March/April updates

xairy · May 16, 2024 · 937cd07 · 937cd07
1 parent f3a3b36
commit 937cd07
Showing 1 changed file with 62 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -52,6 +52,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Exploitation
 
+[2024: "GhostRace: Exploiting and Mitigating Speculative Race Conditions"](https://www.vusec.net/projects/ghostrace/) [paper]
+
 [2024: "K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel"](https://www.ndss-symposium.org/wp-content/uploads/2024-935-paper.pdf) [paper]
 
 [2024: "Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems"](https://arxiv.org/pdf/2401.17618.pdf) [paper]
@@ -70,7 +72,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2023: "Breaking Hardware-Assisted Kernel Control-Flow Integrity with Page-Oriented Programming" by Seunghun Han](https://i.blackhat.com/BH-US-23/Presentations/US-23-Han-Lost-Control-Breaking-Hardware-Assisted-Kernel.pdf) [slides]
 
-[2023: "Make KSMA Great Again: The Art of Rooting Android devices by GPU MMU features" by Yong Wang](https://i.blackhat.com/BH-US-23/Presentations/US-23-WANG-The-Art-of-Rooting-Android-devices-by-GPU-MMU-features.pdf) [slides]
+[2023: "Make KSMA Great Again: The Art of Rooting Android devices by GPU MMU features" by Yong Wang](https://i.blackhat.com/BH-US-23/Presentations/US-23-WANG-The-Art-of-Rooting-Android-devices-by-GPU-MMU-features.pdf) [[video](https://www.youtube.com/watch?v=2qkwSPnQqrU)] [slides]
 
 [2023: "A new method for container escape using file-based DirtyCred" by Choo Yi Kai](https://starlabs.sg/blog/2023/07-a-new-method-for-container-escape-using-file-based-dirtycred/) [article]
 
@@ -345,6 +347,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Info-leaks
 
+[2024: "Out of the kernel, into the tokens" by Max Ammann and Emilio Lopez](https://blog.trailofbits.com/2024/03/08/out-of-the-kernel-into-the-tokens/) [article]
+
 [2023: "The code that wasn’t there: Reading memory on an Android device by accident" by Man Yue Mo](https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-an-android-device-by-accident/) [article] [CVE-2022-25664]
 
 [2023: "EntryBleed: A Universal KASLR Bypass against KPTI on Linux"](https://dl.acm.org/doi/pdf/10.1145/3623652.3623669) [paper] [CVE-2022-4543]
@@ -392,6 +396,22 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### LPE
 
+[2024: "Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques" by notselwyn](https://pwning.tech/nftables/) [article] [[exploit](https://github.com/Notselwyn/CVE-2024-1086)] [CVE-2024-1086]
+
+[2024: "64 bytes and a ROP chain – A journey through nftables" by Davide Ornaghi](https://betrusted.it/blog/64-bytes-and-a-rop-chain-part-1/) [article] [[part 2](https://betrusted.it/blog/64-bytes-and-a-rop-chain-part-2/)] [[exploit](https://github.com/TurtleARM/CVE-2023-0179-PoC)] [CVE-2023-0179]
+
+[2024: "Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu" by Oriol Castejon](https://blog.exodusintel.com/2024/03/27/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu/) [CVE-2024-0582]
+
+[2024: "CVE-2022-2586 Writeup"](https://jmpeax.dev/CVE-2022-2586-writeup.html) [article] [CVE-2022-2586]
+
+[2024: "n_gsm_exploit"](https://github.com/fff-vr/n_gsm_exploit) [article]
+
+[2024: "The tale of a GSM Kernel LPE"](https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html) [article] [[exploit](https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit)] [[notes](https://mastodon.social/@gabe_k/112251322421680553)] [[discussion](https://www.openwall.com/lists/oss-security/2024/04/10/18)]
+
+[2024: "Gaining kernel code execution on an MTE-enabled Pixel 8" by Man Yue Mo](https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/) [article] [[exploit](https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2023_6241)] [CVE-2023-6241]
+
+[2024: "Mali GPU Kernel LPE: Android 14 kernel exploit for Pixel7/8 Pro" by Mohamed Ghannam](https://github.com/0x36/Pixel_GPU_Exploit) [article] [CVE-2023-26083]
+
 [2023: "Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability (CVE-2023-6546)" by Nassim Asrir](https://github.com/Nassim-Asrir/ZDI-24-020/) [CVE-2023-6546]
 
