Blasting Past Webp - An analysis of the NSO BLASTPASS iMessage exploit
https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html [googleprojectzero.blogspot.com]
2025-03-27 16:45
tags:
exploit
iphone
malloc
security
Whilst the Isosceles and Dark Navy posts explained the underlying memory corruption vulnerability in great detail, they were unable to solve another fascinating part of the puzzle: just how exactly do you land an exploit for this vulnerability in a one-shot, zero-click setup? As we’ll soon see, the corruption primitive is very limited. Without access to the samples it was almost impossible to know.
source: HN
CVE-2024-9956 - PassKey Account Takeover in All Mobile Browsers
https://mastersplinter.work/research/passkey/ [mastersplinter.work]
2025-03-20 05:23
tags:
auth
browser
exploit
security
web
An attacker within bluetooth range is able to trigger navigation to a FIDO:/ URI from an attacker controlled page on a mobile browser, allowing them to initiate a legitimate PassKeys authentication intent which will be received on the attacker’s device. This results in the attacker being able to “phish” PassKeys credentials, completely breaking this assumption that PassKeys are impossible to phish.
source: HN
Travertine (CVE-2025-24118) - An absolutely wild race condition in the macOS kernel
https://jprx.io/cve-2025-24118/ [jprx.io]
2025-03-14 23:14
tags:
auth
c
concurrency
exploit
macos
security
systems
It involves a combination of several cutting-edge features in the macOS kernel (XNU)- Safe Memory Reclamation (SMR), read-only page mappings, per-thread credentials, memcpy implementation details, and of course, a race condition tying everything all together. This bug allows for corruption of thread’s kauth_cred_t credential pointer. Specifically, the SMR-protected p_ucred field of a process’s read-only struct can be corrupted to point to invalid memory, or potentially to a different (maybe even more privileged) credential.
https://github.com/jprx/CVE-2025-24118
source: trivium
Zen and the Art of Microcode Hacking
https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking [bughunters.google.com]
2025-03-08 06:03
tags:
bios
cpu
exploit
hash
programming
security
systems
In this post, we first discuss the background of what microcode is, why microcode patches exist, why the integrity of microcode is important for security, and how AMD attempts to prevent tampering with microcode. Next, we focus on the microcode patch signature validation process and explain in detail the vulnerability present (using CMAC as a hash function). Finally, we discuss how to use some of the tools we’ve released today which can help researchers reproduce and expand on our work (skip to the Zentool section of this blogpost for a “how to” on writing your own microcode).
source: HN
AMD: Microcode Signature Verification Vulnerability
https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w [github.com]
2025-02-03 19:53
tags:
bios
cpu
exploit
hash
security
systems
virtualization
This vulnerability allows an adversary with local administrator privileges (ring 0 from outside a VM) to load malicious microcode patches. We have demonstrated the ability to craft arbitrary malicious microcode patches on Zen 1 through Zen 4 CPUs. The vulnerability is that the CPU uses an insecure hash function in the signature validation for microcode updates. This vulnerability could be used by an adversary to compromise confidential computing workloads protected by the newest version of AMD Secure Encrypted Virtualization, SEV-SNP or to compromise Dynamic Root of Trust Measurement.
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
source: HN
WorstFit: Unveiling Hidden Transformers in Windows ANSI!
https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/ [blog.orange.tw]
2025-01-10 14:54
tags:
exploit
programming
security
text
turtles
windows
The research unveils a new attack surface in Windows by exploiting Best-Fit, an internal charset conversion feature. Through our work, we successfully transformed this feature into several practical attacks, including Path Traversal, Argument Injection, and even RCE, affecting numerous well-known applications!
source: HN
AES-GCM and breaking it on nonce reuse
https://frereit.de/aes_gcm/ [frereit.de]
2024-12-04 23:58
tags:
article
crypto
exploit
math
random
security
In this post, we will look at how the security of the AES-GCM mode of operation can be completely compromised when a nonce is reused.
Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques
https://pwning.tech/nftables/ [pwning.tech]
2024-03-26 23:33
tags:
best
cpu
exploit
linux
malloc
paper
programming
security
systems
In this blogpost I present several novel techniques I used to exploit a 0-day double-free bug in hardened Linux kernels (i.e. KernelCTF mitigation instances) with 93%-99% success rate. The underlying bug is input sanitization failure of netfilter verdicts. Hence, the requirements for the exploit are that nf_tables is enabled and unprivileged user namespaces are enabled. The exploit is data-only and performs an kernel-space mirroring attack (KSMA) from userland with the novel Dirty Pagedirectory technique (pagetable confusion), where it is able to link any physical address (and its permissions) to virtual memory addresses by performing just read/writes to userland addresses.
Also: https://github.com/Notselwyn/CVE-2024-1086
source: HN
Gaining kernel code execution on an MTE-enabled Pixel 8
https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/ [github.blog]
2024-03-20 07:36
tags:
android
exploit
malloc
security
systems
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that I reported to Arm on November 15, 2023 and was fixed in the Arm Mali driver version r47p0, which was released publicly on December 14, 2023. It was fixed in Android in the March security update. When exploited, this vulnerability allows a malicious Android app to gain arbitrary kernel code execution and root on the device. The vulnerability affects devices with newer Arm Mali GPUs that use the Command Stream Frontend (CSF) feature, such as Google’s Pixel 7 and Pixel 8 phones. What is interesting about this vulnerability is that it is a logic bug in the memory management unit of the Arm Mali GPU and it is capable of bypassing Memory Tagging Extension (MTE), a new and powerful mitigation against memory corruption that was first supported in Pixel 8. In this post, I’ll show how to use this bug to gain arbitrary kernel code execution in the Pixel 8 from an untrusted user application. I have confirmed that the exploit works successfully even with kernel MTE enabled by following these instructions.
source: HN
Operation Triangulation: What You Get When Attack iPhones of Researchers
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/ [securelist.com]
2023-12-27 19:52
tags:
best
cpu
exploit
investigation
iphone
security
This presentation was also the first time we had publicly disclosed the details of all exploits and vulnerabilities that were used in the attack. We discover and analyze new exploits and attacks using these on a daily basis, and we have discovered and reported more than thirty in-the-wild zero-days in Adobe, Apple, Google, and Microsoft products, but this is definitely the most sophisticated attack chain we have ever seen.
source: HN
npm search RCE? - Escape Sequence Injection
https://blog.solidsnail.com/posts/npm-esc-seq [blog.solidsnail.com]
2023-12-16 00:59
tags:
exploit
security
text
tty
turtles
In a previous post I went over a vulnerability I discovered in iTerm2 that allowed code execution in the shell by leveraging the output of a command. Today, We’ll focus on the other side of that interaction, the application running underneath the terminal.
"[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs
https://dgl.cx/2023/09/ansi-terminal-security [dgl.cx]
2023-10-20 19:20
tags:
exploit
security
text
tty
turtles
unix
This paper reflects work done in late 2022 and 2023 to audit for vulnerabilities in terminal emulators, with a focus on open source software. The results of this work were 10 CVEs against terminal emulators that could result in Remote Code Execution (RCE), in addition various other bugs and hardening opportunities were found. The exact context and severity of these vulnerabilities varied, but some form of code execution was found to be possible on several common terminal emulators across the main client platforms of today.
source: HN
Getting RCE in Chrome with incomplete object initialization in the Maglev compiler
https://github.blog/2023-10-17-getting-rce-in-chrome-with-incomplete-object-initialization-in-the-maglev-compiler/ [github.blog]
2023-10-18 19:08
tags:
browser
exploit
javascript
jit
security
In this post I’ll exploit CVE-2023-4069, a type confusion vulnerability that I reported in July 2023. The vulnerability—which allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site—is found in v8, the Javascript engine of Chrome. It was filed as bug 1465326 and subsequently fixed in version 115.0.5790.170/.171.
