July/August updates
xairy committed Sep 7, 2022
1 parent 55ac37c commit ab732b4
Showing 1 changed file with 50 additions and 2 deletions.
52 changes: 50 additions & 2 deletions README.md
@@ -56,6 +56,12 @@ December 5–6th: [Attacking the Linux Kernel](https://www.blackhat.com/eu-22/tr

### Exploitation

[2022: "An exploit primitive in the Linux kernel inspired by DirtyPipe"](https://github.com/veritas501/pipe-primitive) [article]

[2022: "Pawnyable: Linux Kernel Exploitation" by ptr-yudai](https://pawnyable.cafe/linux-kernel/index.html) [articles]

[2022: "DirtyCred: Cautious! A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe"](https://i.blackhat.com/USA-22/Thursday/US-22-Lin-Cautious-A-New-Exploitation-Method.pdf) [slides] [[artifacts](https://github.com/Markakd/DirtyCred)]

[2022: "CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel"](https://syst3mfailure.io/corjail) [article]

[2022: "Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage"](https://www.willsroot.io/2022/08/reviving-exploits-against-cred-struct.html) [article]
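Review bot: the first added entry, `[2022: "An exploit primitive in the Linux kernel inspired by DirtyPipe"](https://github.com/veritas501/pipe-primitive) [article]`, links a GitHub repository but is tagged `[article]`, while the DirtyCred entry in the same hunk tags its repository as `[[artifacts](...)]`; either retag this one as code/artifacts or point the main link at the write-up and keep the repository as a secondary link. The author visible in the URL (veritas501) could also be credited with `by`, as the Pawnyable entry does for ptr-yudai.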
@@ -68,7 +74,7 @@ December 5–6th: [Attacking the Linux Kernel](https://www.blackhat.com/eu-22/tr

[2022: "Racing against the clock -- hitting a tiny kernel race window" by Jann Horn](https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting-tiny.html) [article]

[2022: "Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability"](https://www.usenix.org/system/files/sec22fall_zeng.pdf) [paper]
[2022: "Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability"](https://www.usenix.org/system/files/sec22fall_zeng.pdf) [paper] [[artifacts](https://github.com/sefcom/KHeaps)]

[2022: "Learning Linux kernel exploitation" by 0x434b](https://0x434b.dev/dabbling-with-linux-kernel-exploitation-ctf-challenges-to-learn-the-ropes/) [article] [[part 2](https://0x434b.dev/learning-linux-kernel-exploitation-part-2-cve-2022-0847/)]

@@ -201,6 +207,8 @@ December 5–6th: [Attacking the Linux Kernel](https://www.blackhat.com/eu-22/tr

### Protection Bypasses

[2022: "A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data"](https://i.blackhat.com/USA-22/Thursday/US-22-Frigo-A-Dirty-Little-History.pdf) [slides]

[2022: "Tetragone: A Lesson in Security Fundamentals" by Pawel Wieczorkiewicz and Brad Spengler](https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals) [article]

[2021: "A General Approach to Bypassing Many Kernel Protections and its Mitigation" by Yueqi Chen](https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Chen-A-General-Approach-To-Bypassing-Many-Kernel-Protections-And-Its-Mitigation.pdf) [slides] [[video](https://www.youtube.com/watch?v=EIwEF3tCtg4)]
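Review bot: the new Spectre entry names no presenter, while the neighbouring slide entry in this hunk credits its speaker (`by Yueqi Chen`); the slide filename (`US-22-Frigo-A-Dirty-Little-History.pdf`) carries the presenter's surname, so add a `by ...` attribution for consistency with the rest of the section.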
@@ -302,6 +310,26 @@ December 5–6th: [Attacking the Linux Kernel](https://www.blackhat.com/eu-22/tr

### LPE

[2022: "SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)"](https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/) [article] [[slides](https://conference.hitb.org/hitbsecconf2022sin/materials/D1T1%20-%20Settlers%20of%20Netlink%20-%20Exploiting%20a%20Limited%20UAF%20on%20Ubuntu%2022.04%20to%20Achieve%20LPE%20-%20Aaron%20Adams.pdf)] [CVE-2022-32250]

[2022: "Linux Kernel Exploit (CVE-2022-32250) with mqueue"](https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/) [article] [CVE-2022-32250]

[2022: "N-day exploit for CVE-2022-2586: Linux kernel nft_object UAF" by Alejandro Guerrero](https://www.openwall.com/lists/oss-security/2022/08/29/5) [article] [CVE-2022-2586]

[2022: "Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021"](https://i.blackhat.com/USA-22/Wednesday/US-22-Jin-Monitoring-Surveillance-Vendors.pdf) [slides] [CVE-2021-0920]

[2022: "CVE-2022-29582: An io_uring vulnerability" by Awarau and David Bouman](https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring/) [article] [CVE-2022-29582]

[2022: "Linux kernel io_uring module pbuf_ring vulnerability and privilege escalation 0day"](https://dawnslab.jd.com/linux-5.19-rc2_pbuf_ring_0day/) [article]

[2022: "Corrupting memory without memory corruption" by Man Yue Mo](https://github.blog/2022-07-27-corrupting-memory-without-memory-corruption/) [article] [CVE-2022-20186]

[2022: "[CVE-2022-34918] A crack in the Linux firewall" by Arthur Mongodin](https://www.randorisec.fr/crack-linux-firewall/) [article] [CVE-2022-34918] [[exploit](https://github.com/randorisec/CVE-2022-34918-LPE-PoC)]

[2022: "CVE-2022-34918: netfilter analysis notes"](https://veritas501.github.io/2022_08_02-CVE-2022-34918%20netfilter%20%E5%88%86%E6%9E%90%E7%AC%94%E8%AE%B0/) [article] [CVE-2022-34918]

[2022: "Practice of USMA-based Kernel Universal EXP Writing Ideas on CVE-2022-34918"](https://veritas501.github.io/2022_08_11_%E5%9F%BA%E4%BA%8EUSMA%E7%9A%84%E5%86%85%E6%A0%B8%E9%80%9A%E7%94%A8EXP%E7%BC%96%E5%86%99%E6%80%9D%E8%B7%AF%E5%9C%A8%20CVE-2022-34918%20%E4%B8%8A%E7%9A%84%E5%AE%9E%E8%B7%B5/) [article] [CVE-2022-34918]

[2022: "The Android kernel mitigations obstacle race" by Man Yue Mo](https://github.blog/2022-06-16-the-android-kernel-mitigations-obstacle-race/) [article] [CVE-2022-22057]

[2022: "io_uring - new code, new bugs, and a new exploit technique" by Lam Jun Rong](https://starlabs.sg/blog/2022/06/io_uring-new-code-new-bugs-and-a-new-exploit-technique/) [article] [CVE-2021-41073]
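Review bot: author attribution is inconsistent across the new LPE entries: the SETTLERS OF NETLINK line names no author although its linked slides file is titled `... - Aaron Adams.pdf`, whereas the CVE-2022-29582, CVE-2022-34918 and CVE-2022-2586 entries carry `by ...`; add `by Aaron Adams` there. Two smaller points: the "Monitoring Surveillance Vendors" slides are tagged `[CVE-2021-0920]` here under LPE while the "quantum state" write-up of the same CVE is filed under Other further down, so a cross-reference would help anyone grepping by CVE; and the pbuf_ring 0day entry has no CVE tag, which is fine if none was assigned but worth double-checking.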
@@ -328,6 +356,8 @@ December 5–6th: [Attacking the Linux Kernel](https://www.blackhat.com/eu-22/tr

[2022: "CVE-2022-0185: A Case Study"](https://www.hackthebox.com/blog/CVE-2022-0185:_A_case_study) [article] [CVE-2022-0185]

[2022: "CVE-2022-0185: Analysis and utilization and thinking and practice of new primitives for pipe"](https://veritas501.github.io/2022_03_16-CVE_2022_0185%E5%88%86%E6%9E%90%E5%8F%8A%E5%88%A9%E7%94%A8%E4%B8%8Epipe%E6%96%B0%E5%8E%9F%E8%AF%AD%E6%80%9D%E8%80%83%E4%B8%8E%E5%AE%9E%E8%B7%B5/#%E7%9C%9F%E2%80%A2%E6%AD%A3%E6%96%87-%E6%96%B0%E5%9E%8B%E5%88%A9%E7%94%A8%E5%8E%9F%E8%AF%AD-pipe) [article] [CVE-2022-0185]

[2022: "Linux kernel Use-After-Free (CVE-2021-23134) PoC"](https://ruia-ruia.github.io/NFC-UAF/) [article] [CVE-2021-23134]

[2022: "Exploiting CVE-2021-26708 (Linux kernel) with ssh"](https://hardenedvault.net/2022/03/01/poc-cve-2021-26708.html) [article] [CVE-2021-26708]
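Review bot: the new CVE-2022-0185 entry links to a URL-encoded `#...` fragment anchor in the middle of the page rather than the article root, unlike every other entry in the list; linking the root keeps the entry valid if the author renames that section heading. The title "Analysis and utilization and thinking and practice of new primitives for pipe" also reads as a word-for-word rendering; something like "CVE-2022-0185: analysis and exploitation, with thoughts and practice on a new pipe primitive" would be clearer.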
@@ -637,7 +667,7 @@ December 5–6th: [Attacking the Linux Kernel](https://www.blackhat.com/eu-22/tr

### RCE

[2022: "Writing a Linux Kernel Remote in 2022" by Samuel Page](https://blog.immunityinc.com/p/writing-a-linux-kernel-remote-in-2022/) [article] [CVE-2022-0435]
[2022: "Writing a Linux Kernel Remote in 2022" by Samuel Page](https://blog.immunityinc.com/p/writing-a-linux-kernel-remote-in-2022/) [article] [[slides](https://conference.hitb.org/hitbsecconf2022sin/materials/D1T1%20-%20Erybody%20Gettin%20TIPC%20-%20Demystifying%20Remote%20Linux%20Kernel%20Exploitation%20-%20Sam%20Page.pdf)] [CVE-2022-0435]

[2022: "Zenith: Pwn2Own TP-Link AC1750 Smart Wi-Fi Router Remote Code Execution Vulnerability" by Axel Souchet](https://github.com/0vercl0k/zenith) [article] [CVE-2022-24354]

@@ -656,6 +686,14 @@ December 5–6th: [Attacking the Linux Kernel](https://www.blackhat.com/eu-22/tr

### Other

[2022: "Racing Cats to the Exit: A Boring Linux Kernel Use-After-Free"](https://accessvector.net/2022/linux-itimers-uaf) [article]

[2022: "Android Universal Root: Exploiting xPU Drivers"](https://i.blackhat.com/USA-22/Wednesday/US-22-Jin-Android-Universal-Root.pdf) [slides] [CVE-2022-20122] [CVE-2021-39815]

[2022: "The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)" by Xingyu Jin](https://googleprojectzero.blogspot.com/2022/08/the-quantum-state-of-linux-kernel.html) [article] [CVE-2021-0920]

[2022: "Finding bugs in the Linux Kernel Bluetooth Subsystem" by Itay Iellin](https://itayie.me/linux/2022/07/29/finding-bugs-in-the-linux-kernel-bt-subsystem-part-1.html) [https://itayie.me/linux/2022/07/29/finding-bugs-in-the-linux-kernel-bt-subsystem-part-1.html] [article] [[part 2](https://itayie.me/linux/2022/07/29/finding-bugs-in-the-linux-kernel-bt-subsystem-part-2.html)]

[2022: "CVE-2022-0435: A Remote Stack Overflow in The Linux" by Samuel Page](https://blog.immunityinc.com/p/a-remote-stack-overflow-in-the-linux-kernel/) [article] [CVE-2022-0435]

[2022: "CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers" by Max Van Amernngen](https://www.sentinelone.com/labs/cve-2021-45608-netusb-rce-flaw-in-millions-of-end-user-routers/) [article] [CVE-2021-45608]
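Review bot: the Bluetooth entry has a stray bare URL in square brackets, `[https://itayie.me/linux/2022/07/29/finding-bugs-in-the-linux-kernel-bt-subsystem-part-1.html]`, duplicated between the markdown link and the `[article]` tag; it renders as literal text and should be dropped so the line matches the `[title](url) [article] [[part 2](url)]` shape of the entries around it. While here, the unchanged context line below spells the NetUSB author as "Max Van Amernngen", which looks like a typo (the surname is normally spelled Amerongen) and could be fixed in a follow-up.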
@@ -703,6 +741,8 @@ December 5–6th: [Attacking the Linux Kernel](https://www.blackhat.com/eu-22/tr

## Finding Bugs

[2022: "Technical analysis of syzkaller based fuzzers: It's not about VaultFuzzer!"](https://hardenedvault.net/blog/2022-08-07-state-based-fuzzer-update/) [article]

[2022: "GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs"](https://zplin.me/papers/GREBE.pdf) [paper]

[2022: "An In-depth Analysis of Duplicated Linux Kernel Bug Reports"](https://zplin.me/papers/bug_analysis.pdf) [paper]
@@ -908,6 +948,8 @@ December 5–6th: [Attacking the Linux Kernel](https://www.blackhat.com/eu-22/tr

["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)

[2022: "Return to sender: Detecting kernel exploits with eBPF" by Guillaume Fournier at Black Hat USA](https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf) [slides] [[code](https://github.com/Gui774ume/krie)]

[2022: "Meaningful Bounds Checking in the Linux Kernel" by Kees Cook](https://outflux.net/slides/2022/lss-na/) [slides]

[2022: "Compilers: The Old New Security Frontier" by Brad Spengler](https://grsecurity.net/Compilers_The_Old_New_Security_Frontier_BlueHat_IL_2022.pdf) [slides]
@@ -1143,6 +1185,8 @@ https://github.com/tr3ee/CVE-2022-23222

https://github.com/tr3ee/CVE-2021-4204

[Linux Kernel SCTP FORWARD-TSN Chunk Memory Corruption Remote Exploit](https://subreption.com/offensive-security/exploits/sctp_thermite/) [CVE-2009-0065]


## Tools

@@ -1395,6 +1439,8 @@ https://github.com/crowell/old_blog/blob/source/source/_posts/2014-11-24-hosting

## Misc

[2022: "So You Wanna Pwn The Kernel?" by Samuel Page](https://sam4k.com/so-you-wanna-pwn-the-kernel/) [article]

[2022: "Automated RE of Kernel Configurations" by zznop](https://zznop.com/2022/01/02/automated-re-of-kernel-build-configs/) [article]

[2021: "An Investigation of the Android Kernel Patch Ecosystem" at USENIX](https://www.usenix.org/system/files/sec21-zhang-zheng.pdf) [paper] [[slides](https://www.usenix.org/system/files/sec21_slides_zhang-zheng.pdf)] [[video](https://www.youtube.com/watch?v=sx2unUrsQhc)]
@@ -1436,3 +1482,5 @@ https://github.com/PaoloMonti42/salt
https://github.com/davidmalcolm/antipatterns.ko

https://kernel.dance/

https://github.com/0xricksanchez/like-dbg
