pwning kernels & blogging on os internals 🌱
Blog: https://sam4k.com
Twitter: https://twitter.com/sam4k1

With OffensiveCon around the corner, I figured I'd write another post on Linux kernel exploitation techniques. This time I cover the world of page table exploitation! Enjoy 🤓

https://sam4k.com/page-table-kernel-exploitation/

Kernel Exploitation Techniques: Turning The (Page) Tables

This post explores attacking page tables as a Linux kernel exploitation technique for gaining powerful read/write primitives.

sam4k

It's been a while, but here's a new post in my Linternals series, where I attempt to introduce the Linux kernel's memory management subsystem.

https://sam4k.com/linternals-exploring-the-mm-subsystem-part-1/

Linternals: Exploring The mm Subsystem via mmap [0x01]

In this series we'll explore the Linux kernel's memory management subsystem, using a simple userspace program as our starting point.

sam4k

@kees Ah, awesome! Yeah, I've been playing around with CodeQL on and off for a while in my workflow, but I feel like it's been rather surface-level use cases compared to what could be possible with it!

One of those things that I want to find more time to dig into, as there's not a tonne of in-depth public research on kernel use cases.

@kees Yeah, I think that's the best way to do it tbh! When I get some time to write it up, I'll chuck the source up on GitHub in case it's useful :) (with the suitable disclaimers for readers' sanity, of course 😂)

@kees Thanks! I haven't upstreamed any of the syzkaller stuff (yet?), I fear it might need a lot of tidying first 😅 It's currently a bit of a hacky mess using syzkaller descriptions for pseudo-syscalls which handle the TIPC formatting and handshake, a script for the VMs to enable a local TIPC bearer, and some other small bits and pieces.

ZDI-24-821: A Remote UAF in The Kernel's net/tipc

An article by @sam4k describing a slab use-after-free in the TIPC networking stack that can be triggered by both local and remote attackers.

https://sam4k.com/zdi-24-821-a-remote-use-after-free-in-the-kernels-net-tipc/

ZDI-24-821: A Remote UAF in The Kernel's net/tipc

In this post I discuss a vulnerability which allows a local, or remote attacker, to trigger a use-after-free in the TIPC networking stack on affected installations of the Linux kernel.

sam4k

Here's the write-up for the net/tipc vuln I found while working on my talk 🙌

https://sam4k.com/zdi-24-821-a-remote-use-after-free-in-the-kernels-net-tipc/

I keep forgetting to post here, but here are my slides from a recent talk I did on how to find bugs in the Linux kernel 🤓

https://github.com/sam4k/talk-slides/blob/main/so_you_wanna_find_bugs_in_the_linux_kernel.pdf

Apparently, there's a new Linux privilege escalation exploit, StackRot, triggered by a use-after-free-by-RCU maple tree bug.
https://seclists.org/oss-sec/2023/q3/4 #linux #infosec
Guillaume Teissier and Quentin Minster | OffensiveCon