 [2023: "Conquering the memory through io_uring - Analysis of CVE-2023-2598"](https://anatomic.rip/cve-2023-2598/) [article] [[exploit](https://github.com/ysanatomic/io_uring_LPE-CVE-2023-2598)] [CVE-2023-2598]
@@ -414,7 +434,7 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 [2023: "Linux Kernel Exploit (CVE-2022–32250) with mqueue"](https://blog.theori.io/linux-kernel-exploit-cve-2022-32250-with-mqueue-a8468f32aab5) [article] [CVE-2022–32250]
 
-[2023: "Bad io_uring: A New Era of Rooting for Android" by Zhenpeng Lin](https://i.blackhat.com/BH-US-23/Presentations/US-23-Lin-bad_io_uring.pdf) [slides] [CVE-2022-20409]
+[2023: "Bad io_uring: A New Era of Rooting for Android" by Zhenpeng Lin](https://i.blackhat.com/BH-US-23/Presentations/US-23-Lin-bad_io_uring.pdf) [slides] [[video](https://www.youtube.com/watch?v=fhx3W1z7YD0)] [CVE-2022-20409]
 
 [2023: "CVE-2023-3389 - LinkedPoll" by Querijn Voet](https://qyn.app/posts/CVE-2023-3389/) [article] [CVE-2023-3389]
 
@@ -856,6 +876,8 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ### Other
 
+[2024: "Notes about ZDI-24-195 in ksmbd"](https://twitter.com/Shiftreduce/status/1773385937893896206) [thread] [ZDI-24-195]
+
 [2024: "PowerVR GPU - GPU Firmware may overwrite arbitrary kernel pages by RGXCreateFreeList"](https://bugs.chromium.org/p/apvi/issues/detail?id=140) [report]
 
 [2024: "PowerVR GPU - UAF race conditon by DevmemIntPFNotify and DevmemIntCtxRelease"](https://bugs.chromium.org/p/apvi/issues/detail?id=141) [report]
@@ -933,6 +955,14 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ## Finding Bugs
 
+[2024: "Your NVMe Had Been Syz’ed: Fuzzing NVMe-oF/TCP Driver for Linux with Syzkaller" by Alon Zavahi](https://www.cyberark.com/resources/threat-research-blog/your-nvme-had-been-syzed-fuzzing-nvme-of-tcp-driver-for-linux-with-syzkaller) [article] [[slides](https://download.scrt.ch/insomnihack/ins24-slides/Syzkaller%20NVMe-oF.pdf)] [[video](https://www.youtube.com/watch?v=Jc25CM1Ppgo)]
+
+[2024: "Structure-Aware linux kernel Fuzzing with libFuzzer"](https://r00tkitsmm.github.io/fuzzing/2024/03/27/libffuzzerkernel.html) [article]
+
+[2024: "Enhancing Kernel Bug Discovery with Large Language Models" by Zahra Tarkhani](https://static.sched.com/hosted_files/lssna24/ed/LSSNA-Enhancing%20Kernel%20Bug%20Discovery%20with%20Large%20Language%20Models%20%E2%80%8B.pdf) [slides] [[video](https://www.youtube.com/watch?v=ewv3kX-p7-o)]
+
+[2024: "SyzRisk: A Change-Pattern-Based Continuous Kernel Regression Fuzzer"](https://nebelwelt.net/files/24AsiaCCS.pdf) [paper]
+
 [2024: "SyzBridge: Bridging the Gap in Exploitability Assessment of Linux Kernel Bugs in the Linux Ecosystem"](https://zhyfeng.github.io/files/2024-NDSS-SyzBridge.pdf) [paper]
 
 [2024: "SyzRetrospector: A Large-Scale Retrospective Study of Syzbot"](https://arxiv.org/pdf/2401.11642.pdf) [paper]
@@ -1196,6 +1226,16 @@ See [xairy.io/trainings/](https://xairy.io/trainings/).
 
 ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
 
+[2024: "Mitigating Integer Overflow in C" by Kees Cook](https://outflux.net/slides/2024/lss-na/) [slides] [[video](https://www.youtube.com/watch?v=PLcZkgHCk90)]
+
+[2024: "Gaining bounds-checking on trailing arrays in the Upstream Linux Kernel" by Gustavo A. R. Silva](https://embeddedor.com/slides/2024/eo/eo2024.pdf) [slides]
+
+[2024: "A Hybrid Alias Analysis Framework and Its Application to Protecting the Linux Kernel" by Guoren Li](https://www.youtube.com/watch?v=F4L2mBqnh30) [video]
+
+[2024: "Hardening the kernel against heap-spraying attacks" by Jonathan Corbet](https://lwn.net/Articles/965837/) [article]
+
+[2024: "Notes on the 'slab: Introduce dedicated bucket allocator' series" by Julien Voisin](https://dustri.org/b/notes-on-the-slab-introduce-dedicated-bucket-allocator-series.html) [article]
+
 [2023: "Exploring Linux's New Random Kmalloc Caches" by sam4k](https://sam4k.com/exploring-linux-random-kmalloc-caches/) [article]
 
