Exploiting aCropalypse: Recovering Truncated PNGs
https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html [www.da.vidbuchanan.co.uk]
2023-03-18 19:40
tags:
android
compression
exploit
format
graphics
opsec
security
double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)
https://marc.info/?l=oss-security&m=167628974320957&w=2 [marc.info]
2023-02-16 20:18
tags:
exploit
malloc
openbsd
programming
security
Exploiting this vulnerability will not be easy: modern memory allocators provide protections against double frees, and the impacted sshd process is unprivileged and heavily sandboxed.
Quick update: we were able to gain arbitrary control of the “rip” register through this bug (i.e., we can jump wherever we want in sshd’s address space) on an unpatched installation of OpenBSD 7.2 (which runs OpenSSH 9.1 by default). This is by no means the end of the story: this was only step 1, bypass the malloc and double-free protections.
source: L
The curious tale of a fake Carrier.app
https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html [googleprojectzero.blogspot.com]
2022-06-23 22:55
tags:
cxx
exploit
investigation
iphone
security
turtles
Six privilege escalation exploits are bundled with this app. Five are well-known, publicly available N-day exploits for older iOS versions. The sixth is not like those others at all. This blog post is the story of the last exploit and the month-long journey to understand it.
CVE-2022-23088: Exploiting A Heap Overflow In The Freebsd Wi-Fi Stack
https://www.zerodayinitiative.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-overflow-in-the-freebsd-wi-fi-stack [www.zerodayinitiative.com]
2022-06-16 18:38
tags:
exploit
freebsd
programming
security
wifi
In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of FreeBSD Kernel. This bug was originally reported to the ZDI program by a researcher known as m00nbsd and patched in April 2022 as FreeBSD-SA-22:07.wifi_meshid. The researcher has graciously provided this detailed write-up of the vulnerability and a proof-of-concept exploit demonstrating the bug.
source: L
Hertzbleed Attack
https://www.hertzbleed.com/ [www.hertzbleed.com]
2022-06-16 18:36
tags:
cpu
crypto
exploit
paper
security
sidechannel
Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.
Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.
source: HN
Lend Me Your Ear: Passive Remote Physical Side Channels on PCs
https://www.usenix.org/system/files/sec22summer_genkin.pdf [www.usenix.org]
2022-05-06 00:55
tags:
crypto
exploit
opsec
paper
pdf
security
sidechannel
systems
We show that built-in sensors in commodity PCs, such as microphones, inadvertently capture electromagnetic side-channel leakage from ongoing computation. Moreover, this information is often conveyed by supposedly-benign channels such as audio recordings and common Voice-over-IP applications, even after lossy compression.
We analyze the computation-dependent leakage captured by internal microphones, and empirically demonstrate its efficacy for attacks. In one scenario, an attacker steals the secret ECDSA signing keys of the counterparty in a voice call. In another, the attacker detects what web page their counterparty is loading. In the third scenario, a player in the Counter-Strike online multiplayer game can detect a hidden opponent waiting in ambush, by analyzing how the 3D rendering done by the opponent’s computer induces faint but detectable signals into the opponent’s audio feed.
The More You Know, The More You Know You Don’t Know
https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html [googleprojectzero.blogspot.com]
2022-04-20 01:49
tags:
development
exploit
security
update
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc.
Another vulnerability in the LPC55S69 ROM
https://oxide.computer/blog/another-vulnerability-in-the-lpc55s69-rom [oxide.computer]
2022-03-23 22:13
tags:
bios
exploit
hardware
security
Last year, we discovered an undocumented hardware block in the LPC55S69 (our chosen part for our product’s Root of Trust implementation) that could be used to violate security boundaries. This issue highlighted the importance of transparency as an Oxide value which is why we are bringing another recently discovered vulnerability to light today. While continuing to develop our product, we discovered a buffer overflow in the ROM of the LPC55S69. This issue exists in the In-System Programming (ISP) code for the signed update mechanism which lives in ROM. This vulnerability allows an attacker to gain non-persistent code execution with a carefully crafted update regardless of whether the update is signed.
