Vitaly Nikolenko @vnik5287 Twitter profile

Pinned Tweet

Vitaly Nikolenko

6 months

Registrations for the Linux kernel exploitation training are now closed . The class is full but you can join the waiting queue in case there are any cancellations 8 seats left for the advanced version

1

3

Last Seen Profiles

@Ngaziii

@_Ko3Ar_

@ka_ku81364

@Rim1ali

@indomyfess

@FunWithHypno

@BinaryCap

@ggd_game

@uxuuxuu

@aboubac01032197

@DarlenePla9217

@jandakembangstw

@Seeetfh1

@aroa__tm

@Chusidel

@Usui_oto_s

@tarheelfootball

@dspshows

@annagavvixz

@Gisela_Sex18

@hiroaki_kijima

@thegoldborns

@TSTimelines

@nrkcv

@fumou_buton

@kirispicaa

@saedvgah11

@jennydouwes

@smar1395

@BaseBDG

@DragonHeartFNF

@smar1395

@SWiP2024

@Milanella_

@Ana_Can21

@stw_pdg

Vitaly Nikolenko

@vnik5287

18 days

wtf just had 2x laptops, 4x pixel 7 test devices, 25x kernel debug adapters, uart cables, pcb boards and usb drives seized in Abu Dhabi on my way to Hexacon. the only explanation they gave me is “you have too many cables”!

56

65

2K

Vitaly Nikolenko

@vnik5287

5 years

Oracle Unbreakable Enterprise Kernel (UEK) is not that "unbreakable"

10

188

613

Vitaly Nikolenko

@vnik5287

18 days

I had my laptops, phones inspected before many times but never had my stuff actually taken away from me

1

423

Vitaly Nikolenko

@vnik5287

8 years

VMware told me this bug wasn't exploitable and now they're "requesting" me not to release the exploit!

8

231

206

Vitaly Nikolenko

@vnik5287

6 years

Linux kernel userfaultfd+setxattr heap spray writeup @bevxcon

1

118

209

Vitaly Nikolenko

@vnik5287

5 years

centos 8 / rhel 8 / ubuntu 14.04, 16.04, 18.04 poc is uploaded . The tech report is public too

6

106

210

Vitaly Nikolenko

@vnik5287

4 years

if you're not familiar with the term "defensive programming" here's an example

8

35

192

Vitaly Nikolenko

@vnik5287

7 years

uploaded my last workshop Linux kernel bug (addr_limit/set_fs bug + stack info leak) walkthrough

Linux kernel addr_limit bug / exploitation

Live workshop walkthrough for the TI addr_limit bugUsing syscalls in the kernel (or simply forgetting to reset the addr_limit value before returning to user ...

www.youtube.com

1

86

146

Vitaly Nikolenko

@vnik5287

5 years

6

22

133

Vitaly Nikolenko

@vnik5287

5 years

ROP/JOP pivoting to user space is now back in style

1

44

133

Vitaly Nikolenko

@vnik5287

8 years

Since this is public now, here's the netfilter target_offset Ubuntu 16.04 local root exploit

1

115

124

Vitaly Nikolenko

@vnik5287

7 years

Linux kASLR TSX/RTM bypass library from the last training session

GitHub - vnik5287/kaslr_tsx_bypass: Linux kASLR (Intel TSX/RTM) bypass static library

Linux kASLR (Intel TSX/RTM) bypass static library. Contribute to vnik5287/kaslr_tsx_bypass development by creating an account on GitHub.

github.com

0

60

119

Vitaly Nikolenko

@vnik5287

4 years

I'll be running my Linux kernel exploitation course (x86_64) in November - public registrations / online delivery.

2

20

108

Vitaly Nikolenko

@vnik5287

2 years

apparently what I did back then is now called DirtyCred

0

27

110

Vitaly Nikolenko

@vnik5287

5 years

I'll make my tech report and poc public soon. It was a fun bug affecting most major distributions. one exploit to rule them all w/ all kernel expl mitigation bypasses - no rop chains / hardcoded crap

3

32

91

Vitaly Nikolenko

@vnik5287

7 years

Finally Ubuntu-4.4.0-117.141 killed @bleidl bug. Still unpatched in upstream 4.4.121 (though dead code sanitisation helps). and still a 0day on Ubuntu 16.04

2

63

90

Vitaly Nikolenko

@vnik5287

4 years

samsung s21 was released recently... afaik most/all public post exploitation vectors have been fixed. 5.4 kernel with proper llvm cfi, scs, freelist ptr randomisation etc

4

10

88

Vitaly Nikolenko

@vnik5287

6 years

and slides for my beVX talk - Dissecting the 17-old kernel bug

0

44

88

Vitaly Nikolenko

@vnik5287

8 years

I've written up about that Linux kernel heap off-by-1 I was talking about before

4

60

86

Vitaly Nikolenko

@vnik5287

9 years

My writeup: Linux Kernel Return Oriented Programming. Stay tuned for part 2!

