An introduction to Udev: The Linux subsystem for managing device events

Linux subsystem for managing device events
Create a script that triggers your computer to do a specific action when a specific device is plugged in.
13 Nov 2018
Seth Kenlon (Red Hat)

Udev is the Linux subsystem that supplies your computer with device events. In plain English, that means it’s the code that detects when you have things plugged into your computer, like a network card, external hard drives (including USB thumb drives), mouses, keyboards, joysticks and gamepads, DVD-ROM drives, and so on. That makes it a potentially useful utility, and it’s well-enough exposed that a standard user can manually script it to do things like performing certain tasks when a certain hard drive is plugged in. This article teaches you how to create a udev script triggered by some udev event, such as plugging in a specific thumb drive. Once you understand the process for working with udev, you can use it to do all manner of things, like loading a specific driver when a gamepad is attached, or performing an automatic backup when you attach your backup drive.[…]

https://opensource.com/article/18/11/udev?sc_cid=70160000001273HAAQ

VirtualBox E1000 Guest-to-Host Escape zero day

https://github.com/MorteNoir1/virtualbox_e1000_0day

Linux Unattended Installation – Tools to create an unattended installation of a minimal setup of Linux

This project provides all you need to create an unattended installation of a minimal setup of Linux, where minimal translates to the most lightweight setup – including an OpenSSH service and Python – that you can derive from the standard installer of a Linux distribution. The idea is that you will do all further deployment of your configurations and services with the help of Ansible or similar tools once you have completed the minimal setup. Use the build-iso.sh script to create an ISO file based on the netsetup image of Ubuntu. Use the build-disk.sh script to create a cloneable preinstalled disk image based on the output of build-iso.sh. […] UEFI and BIOS mode supported. […]

https://github.com/core-process/linux-unattended-installation


Linux Security Summit Europe 2018 videos uploaded

Linux Security Summit Europe 2018 videos have been uploaded to YouTube:

https://events.linuxfoundation.org/events/linux-security-summit-europe-2018/

And slides are here:

https://events.linuxfoundation.org/events/linux-security-summit-europe-2018/program/slides/

Ubuntu bug 1798863, CVE-2018-18653, UEFI Secure Boot vuln

The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a modified kernel/module.c, in conjunction with certain configuration options, leads to mishandling of the result of signature verification.[…]

Source: MITRE
Description Last Modified: 10/25/2018

https://nvd.nist.gov/vuln/detail/CVE-2018-18653

[…]This flaw is introduced by certain configuration options in combination with this out-of-tree patch from the Lockdown patchset[…]

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1798863

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1798863/comments/23

https://vuldb.com/?id.125976
Current Exploit Price (≈) $5k-$25k

Android Security: Control Flow Integrity in the Android kernel

by Sami Tolvanen, Staff Software Engineer, Android Security

Android’s security model is enforced by the Linux kernel, which makes it a tempting target for attackers. We have put a lot of effort into hardening the kernel in previous Android releases and in Android 9, we continued this work by focusing on compiler-based security mitigations against code reuse attacks. Google’s Pixel 3 will be the first Android device to ship with LLVM’s forward-edge Control Flow Integrity (CFI) enforcement in the kernel, and we have made CFI support available in Android kernel versions 4.9 and 4.14. This post describes how kernel CFI works and provides solutions to the most common issues developers might run into when enabling the feature.[…]

https://android-developers.googleblog.com/2018/10/control-flow-integrity-in-android-kernel.html


UEFI-Stub-Loader: Load the Linux EFI Stub (or any EFI application) with command line boot options on systems that don’t support UEFI firmware command lines

Features:
* UEFI 2.x support for PCs, and it also works on Macs with 64-bit EFI (e.g. MacBook Pro Late 2013)
* Loads and executes kernels compiled as native 64-bit UEFI applications (like the Linux kernel)
* Passes user-written commands (from a plain UTF16 text file) to loaded EFI applications
* Allows arbitrary placement of itself in addition to kernel images on the EFI system partition
* Fits on a floppy diskette, and some systems can actually boot it from a floppy
* Minimal UEFI development environment tuned for Windows, Mac, and Linux included in repository (1)

https://github.com/KNNSpeed/UEFI-Stub-Loader


libelfmaster: Secure ELF parsing/loading library for forensics reconstruction of malware, and robust reverse engineering tools

https://github.com/elfmaster/libelfmaster

See also:
http://www.bitlackeys.org/
https://www.eventbrite.com/o/bitlackeys-17575943369
https://www.eventbrite.com/e/elf-voodoo-binary-analysis-workshop-brought-to-you-by-the-elfmaster-leviathan-tickets-48427221122

SALT – SLUB ALlocator Tracer for the Linux kernel (including GDB plugin)

Welcome to salt, a tool to reverse and learn kernel heap memory management. It can be useful to develop an exploit, to debug your own kernel code, and, more importantly, to play with the kernel heap allocations and learn its inner workings.

This tool helps trace allocations and the current state of the SLUB allocator in modern Linux kernels.

It is written as a GDB plugin, and it allows you to trace and record memory allocations and to filter them by process name or by cache. The tool can also dump the list of active caches and print relevant information.

This repository also includes a playground loadable kernel module that can trigger allocations and deallocations at will, to serve both as a debugging tool and as a learning tool to better understand how the allocator works.

https://github.com/PaoloMonti42/salt

https://github.com/PaoloMonti42/salt/blob/master/presentation.pdf



Qubes announces U2F Proxy

Today we’d like to announce the Qubes U2F Proxy. It is a secure proxy intended to make use of U2F two-factor authentication devices with web browsers without exposing the browser to the full USB stack, not unlike the USB keyboard and mouse proxies we’ve already implemented in Qubes.[…]

https://www.qubes-os.org/news/2018/09/11/qubes-u2f-proxy/

https://github.com/QubesOS/qubes-app-u2f

Lenovo ThinkPad X1 6en: Enabling S3 Sleep for Linux after Firmware Update

https://brauner.github.io/2018/09/08/thinkpad-6en-s3.html

sb-kmod-signload.sh: UEFI Secure Boot sign and load utility for Linux kernel modules

This script provides commands to sign a designated list of kernel modules and load them via modprobe into the Linux kernel. It was built to specifically address the issue of having to re-sign and reload kernel modules after upgrading the Linux kernel, so that they are not rejected by UEFI Secure Boot (e.g. the VirtualBox kernel modules). As an example, this script defaults to loading the VirtualBox kernel modules and will look for the private key and X.509 certificate in a specific directory. Please change these values inside the script as needed. […]

https://github.com/plyint/sb-kmod-signload.sh


Spectre & Meltdown vulnerability/mitigation checker for Linux

A shell script to tell whether your system is vulnerable to the several “speculative execution” CVEs that were made public in 2018.

CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
CVE-2018-3640 [rogue system register read] aka ‘Variant 3a’
CVE-2018-3639 [speculative store bypass] aka ‘Variant 4’
CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 [L1 terminal fault] aka ‘Foreshadow & Foreshadow-

https://www.cnx-software.com/2018/08/17/check-spectre-meltdown-l1-terminal-fault-linux/amp/

https://github.com/speed47/spectre-meltdown-checker/