Registrations for the Linux kernel exploitation training are now closed. The class is full, but you can join the waiting queue in case there are any cancellations.
8 seats left for the advanced version
wtf just had 2x laptops, 4x pixel 7 test devices, 25x kernel debug adapters, uart cables, pcb boards and usb drives seized in Abu Dhabi on my way to Hexacon. the only explanation they gave me is “you have too many cables”!
I'll make my tech report and poc public soon. It was a fun bug affecting most major distributions. one exploit to rule them all w/ all kernel expl mitigation bypasses - no rop chains / hardcoded crap
Finally Ubuntu-4.4.0-117.141 killed @bleidl's bug. Still unpatched in upstream 4.4.121 (though dead code sanitisation helps). And still a 0day on Ubuntu 16.04
samsung s21 was released recently... afaik most/all public post exploitation vectors have been fixed. 5.4 kernel with proper llvm cfi, scs, freelist ptr randomisation etc
changes introduced by hardened usercopy (even if it's not enabled) made a significant impact on heap-related bugs. not because of the intended mitigations but by making special- and general-purpose caches unmergeable
uploaded my last stream - Android / Linux kernel SLUB aliasing, i.e. when special-purpose caches get merged with general-purpose kmalloc caches. hope it will be useful
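The two posts above describe SLUB cache merging and why hardened-usercopy caches stop being merged. As an added example (not code from the author or the stream), the audit below reads a snapshot of /sys/kernel/slab, where merged caches appear as symlinks to one shared ":<flags>-<size>" kobject, and reports which special-purpose caches share a kobject with a kmalloc-<n> cache. The directory layout and cache names in the sample are constructed for the demo.

```python
import os
import tempfile

# Added example (not from the tweets above). Audits a snapshot of
# /sys/kernel/slab: on SLUB, caches that were merged show up as symlinks
# to one shared ":<flags>-<size>" kobject, so a special-purpose cache whose
# link target matches a kmalloc-<n> cache is aliased with it. Caches that
# are real directories were not merged (unmergeable flags, ctor, or a
# hardened-usercopy region).


def merged_groups(slab_dir):
    """Map each shared link target to the sorted cache names pointing at it."""
    groups = {}
    for entry in os.scandir(slab_dir):
        if entry.is_symlink():
            target = os.path.basename(os.readlink(entry.path))
            groups.setdefault(target, []).append(entry.name)
    return {t: sorted(names) for t, names in groups.items()}


def kmalloc_aliases(slab_dir):
    """Return {kmalloc cache: [special-purpose caches merged with it]}."""
    result = {}
    for names in merged_groups(slab_dir).values():
        kmalloc = [n for n in names if n.startswith("kmalloc-")]
        special = [n for n in names if not n.startswith("kmalloc-")]
        for k in kmalloc:
            if special:
                result[k] = special
    return result


def build_sample(root):
    """Constructed snapshot mimicking /sys/kernel/slab (not real data)."""
    os.makedirs(os.path.join(root, ":A-0000192"))
    for name in ("kmalloc-192", "cred_jar", "pid", "anon_vma_chain"):
        os.symlink(":A-0000192", os.path.join(root, name))  # merged caches
    os.makedirs(os.path.join(root, ":t-0000064"))
    os.symlink(":t-0000064", os.path.join(root, "kmalloc-64"))  # no aliases
    for name in ("dentry", "names_cache"):
        os.makedirs(os.path.join(root, name))  # unmergeable: real directories


def run_demo():
    """Build the constructed snapshot in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return kmalloc_aliases(root)


if __name__ == "__main__":
    for cache, shared in run_demo().items():
        print(f"{cache} is shared with: {', '.join(shared)}")
```

On a live system, `kmalloc_aliases("/sys/kernel/slab")` shows the actual merges; booting with `slab_nomerge` keeps every cache separate.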
CVE-2019-2215 made some headlines because of P0. on the other hand something like CVE-2019-15239 went unnoticed. First reported and fixed in early 2018 the bug was present in all 4.4/4.9 android kernels for over a year after the 4.14 upstream fix
I like to use 0xdeadbeef (x2 for 64bit ptrs) as my goto pattern to demonstrate sprays, ip control, etc. but one person apparently found it offensive. seriously.
not sure if anyone noticed but Samsung s20 devices had no RKP protection for selinux_enforcing starting from the first release. this was addressed in the June security update
We used the same bug for trainings last year. I’ve read both writeups, and both seem to use msg_msg as a refill. We used pipe_buffer, corrupting the first page ptr, refilling it with a task_struct and overwriting addr_limit to get arb r/w via a pipe
we'll be running two Linux kernel exploitation training sessions this year; one in Sydney, Australia 30 Sep - 3 Oct 2019 and the other one in Singapore 2 - 5 Sep 2019 - TBA
for a second I thought Pixel 5 disabled UART but they just flipped the usb-c connector. pinouts are the same but the connector is installed upside down compared to other pixel models
for the @bevxcon workshop we'll be doing an N-day (recent UAF), starting with analysis and then developing a fully weaponised exploit with all bypasses. The workshop is very hands-on
We are proud to announce our first Workshop - Linux Kernel Exploit Development by Vitaly Nikolenko (@vnik5287) - stay tuned for our second workshop announcement
There is still time to submit CFW and of course CFP
finally decided to redo some of my training material using beamer/latex but tikz just seems like a masochistic approach for trivial code annotations. there's probably a way to macro the crap out of this
rip orderly_poweroff() et al. 5.4 samsung kernels are compiled with CONFIG_STATIC_USERMODEHELPER=y, which sets the default binary path to an empty string