0

65

84

Vitaly Nikolenko

@vnik5287

5 years

KASLR/SMEP/SMAP etc

1

10

84

Vitaly Nikolenko

@vnik5287

4 years

pushed a small gdb script w/o dependencies to walk the page tables and dump the pte for kernel virtual addresses

1

23

83

Vitaly Nikolenko

@vnik5287

5 years

brief introduction to the kernel module autoloading process

2

25

78

Vitaly Nikolenko

@vnik5287

5 years

thanks to slab accounting enabled on a certain cache, a previously non-exploitable bug is now 95+% reliable =)

0

21

74

Vitaly Nikolenko

@vnik5287

2 years

changes introduced by hardened usercopy (even if it's not enabled) made a significant impact on heap-related bugs. not because of the intended mitigations but by making special- and general-purpose caches unmergeable

3

9

71

Vitaly Nikolenko

@vnik5287

5 years

uploaded my last stream - Android / Linux kernel SLUB aliasing, ie when special-purpose caches get merged with general-purpose kmalloc caches. hope it will be useful

Android / Linux SLUB aliasing for general- and special-purpose caches

null

www.youtube.com

0

12

69

Vitaly Nikolenko

@vnik5287

4 years

CVE-2019-2215 made some headlines because of P0. on the other hand something like CVE-2019-15239 went unnoticed. First reported and fixed in early 2018 the bug was present in all 4.4/4.9 android kernels for over a year after the 4.14 upstream fix

2

22

67

Vitaly Nikolenko

@vnik5287

4 years

I like to use 0xdeadbeef (x2 for 64bit ptrs) as my goto pattern to demonstrate sprays, ip control, etc. but one person apparently found it offensive. seriously.

12

8

64

Vitaly Nikolenko

@vnik5287

2 years

RIP :(

3

4

63

Vitaly Nikolenko

@vnik5287

8 years

add_key() is apparently another good candidate for a kernel heap spray. -18 bytes for the header at the beginning

2

33

59

Vitaly Nikolenko

@vnik5287

3 years

I'll be running another online Linux kernel exploitation training x86_64 in June 22. Registrations close on the 27th May

1

7

56

Vitaly Nikolenko

@vnik5287

9 years

KASLR bypass: kernel_text=$((0x80000000+0x`cat /proc/iomem|grep code|cut -d- -f1|tr -d ' '`))

1

47

54

Vitaly Nikolenko

@vnik5287

15 days

this is so cool! Hexacon champagne

3

2

56

Vitaly Nikolenko

@vnik5287

2 years

My next online Linux kernel exploitation (x86_64) training session will be 3 - 6 October 2022. Registrations are now open

2

7

54

Vitaly Nikolenko

@vnik5287

7 years

all 4.4 ubuntu aws instances are vulnerable: echo "deb xenial-proposed restricted main multiverse universe" > /etc/apt/sources.list && apt update && apt install linux-image-4.4.0-117-generic

8

49

51

Vitaly Nikolenko

@vnik5287

4 years

not sure if anyone noticed but Samsung s20 devices had no RKP protection for selinux_enforcing starting from the first release. this was addressed in the June security update

0

13

51

Vitaly Nikolenko

@vnik5287

8 years

Linux kernel race condition in drivers/tty/n_hdlc.c @a13xp0p0v will release the poc soon

0

25

50

Vitaly Nikolenko

@vnik5287

3 years

great to be back at @offensive_con after a few years of covid life!

2

3

51

Vitaly Nikolenko

@vnik5287

4 years

next online linux kernel exploitation (x86_64) training session will be in March 2021

3

5

51

Vitaly Nikolenko

@vnik5287

3 years

I'll be running another online Linux kernel exploitation training in September. Registrations close on the 1st September

0

9

47

Vitaly Nikolenko

@vnik5287

8 years

af_packet.c Ubuntu 16.04 kernel exploit with SMAP bypass

1

52

48

Vitaly Nikolenko

@vnik5287

8 years

Linux Kernel ROP part 2 is out on the #SpiderLabs blog

0

44

Vitaly Nikolenko

@vnik5287

5 years

moar fuzzing moar pi

1

3

46

Vitaly Nikolenko

@vnik5287

3 years

We used the same bug for trainings last year I’ve read both writeups and both seem to use msg_msg as a refill. We used pipe_buffer corrupting the first page ptr, refilling it with a task_struct and overwriting addr_limit to get arb r/w via a pipe

1

47

Vitaly Nikolenko

@vnik5287

6 years

this slab oob 12-byte read in memcpy is still not fixed in 4.4 upstream

0

6

46

Vitaly Nikolenko

@vnik5287

2 years

Great to be in Paris for @Hexacon !

