Davide Ornaghi

LPE for CVE-2023-0179 is live! Compatibility with other versions should be just a matter of offsets. It was nice not having to deal with stack offset randomization. github.com/TurtleARM/CVE-…

Here is a more up-to-date syz description of your favorite subsystem nftables, happy fuzzing! github.com/google/syzkall…

🎫 No hat Computer Security Conference 2024 tickets are NOW AVAILABLE on nohat.it 🎫 See you in Bergamo, Italy on Oct 19th! #NoHat #Computer #Security #Conference #Community #Cybersecurity #NoHat2024

While testing and fixing a couple of NPDs in nftables, I found that reusing the subsystem after crashing triggers a UAF read on the previously freed task_struct when reacquiring the commit mutex, maybe worth a look? github.com/torvalds/linux…

Syzkaller being mad about my custom grammar

I've written my first blog post on exploiting the Linux kernel, with bonus digressions on internals and rabbit holes. Hope you enjoy the fancy graphics! betrusted.it/blog/64-bytes-… betrusted.it/blog/64-bytes-…

Exciting news! 🚀 Just dropped my blogpost unveiling the universal Linux kernel LPE PoC for CVE-2024-1086 (working on v5.14 - v6.7) used for pwning Debian, Ubuntu, and KernelCTF Mitigation instances, including novel techniques like Dirty Pagedirectory 🧵 pwning.tech/nftables

Added two less known PE payloads to the project: core_pattern overwrite and syscall hooking (inspired by CVE-2022-0435)! github.com/TurtleARM/CVE-…

Experimenting with mappable zero pages and privesc techniques for my DECnet vuln, still a WIP github.com/TurtleARM/CVE-…

CVE-2023-3338 represents a series of issues I found in the Linux DECnet Layer (a 20-year-old protocol) that caused it to be removed from all LTS releases, the most obvious one being this NPD openwall.com/lists/oss-secu…

Quick gdb tip to access per-cpu variables in case lx_per_cpu doesn't work: x __per_cpu_offset[$lx_current().cpu] + (unsigned long) var

Great opportunity to have fun with Linux pwning in the beautiful Bergamo!

Spent hours trying to mask timer interrupts on gdb to prevent LAPIC events when all I had to do was update QEMU

#HITB2023AMS #VIDEO #COMMSEC D2 - The Return of Stack Overflows in the Linux Kernel - Davide Ornaghi - conference.hitb.org/hitbsecconf202…

Writing CodeQL queries that actually do what you expect feels like magic

When your UAF read reallocation isn't behaving

@pimskeks @planetbeing @kernelpool @p0sixninja @Helthydriver @onlyxwings @embyte @bl4sty @l33tdawg @LinusHenze @EranShimony @OmerTsarfati @alexjplaskett @tihmstar It was awesome finally meeting you in person! Thanks again for making hacking even more fun

#HITB2023AMS was a blast! Great talks and great people! It was really nice seeing everyone @planetbeing @kernelpool @p0sixninja @Helthydriver @onlyxwings @embyte @bl4sty @l33tdawg @LinusHenze @EranShimony @OmerTsarfati @alexjplaskett @TurtleARM97 @tihmstar

Why is SystemTap so hard to run on custom kernels ☹️

I will be at @HITBSecConf #HITB2023AMS this week, if you are around, pull up, they have a free CommSec track too!

#HITB2023AMS COMMSEC: The Return of Stack Overflows in the Linux Kernel - Davide Ornaghi - conference.hitb.org/hitbsecconf202…

Looks like I’ll be speaking at @HITBSecConf about kernel (in)security and other exciting stuff!