To Be Continued

Linux & Android Kernel Vulnerability research and exploitation

Environment setup

• Do not even bother using WSL2 for Kernel dev/research, you will run into many problems quite fast and it's not worth time to try and troubleshoot. Use a virtual machine instead
• Relevant Hypervisors: (VMware, Hyper-V,Xen)
  • VirtualBox seems to not support mitigations like SMEP
  • Vmware
    • Windows/Linux: VMware Workstation Pro (buy )
    • Mac: VMware Fusion
• "Kernel hacking like it's 2020" - Russell Currey (LCA 2020)

Linux kernel Exploitation tutorials & Practice Playgrounds

• Andrey Konovalov xairy collection (VERY comprehensive - Use this!)

• Lexfo Blog CVE-2017-11176: A step-by-step Linux Kernel exploitation (4 Parts) - Nice introduction LInk to notes

• pr0cf5/kernel-exploit-practice - Playground with many labs

• 0x00Sec - Point of no C3 | Linux Kernel v4.13 Exploitation

• Low-level adventures - Learning Linux kernel exploitation - Part 1 - Laying the groundwork

• Low-level adventures - Learning Linux kernel exploitation - Part 2 - CVE-2022-0847

• Linux Kernel PWN | 01 From Zero to One

• Learning Linux Kernel Exploitation by midas

• https://github.com/ocastejon/linux-kernel-learning

• Information docs index

CTF challenges

• UIUCTF23 – Corny Kernel – Writeup (Beginners)
• 3k CTF 2021 - Klibrary - Exploit linux kernel use after free with a race condition
• https://ctftime.org/tasks/?tags=&hidden-tags=kernel
  • https://t.me/ctftime_pyramid (searchable writeups)
• [pwnable.tw - death_note]

Theory

• understanding v2.3 linux kernel vulnerabilities - Richard Carback (Umbc.edu)

Academic research papers

• Hijacking the Linux Kernel - 2011
• Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel - Moshe Kol, JSOF

Tracing the Kernel

• Steven Rostedt - Learning the Linux Kernel with tracing

Kernel Bugs, vulnerabilities and exploitation techniques

• I found ANOTHER BUG IN THE LINUX KERNEL! (SPARC)
• A cache invalidation bug in Linux memory management - Jann Horn, Google Project Zero - CVE-2018-17182
• CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable
• Linux Kernel universal heap spray
• EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)
• Tickling ksmbd: fuzzing SMB in the Linux kernel
• Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)
• Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks
• A new method for container escape using file-based DirtyCred

Linux Kernel Exploitation cve PoC/writeups & guides

• CVE-2021-22600 - USMA: Share Kernel Code with Me Yong Liu, Jun Yao, Xiaodong Wang 360 Vulnerability Research Institute

• ocastejon - linux-kernel-learning & exploitation techniques

• CVE-2022-27666: My file your memory - Erin Avllazagaj

  • PoC

• nrb547 CVE-2021-32606: CAN ISOTP local privilege escalation

• MWR Labs Whitepaper Kernel Driver mmap Handler Exploitation 2017-09-18 – Mateusz Fruba

• ww9210 FUZE project Repo

• Immunity Blog - Writing a Linux Kernel Remote in 2022

• CVE-2022-20186 GitHub Blog Corrupting memory without memory corruption - Arm Mali GPU kernel driver

• GitHub Blog - Rooting with root cause: finding a variant of a Project Zero bug - CVE-2022-46395

• PoCs by Google

• Pwning the all Google phone with a non-Google bug - CVE-2022-38181

• Exploiting CVE-2021-3490 for Container Escapes

• CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem (Alexander Popov)

• CyberArk - LPE for Razer Usb driver

Dirty COW Vulnerability

• eshard Blog - Reversing DirtyC0W
• Williams College- Dirty COW: CVE-2016-5095 A Privilege Escalation Vulnerability in the Linux Kernel- CSCI432, May 11 2022
• Dirty Cow Technical Explanation
• Huge Dirty COW (CVE-2017–1000405) - The incomplete Dirty COW patch - Bindecy
• HugeDirtyCow POC - Bindecy

StackRot (2023)

• Rezilion Blog - What You Need to Know About StackRot – CVE-2023-3269
• lrh2000 - CVE-2023-3269: Linux kernel privilege escalation vulnerability - writeup & PoC
• Openwall Mailing List - The patch for StackRot
• Aegisbyte Blog - StackRot

DirtyPipe (CVE-2022-0847)

Pwnkit (CVE-2021-4034)

Udmabuf Driver Vulnerability

• Blue Frost Security Blog

Linux Kernel MMAP Vulnerabilities

• Checkpoint Research - MMAP VULNERABILITIES – LINUX KERNEL - Eyal Itkin
• De4dCr0w - Kernel-Driver-mmap-Handler-Exploitation
• deshal3v (Omer Shalev) Blog - mmap handler exploitation
• Exploit-DB - Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem

Talks from conferences (videos)

• xairy.io Talks
• OffensiveCon23 - Alex Plaskett & Cedric Halbronn - Exploit Engineering – Attacking the Linux Kernel
• OffensiveCon23 - Moshe Kol - Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel
• #HITB2022SIN E'rybody Gettin' TIPC: Demystifying Remote Linux Kernel Exploitation - Sam Page

Major changes to source code

• VMA 2.6 -> 2.7
• Replace any vm_next use with vma_find().
• [mm/vmacache.c]
• [PATCH 6.1 14/30] mm: introduce new lock_mm_and_find_vma() page fault helper

Additional Out of context resources

• Robert Love's Quora Answers

Source code structs & fields of interest

VMA (Virtual memory areas) & Memory management

• vm_area_struct
• vm_area_struct #2
• mm/vmacache.c
  • vm_mm mm_struct
  • find_vma(), vmacache_update(), mm_struct , vmacache
• Exploiting do_page_fault()?

The backyard/garage of the Linux kernel docs

https://www.kernel.org/doc/

Linux internals

• sam4k - Linternals: Introduction

• Linux insides

• The slab allocators of past, present, and future - Vlastimil Babka

• Mentorship Session: Debugging Linux Memory Management Subsystem (The linux foundation)

  • Contained in this video playlist

• ECE-T480 - Spring 2021: Lecture 16 (the slab allocator)

• The ARM32 Scheduling and Kernelspace Userspace Boundary - Linux internals - The ARM32 Scheduling and Kernelspace Userspace Boundary by Linus Walleij

• The Linux Process Journey - Linux internals - The Linux Process Journey by Shlomi Boutnaru

Virtual memory areas datastructures (VMA)

• The Maple Tree, A Modern Data Structure for a Complex Problem

Page Tables and Process Memory internals & exploits

Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel

• Hiding Process Memory via Anti-Forensic Techniques
• Blackhat - Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache

Various open source tools

Kernel Vulnerability Scanner tools

• The-Z-Labs - linux-exploit-suggester - Linux privilege escalation auditing tool

In Chromium

• Chromium Issue

Android

• GitHub Blog (Android Kernel Mitigations obstacle race)
• linux/mm/memory.c
• abi-monitor

blogs

• https://hackmd.io/@ptr-yudai
• https://xairy.io/
• https://google.github.io/security-research/

Mitigations

• Summary of Linux Kernel Security Protections (2022)
• https://github.com/nccgroup/exploit_mitigations/blob/main/linux_mitigations.md