Getting RCE in Chrome with incorrect side effect in the JIT compiler
https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/ [github.blog]
2023-09-29 00:06
tags:
browser
exploit
javascript
jit
programming
security
In this post, I’ll exploit CVE-2023-3420, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
source: R
The WebP 0day
https://blog.isosceles.com/the-webp-0day/ [blog.isosceles.com]
2023-09-21 20:29
tags:
compression
exploit
format
fuzzing
programming
security
This means that someone, somewhere, had been caught using an exploit for this vulnerability. But who discovered the vulnerability and how was it being used? How does the vulnerability work? Why wasn’t it discovered earlier? And what sort of impact does an exploit like this have?
There are still a lot of details that are missing, but this post attempts to explain what we know about the unusual circumstances of this bug, and provides a new technical analysis and proof-of-concept trigger for CVE-2023-4863 (“the WebP 0day“).
Bluesky Exploits
https://github.com/qwell/bsky-exploits [github.com]
2023-09-13 20:32
tags:
exploit
security
social
ux
web
web
I have discovered a number of security vulnerabilities in Bluesky and atproto. Each time I’ve found something new, I’ve chosen to report it to Bluesky at security@bsky.app, as requested at https://bsky.app/.well-known/security.txt, and provide them with details. Bluesky has responded to only one of these reports, one time, 4 days after submission, saying “We appreciate the report, and we’ll be taking a closer look at the issue.”. They did not follow up on that report and they have not responded to any of my other reports.
The Internet Worm Program: An Analysis
https://spaf.cerias.purdue.edu/tech-reps/823.pdf [spaf.cerias.purdue.edu]
2023-08-25 16:24
tags:
c
dupe
exploit
paper
pdf
programming
security
unix
This report gives a detailed description of the components of the worm program—data and functions. It is based on study of two completely independent reverse-compilations of the worm and a version disassembled to VAX assembly language. Almost no source code is given in the paper because of current concerns about the state of the ‘‘immune system’’ of Internet hosts, but the description should be detailed enough to allow the reader to understand the behavior of the program.
And some modern commentary: https://infosec.exchange/@hovav/110950949212380779
Smashing the state machine: the true potential of web race conditions
https://portswigger.net/research/smashing-the-state-machine [portswigger.net]
2023-08-10 16:24
tags:
concurrency
exploit
networking
security
web
HTTP request processing isn’t atomic - any endpoint might be sending an application through invisible sub-states. This means that with race conditions, everything is multi-step. The single-packet attack solves network jitter, making it as though every attack is on a local system. This exposes vulnerabilities that were previously near-impossible to detect or exploit.
source: L
Zenbleed
https://lock.cmpxchg8b.com/zenbleed.html [lock.cmpxchg8b.com]
2023-07-25 01:47
tags:
cpu
exploit
programming
security
sidechannel
systems
What should happen if the processor speculatively executed a vzeroupper, but then discovers that there was a branch misprediction? Well, we will have to revert that operation and put things back the way they were… maybe we can just unset that z-bit?
If we return to the analogy of malloc and free, you can see that it can’t be that simple - that would be like calling free() on a pointer, and then changing your mind!
That would be a use-after-free vulnerability, but there is no such thing as a use-after-free in a CPU… or is there?
source: L
CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt [www.qualys.com]
2023-07-21 20:31
tags:
best
c
exploit
library
linux
security
turtles
While browsing through ssh-agent’s source code, we noticed that a remote attacker, who has access to the remote server where Alice’s ssh-agent is forwarded to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib on Alice’s workstation (via her forwarded ssh-agent, if it is compiled with ENABLE_PKCS11, which is the default).
Surprisingly, by chaining four common side effects of shared libraries from official distribution packages, we were able to transform this very limited primitive (the dlopen() and dlclose() of shared libraries from /usr/lib) into a reliable, one-shot remote code execution in ssh-agent (despite ASLR, PIE, and NX). Our best proofs of concept so far exploit default installations of Ubuntu Desktop plus three extra packages from Ubuntu’s “universe” repository. We believe that even better results can be achieved (i.e., some operating systems might be exploitable in their default installation):
source: HN