1

45

Vitaly Nikolenko

@vnik5287

8 years

Linux kernel BPF UAF exploit

0

41

44

Vitaly Nikolenko

@vnik5287

2 years

want early access to the qualcomm security advisory? why not use this URL instead

2

3

40

Vitaly Nikolenko

@vnik5287

10 years

If anyone is interested, here's a PoC for the recent ptrace\sysret bug (CVE-2014-4699) http://t.co/5Dj5uFwmsm

1

34

43

Vitaly Nikolenko

@vnik5287

5 years

doesn't seem like ubuntu 4.4 LTS kernels want to pull the upstream patch. can still rip <-- 0 with syscall(__NR_clock_gettime, 10, 0)

3

7

42

Vitaly Nikolenko

@vnik5287

6 years

CVE-2018-2892 - Kernel Level Privilege Escalation in Oracle Solaris

0

34

40

Vitaly Nikolenko

@vnik5287

5 years

we'll be running two Linux kernel exploitation training sessions this year; one in Sydney, Australia 30 Sep - 3 Oct 2019 and the other one in Singapore 2 - 5 Sep 2019 - TBA

Linux kernel exploitation techniques x86_64

The number of user-land exploitation countermeasures outweighs the kernel protection mechanisms implemented by most modern distributions. Due to the complexity associated with exploiting user-land...

www.eventbrite.com.au

0

11

40

Vitaly Nikolenko

@vnik5287

5 years

another cool epbf bug

Zero Day Initiative — CVE-2020-8835: Linux Kernel Privilege Escalation via Improper eBPF Program...

During the recent Pwn2Own 2020 competition, Manfred Paul ( @_manfp ) of RedRocket CTF used an improper input validation bug in the Linux kernel to go from a standard user to root. Manfred used this...

www.thezdi.com

1

15

39

Vitaly Nikolenko

@vnik5287

10 years

Linux kernel ptrace/sysret (CVE-2014-4699) analysis http://t.co/OeR59ooRLr

1

24

35

Vitaly Nikolenko

@vnik5287

5 years

null-ptr-deref trigger in nfnetlink on upstream 4.4 kernels

0

5

36

Vitaly Nikolenko

@vnik5287

4 years

if you're trying to find a pgd on android, it's 2 pages below the kernel image size

2

31

Vitaly Nikolenko

@vnik5287

5 years

and just tested the boards with our firmware.. we're all set for tomorrow. thanks again to @offensive_con for providing hardware

0

4

31

Vitaly Nikolenko

@vnik5287

4 years

for a second I thought Pixel 5 disabled UART but they just flipped the usb-c connector. pinouts are the same but the connector is installed upside down compared to other pixel models

0

6

27

Vitaly Nikolenko

@vnik5287

4 years

always liked the etc option when downloading samsung kernel source

3

1

30

Vitaly Nikolenko

@vnik5287

5 years

received my rootkits & bootkits copy and up to chapter 8 now. great book @matrosov love it!

1

4

30

Vitaly Nikolenko

@vnik5287

4 years

damnit, North Korea stop it!

0

29

Vitaly Nikolenko

@vnik5287

1 year

rip addr_limit

3

27

Vitaly Nikolenko

@vnik5287

8 years

This was an interesting read on exploiting uninitialised Linux kernel stack variables

0

11

27

Vitaly Nikolenko

@vnik5287

7 years

for the @bevxcon workshop we'll be doing an N-day (recent UAF) starting with analysis and then developing a fully weaponised exploit with all bypasses. The workshop is very hands-on

TyphoonCon🌪️

@typhooncon

7 years

We are proud to announce our first Workshop - Linux Kernel Exploit Development by Vitaly Nikolenko ( @vnik5287 ) - - stay tuned to our second workshop announcement There is still time to submit CFW and of course CFP -

0

10

30

2

9

27

Vitaly Nikolenko

@vnik5287

4 years

finally decided to redo some of my training material using beamer/latex but tikz just seems like a masochistic approach for trivial code annotations. there's probably a way to macro the crap out of this

1

2

26

Vitaly Nikolenko

@vnik5287

4 years

a better explanation what I was trying to say

Vitaly Nikolenko

@vnik5287

4 years

if you're trying to find a pgd on android, it's 2 pages below the kernel image size

2

31

1

5

27

Vitaly Nikolenko

@vnik5287

4 years

rip orderly_poweroff() et. al. 5.4 samsung kernels are compiled with CONFIG_STATIC_USERMODEHELPER=y which sets the default binary path to an empty string

0

2

27

Vitaly Nikolenko

@vnik5287

6 months

Next advanced Linux kernel exploitation training will be 24 - 26 June Registrations are now open

0

2

24

Vitaly Nikolenko

@vnik5287

7 years

thank you @offensive_con for a great conference! one of the most technical conferences I've been to. see you next year!