 [2023: "Toolchain security features status update"](https://outflux.net/slides/2023/lpc/features.pdf) [slides] [[video](https://www.youtube.com/watch?v=OEFFqhP5sts)]
@@ -1479,14 +1519,16 @@ https://www.openwall.com/lists/oss-security/2023/05/15/5 [CVE-2023-32233]
 
 https://github.com/Liuk3r/CVE-2023-32233
 
-https://github.com/TurtleARM/CVE-2023-0179-PoC
-
 https://github.com/lanleft/CVE2023-1829
 
 https://github.com/TurtleARM/CVE-2023-3338-DECPwn
 
 https://github.com/kungfulon/nf-tables-lpe
 
+https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582
+
+https://github.com/YuriiCrimson/ExploitGSM/ [[notes](https://mastodon.social/@gabe_k/112251322421680553)] [[discussion](https://www.openwall.com/lists/oss-security/2024/04/10/18)]
+
 
 ## Tools
 
@@ -1585,14 +1627,20 @@ https://github.com/nccgroup/libslub
 
 https://github.com/a13xp0p0v/kernel-hardening-checker
 
-https://github.com/marin-m/vmlinux-to-elf
-
 https://github.com/heki-linux
 
 https://github.com/oswalpalash/linux-kernel-regression-tests
 
 https://github.com/google/security-research/blob/master/analysis/kernel/heap-exploitation/README.md [CodeQL] [[dashboard](https://lookerstudio.google.com/reporting/68b02863-4f5c-4d85-b3c1-992af89c855c/page/n92nD)]
 
+https://github.com/milabs/kiddy
+
+https://github.com/androidoffsec/art-kernel-toolkit
+
+https://github.com/notselwyn/get-sig
+
+https://github.com/gsingh93/linux-exploit-dev-env
+
 
 ## Practice
 
@@ -1623,6 +1671,8 @@ corCTF 2023 (sysruption): [writeup](https://www.willsroot.io/2023/08/sysruption.
 
 corCTF 2023 (zeroday, kcipher): [writeup](https://blog.libh0ps.so/2023/08/02/corCTF2023.html)
 
+hxp CTF 2022 (one_byte): [writeup](https://hxp.io/blog/99/hxp-CTF-2022-one_byte-writeup/)
+
 BFS Ekoparty 2022 (blunder): [writeup](https://klecko.github.io/posts/bfs-ekoparty-2022/)
 
 D^3CTF 2022 (d3bpf): [writeup](https://stdnoerr.github.io/writeup/2022/08/21/eBPF-exploitation-(ft.-D-3CTF-d3bpf).html), [writeup 2](https://github.com/chujDK/d3ctf2022-pwn-d3bpf-and-v2)
@@ -1796,6 +1846,10 @@ https://github.com/0xor0ne/awesome-list/
 
 ## Misc
 
+[2024: "Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config" by Vegard Nossum](https://www.openwall.com/lists/oss-security/2024/04/17/3) [article]
+
+[2024: "Demo showing Claude Opus does not find CVE-2023-0266" by Sean Heelan](https://github.com/SeanHeelan/claude_opus_cve_2023_0266) [article]
+
 [2024: "Linux is a CNA" by Greg Kroah-Hartman](http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/) [article]
 
 [2024: "An Investigation of Patch Porting Practices of the Linux Kernel Ecosystem"](https://arxiv.org/pdf/2402.05212.pdf) [paper]
@@ -1838,6 +1892,8 @@ https://github.com/0xor0ne/awesome-list/
 
 [Syzkaller Coverage Dashboard](https://lookerstudio.google.com/reporting/41ae4a20-9826-4f7f-be14-a934a04686fe/page/4EOpD)
 
+[kernel vulns missing stable backports](https://docs.google.com/spreadsheets/d/1JzRy4amgEn98KvyNs1yB4H_R08TovFZH0nutWx2tvZg/view#gid=0) [[source](https://twitter.com/sirdarckcat/status/1779894891608220052)]
+
 https://github.com/nccgroup/exploit_mitigations
 
 https://github.com/bsauce/kernel-security-learning