Cross Cache Attack CheatSheet
Cross-cache attacks are highly powerful in Linux kernel exploitation because they can transfer a UAF from one object to another, even if the other object is allocated from a different slab.
A new approach to the Overwriting modprobe_path technique is introduced, addressing changes in the upstream kernel that prevent triggering via dummy files. | Vulnerability Research
In this post, I will explain PageJack, a universal and data-only exploitation technique that turns an off-by-one bug into a page UAF. Download the handouts beforehand.
In this post, I will explain USMA, a universal and data-only exploitation technique that allows us to patch kernel code from user space. Download the handouts beforehand.
In this post, I will explain Dirty Pipe, a universal and data-only exploitation technique that allows us to arbitrarily overwrite read-only files. Download the handouts beforehand.
In this post, I will explain DirtyCred, a universal and data-only exploitation technique that allows us to escalate privileges without a write primitive. Download the handouts beforehand.
In this post, I will explain Dirty PageTable, a universal and data-only exploitation technique that allows us to gain arbitrary read and write access to the entire physical memory. Download the handouts beforehand.
In this post, I will explain the cross-cache attack, a fundamental technique for advanced Linux kernel exploitation. Understanding this technique is important for understanding other exploitation techniques, such as Dirty PageTable and DirtyCred, which I will cover in future posts. Download the handouts beforehand.
In this post, I will explain how to build and debug the Linux kernel.
Showcasing an alternative technique to userfaultfd for extending race windows in the Linux kernel.
December 22nd 2022: it's Christmas Thursday, one of the last workdays before the Christmas vacation starts. Whilst everyone was looking forward to opening presents from friends and family, the Zero Day Initiative decided to give the IT community a present as well: immense stress in the form of
Following the adventure of manually discovering network-based vulnerabilities in the Linux kernel, I'm adding ksmbd-fuzzing functionality to the already extensive kernel-fuzzing tool that is Syzkaller.
A tale about exploiting KernelCTF Mitigation, Debian, and Ubuntu instances with a double-free in nf_tables in the Linux kernel, using novel techniques like Dirty Pagedirectory. All without even having to recompile the exploit for different kernel targets once.