1

4

26

Vitaly Nikolenko

@vnik5287

5 years

another year, another @offensive_con . thank you!

2

26

Vitaly Nikolenko

@vnik5287

6 years

I've built a small arm64 fuzzing cluster with these boards. Pretty good value for $$

1

2

26

Vitaly Nikolenko

@vnik5287

8 years

0

13

25

Vitaly Nikolenko

@vnik5287

9 years

CVE-2016-0728 Linux Kernel UAF exploitation by Perception Point

1

29

24

Vitaly Nikolenko

@vnik5287

4 years

0xdeadbeef is a valid page frame number pointing to physmap :)

0

2

24

Vitaly Nikolenko

@vnik5287

9 years

My write-up on exploiting CVE-2014-2851 group_info UAF

0

9

22

Vitaly Nikolenko

@vnik5287

4 years

Pixel 5 decided to be clever and enable CONFIG_TRIM_UNUSED_KSYMS. all those juicy symbols are now removed

0

8

23

Vitaly Nikolenko

@vnik5287

4 years

not cool Pixel 5.. not cool

1

22

Vitaly Nikolenko

@vnik5287

5 years

Advanced ghetto cooling system

1

3

21

Vitaly Nikolenko

@vnik5287

4 years

gotta rethink your life choices once you start finding resistors in your shoes

0

2

22

Vitaly Nikolenko

@vnik5287

9 years

My Ruxcon slides on practical SMEP bypasses on Linux

1

14

20

Vitaly Nikolenko

@vnik5287

5 years

ARM boards collection Odroid, HiKey, Rock64, Firefly

0

1

21

Vitaly Nikolenko

@vnik5287

8 years

looks like a heap off-by-1 (overwriting the first byte of the next object with 0) how's that exploitable?

3

20

Vitaly Nikolenko

@vnik5287

6 years

still have seats and there's time to register for the Linux kernel exploitation workshop at @bevxcon in Hong Kong #nday

0

11

20

Vitaly Nikolenko

@vnik5287

3 years

pulling 63G of googles crap via repo (single branch) just to compile the kernel :/

3

0

20

Vitaly Nikolenko

@vnik5287

7 years

The next Linux kernel exploitation training will be at Syscan360 in Singapore - March 19th.

0

4

20

Vitaly Nikolenko

@vnik5287

3 years

when you're messing with file descriptor ownership in the kernel (starting from Android 11 / ANDROID_FDSAN_ERROR_LEVEL_FATAL)

0

1

19

Vitaly Nikolenko

@vnik5287

4 years

cissp is now equivalent to a Master's degree. what's next? oscp is equivalent to PhD?

0

5

19

Vitaly Nikolenko

@vnik5287

8 years

very excited to run my Linux kernel exploit dev course again. this time at HITB in Singapore! hope to see you there

0

18

Vitaly Nikolenko

@vnik5287

8 years

vmware + linux 3.x poc

0

11

18

Vitaly Nikolenko

@vnik5287

9 years

Linux Kernel >= 3.13 espfix64 NMI handlers exploit http://t.co/amSIZ38UB2

0

18

Vitaly Nikolenko

@vnik5287

5 years

just noticed this trivial user enumeration over ssh on Ubuntu 18.04

1

17

Vitaly Nikolenko

@vnik5287

8 years

Really looking forward to attending @offensive_con and doing a 3-day course on Linux kernel exploitation in Berlin!

offensivecon

@offensive_con

8 years

Training on Linux Kernel Exploitation Techniques by @vnik5287 has been added to the lineup. More to come!

0

28

48

0

4

17

Vitaly Nikolenko

@vnik5287

5 years

Ksplice for detecting exploitation attempts

Using Ksplice To Detect Exploit Attempts

A new feature of Ksplice is Known Exploit Detection. When you patch your system with Ksplice, not only is the security vulnerability closed, but also tripwires are laid down for privilege escalation...

blogs.oracle.com

0

11

17

Vitaly Nikolenko

@vnik5287

7 years

ah these bugs are nice

0

20

16

Vitaly Nikolenko