source: HN
An unexpected Redis sandbox escape affecting only Debian, Ubuntu, and other derivatives
https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce [www.ubercomp.com]
2022-03-09 21:26
tags:
bugfix
exploit
linux
lua
security
turtles
This post describes how I broke the Redis sandbox, but only for Debian and Debian-derived Linux distributions. Upstream Redis is not affected. That makes it a Debian vulnerability, not a Redis one. The culprit, if you will, is dynamic linking, but there will be more on that later.
source: HN
The Dirty Pipe Vulnerability
https://dirtypipe.cm4all.com/ [dirtypipe.cm4all.com]
2022-03-07 20:43
tags:
exploit
linux
programming
security
unix
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.
It all started a year ago with a support ticket about corrupt files. A customer complained that the access logs they downloaded could not be decompressed. And indeed, there was a corrupt log file on one of the log servers; it could be decompressed, but gzip reported a CRC error. I could not explain why it was corrupt, but I assumed the nightly split process had crashed and left a corrupt file behind. I fixed the file’s CRC manually, closed the ticket, and soon forgot about the problem.
Months later, this happened again and yet again. Every time, the file’s contents looked correct, only the CRC at the end of the file was wrong. Now, with several corrupt files, I was able to dig deeper and found a surprising kind of corruption. A pattern emerged.
source: HN
Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective
https://signal.org/blog/cellebrite-vulnerabilities/ [signal.org]
2021-04-21 20:18
tags:
android
defense
exploit
iphone
security
social
storage
As just one example (unrelated to what follows), their software bundles FFmpeg DLLs that were built in 2012 and have not been updated since then. There have been over a hundred security updates in that time, none of which have been applied.
In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
This Man Thought Opening a TXT File Is Fine, He Thought Wrong. MacOS CVE-2019-8761
https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html [www.paulosyibelo.com]
2021-04-03 00:44
tags:
exploit
html
mac
security
text
turtles
This research originated when I realized the default text reader on OSX, TextEdit is used to open files with TXT extension by default. On the interface of TextEdit, it looked like you can do basic customization to your text (you can turn text bold, italic, change color etc...), so I was wondering how a TXT file was storing and parsing this information. It seems it uses RTF format instead of TXT if we add customizations to the text.
source: HN
Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical
https://arxiv.org/abs/2103.03443 [arxiv.org]
2021-03-08 18:36
tags:
cpu
exploit
paper
security
sidechannel
We introduce the first microarchitectural side channel attacks that leverage contention on the CPU ring interconnect. There are two challenges that make it uniquely difficult to exploit this channel. First, little is known about the ring interconnect’s functioning and architecture. Second, information that can be learned by an attacker through ring contention is noisy by nature and has coarse spatial granularity. To address the first challenge, we perform a thorough reverse engineering of the sophisticated protocols that handle communication on the ring interconnect. With this knowledge, we build a cross-core covert channel over the ring interconnect with a capacity of over 4 Mbps from a single thread, the largest to date for a cross-core channel not relying on shared memory. To address the second challenge, we leverage the fine-grained temporal patterns of ring contention to infer a victim program’s secrets. We demonstrate our attack by extracting key bits from vulnerable EdDSA and RSA implementations, as well as inferring the precise timing of keystrokes typed by a victim user.
source: HN
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 [medium.com]
2021-02-11 14:14
tags:
development
exploit
security
turtles
KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card
https://medium.com/realmodelabs/kindledrip-from-your-kindles-email-address-to-using-your-credit-card-bb93dbfb2a08 [medium.com]
2021-01-22 04:16
tags:
email
exploit
ioshit
malware
security
Some time ago, we noticed at Realmode Labs that Amazon Kindle has an interesting feature called “Send to Kindle”. This feature allows Kindle users to send e-books to their device as email attachments. We immediately thought of the potential security concerns of this feature: what if we can send malicious e-books to unsuspecting users?
source: R
BitLocker Lockscreen bypass
https://secret.club/2021/01/15/bitlocker-bypass.html [secret.club]
2021-01-18 00:41
tags:
auth
exploit
security
turtles
windows
BitLocker is a modern data protection feature that is deeply integrated in the Windows kernel. It is used by many corporations as a means of protecting company secrets in case of theft. Microsoft recommends that you have a Trusted Platform Module which can do some of the heavy cryptographic lifting for you.
