Video: https://standoff365.com/phdays10/schedule/tech/4-bytes-of-power-exploiting-cve-2021-26708-in-the-linux-kernel
A Nerve-Racking Bug Collision in Samsung's NPU Driver
An exploit write-up by Gyorgy Miru for another bug in the Samsung NPU driver. Unlike the vmalloc-based exploits published by P0 and others, this one relies on a race condition leading to a slab-out-of-bounds write.
https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/
CVE-2021-20226: a reference counting bug which leads to local privilege escalation in io_uring
An article describing a bug in the io_uring subsystem. Improper handling of files_struct references leading to a use-after-free.
https://flattsecurity.medium.com/cve-2021-20226-a-reference-counting-bug-which-leads-to-local-privilege-escalation-in-io-uring-e946bd69177a
An EPYC escape: Case-study of a KVM breakout by Felix Wilhelm
KVM guest-to-host breakout via access to the host MSRs.
https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html?m=1
Linux Kernel Heap Out-Of-Bounds Write in xt_compat_target_from_user()
A very old vulnerability that can be exploited for LPE. Kernels starting from v2.6.19 are affected.
https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528
KMSAN, a look under the hood
A talk about the internals of KernelMemorySanitizer — a tool that finds uses of uninitialized memory and information leaks. By Alexander Potapenko.
Recording: https://www.youtube.com/watch?v=LNs2U-3m3yg
Slides: https://github.com/ramosian-glider/talks-and-presentations/blob/master/2021/KernelMemorySanitizer_a_look_under_the_hood.pdf
Exploitation of a double free vulnerability in Ubuntu shiftfs driver
A very detailed article by Vincent Dehors. The author describes his exploit for Pwn2Own Vancouver, where he got LPE on Ubuntu Groovy 20.10.
https://www.synacktiv.com/publications/exploitation-of-a-double-free-vulnerability-in-ubuntu-shiftfs-driver-cve-2021-3492.html
CVE-2021-22555: Turning \x00\x00 into 10000$ by Andy Nguyen
CVE-2021-22555 is a 15-year-old heap out-of-bounds write vulnerability in Linux Netfilter that is powerful enough to bypass all modern security mitigations and achieve kernel code execution. It was used to break the Kubernetes pod isolation of the kCTF cluster and won 10000$.
https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Amazingly, Andy independently reinvented the msgsnd() exploitation technique that I created in January for my CVE-2021-26708 exploit:
https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html
Sequoia: A deep root in Linux's filesystem layer (CVE-2021-33909)
Qualys security advisory about a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer.
By creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
Report: https://www.openwall.com/lists/oss-security/2021/07/20/1
Kernel Pwning with eBPF: a Love Story by Valentina Palmiotti
A detailed overview of eBPF from the exploit developer's perspective and an analysis of the CVE-2021-3490 exploit for Ubuntu 20.10.
https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
[BugTales] Da Vinci Hits a Nerve: Exploiting Huawei’s NPU Driver by Gyorgy Miru
A detailed article about exploiting vulnerabilities in the Linux kernel driver for Huawei Neural-network Processing Unit.
https://labs.taszk.io/articles/post/exploiting_huaweis_npu_driver/
Variant analysis of the 'Sequoia' bug
Using CodeQL to rediscover the Sequoia bug recently disclosed by Qualys, as well as to find a few other ones. By Jordy Zomer.
https://pwning.systems/posts/sequoia-variant-analysis/
Fuzzing Linux with Xen
A DEF CON talk about fuzzing the Linux kernel over DMA-based interfaces with Xen. By Tamas K Lengyel.
Video: https://www.youtube.com/watch?v=_dXC_I2ybr4
Slides: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Tamas%20K%20Lengyel%20-%20Fuzzing%20Linux%20with%20Xen.pdf
Linux Security Summit 2021
The schedule for Linux Security Summit has been published. The summit will be happening from Sep 29th to Oct 1st.
I'll be giving a talk about the new MTE-based KASAN mode on the last day.
Two DEF CON talks about eBPF-based rootkits
#1: "eBPF, I thought we were friends!" (video) by Guillaume Fournier and Sylvain Afchain
#2: "Warping Reality: Creating and Countering the Next Generation of Linux Rootkits" (video) by Pat Hogan
Both are about building a rootkit via malicious eBPF programs. The programs are constrained to what the verifier permits (i.e., no AARW), but the allowed functionality is enough to mess with userspace daemons for LPE and with network packets for C&C.
Big improvements in my Linux Kernel Defence Map showing:
🔴Vulnerability classes
🟠Exploitation techniques
🟣Bug detection mechanisms
🟢Defence technologies
Now it represents Linux v5.12.
I added KASAN_HW_TAGS with ARM64_MTE, AUTOSLAB, KFENCE and many more.
https://github.com/a13xp0p0v/linux-kernel-defence-map
How AUTOSLAB Changes the Memory Unsafety Game
An article about AUTOSLAB — a grsecurity hardening feature, which prevents certain heap-based exploitation scenarios.
Besides having purely grsecurity-related info, it contains an analysis of the techniques used in the heap-based exploits from the last 5 years.
By Zhenpeng Lin.