If we smash shift 5 times in quick succession, a link to open the Settings app appears, and the link actually works. We cannot see the launched Settings app. Giving the launched app focus is slightly tricky; you have to click the link and then click a place where the launched app would be visible with the correct timing. The easiest way to learn to do it is, keep clicking the link roughly 2 times a second. The sticky keys windows will disappear. Keep clicking! You will now see a focus box is drawn in the middle of the screen. That was the Settings app, and you have to stop clicking when it gets focus.
Accessibility UX wins again.
source: HN
Introducing the In-the-Wild Series
https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html [googleprojectzero.blogspot.com]
2021-01-13 07:29
tags:
admin
android
browser
exploit
malware
programming
security
series
windows
windows
Leaking silhouettes of cross-origin images
https://blog.mozilla.org/attack-and-defense/2021/01/11/leaking-silhouettes-of-cross-origin-images/ [blog.mozilla.org]
2021-01-13 06:07
tags:
browser
exploit
graphics
security
sidechannel
turtles
web
This is a writeup of a vulnerability I found in Chromium and Firefox that could allow a malicious page to read some parts of an image located on an origin it is not supposed to be able to access. Although technically interesting, it is quite limited in scope—I am not aware of any major websites it could’ve been used against. As of November 17th, 2020, the vulnerability has been fixed in the most recent versions of both browsers.
The time that it takes CanvasRenderingContext2D.drawImage to draw a pixel depends on whether it is fully transparent, opaque, or semi-transparent. By timing a bunch of calls to drawImage, we can reliably infer the transparency of each pixel in a cross-origin image, which is enough to, for example, read text on a transparent background, like this:
source: HN
PLATYPUS With Great Power comes Great Leakage
https://platypusattack.com/ [platypusattack.com]
2020-12-11 06:55
tags:
cpu
energy
exploit
paper
security
sidechannel
With classical power side-channel attacks, an adversary typically attaches an oscilloscope to monitor the energy consumption of a device. Since Intel Sandy Bridge CPUs, the Intel Running Average Power Limit (RAPL) interface allows monitoring and controlling the power consumption of the CPU and DRAM in software. Hence, the CPU basically comes with its own power meter. With the current implementation of the Linux driver, every unprivileged user has access to its measurements.
Using PLATYPUS, we demonstrate that we can observe variations in the power consumption to distinguish different instructions and different Hamming weights of operands and memory loads, allowing inference of loaded values. PLATYPUS can further infer intra-cacheline control flow of applications, break KASLR, leak AES-NI keys from Intel SGX enclaves and the Linux kernel, and establish a timing-independent covert channel.
With SGX, Intel released a security feature to create isolated environments, so-called enclaves, that are secure even if the operating system is compromised. In our work, we combine PLATYPUS with precise execution control of SGX-Step. As a result, we overcome the hurdle of the limited measuring capabilities of Intel RAPL by repeatedly executing single instructions inside the SGX enclave. Using this technique, we recover RSA keys processed by mbed TLS from an SGX enclave.
source: trivium
PAM Bypass: when null(is not)ok
https://linderud.dev/blog/pam-bypass-when-nullis-notok/ [linderud.dev]
2020-11-25 01:55
tags:
auth
exploit
linux
security
turtles
The commit attempts to avoid a timing attack against PAM. Some attacker can know valid user names by timing how quickly PAM returns an error, so the fix is to use an existing user in the system we always validate against to ensure a consistent timing. But which user is always present on a Linux system? root!
The code does not check if root has any valid passwords set. An invalid user would fail, loop over to root and try validate. root has no password. It’s blank. We have nullok set. And we have pam_permit.so. The invalid user is authenticated. We have enough information to do a quick POC.
1 + 1 = 3.
source: L