Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques
https://pwning.tech/nftables/ [pwning.tech]
2024-03-26 23:33
tags:
best
cpu
exploit
linux
malloc
paper
programming
security
systems
In this blogpost I present several novel techniques I used to exploit a 0-day double-free bug in hardened Linux kernels (i.e. KernelCTF mitigation instances) with 93%-99% success rate. The underlying bug is input sanitization failure of netfilter verdicts. Hence, the requirements for the exploit are that nf_tables is enabled and unprivileged user namespaces are enabled. The exploit is data-only and performs an kernel-space mirroring attack (KSMA) from userland with the novel Dirty Pagedirectory technique (pagetable confusion), where it is able to link any physical address (and its permissions) to virtual memory addresses by performing just read/writes to userland addresses.
Also: https://github.com/Notselwyn/CVE-2024-1086
source: HN
Gaining kernel code execution on an MTE-enabled Pixel 8
https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/ [github.blog]
2024-03-20 07:36
tags:
android
exploit
malloc
security
systems
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that I reported to Arm on November 15, 2023 and was fixed in the Arm Mali driver version r47p0, which was released publicly on December 14, 2023. It was fixed in Android in the March security update. When exploited, this vulnerability allows a malicious Android app to gain arbitrary kernel code execution and root on the device. The vulnerability affects devices with newer Arm Mali GPUs that use the Command Stream Frontend (CSF) feature, such as Google’s Pixel 7 and Pixel 8 phones. What is interesting about this vulnerability is that it is a logic bug in the memory management unit of the Arm Mali GPU and it is capable of bypassing Memory Tagging Extension (MTE), a new and powerful mitigation against memory corruption that was first supported in Pixel 8. In this post, I’ll show how to use this bug to gain arbitrary kernel code execution in the Pixel 8 from an untrusted user application. I have confirmed that the exploit works successfully even with kernel MTE enabled by following these instructions.
source: HN
Operation Triangulation: What You Get When Attack iPhones of Researchers
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/ [securelist.com]
2023-12-27 19:52
tags:
best
cpu
exploit
investigation
iphone
security
This presentation was also the first time we had publicly disclosed the details of all exploits and vulnerabilities that were used in the attack. We discover and analyze new exploits and attacks using these on a daily basis, and we have discovered and reported more than thirty in-the-wild zero-days in Adobe, Apple, Google, and Microsoft products, but this is definitely the most sophisticated attack chain we have ever seen.
source: HN
npm search RCE? - Escape Sequence Injection
https://blog.solidsnail.com/posts/npm-esc-seq [blog.solidsnail.com]
2023-12-16 00:59
tags:
exploit
security
text
tty
turtles
In a previous post I went over a vulnerability I discovered in iTerm2 that allowed code execution in the shell by leveraging the output of a command. Today, We’ll focus on the other side of that interaction, the application running underneath the terminal.
"[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs
https://dgl.cx/2023/09/ansi-terminal-security [dgl.cx]
2023-10-20 19:20
tags:
exploit
security
text
tty
turtles
unix
This paper reflects work done in late 2022 and 2023 to audit for vulnerabilities in terminal emulators, with a focus on open source software. The results of this work were 10 CVEs against terminal emulators that could result in Remote Code Execution (RCE), in addition various other bugs and hardening opportunities were found. The exact context and severity of these vulnerabilities varied, but some form of code execution was found to be possible on several common terminal emulators across the main client platforms of today.
source: HN
Getting RCE in Chrome with incomplete object initialization in the Maglev compiler
https://github.blog/2023-10-17-getting-rce-in-chrome-with-incomplete-object-initialization-in-the-maglev-compiler/ [github.blog]
2023-10-18 19:08
tags:
browser
exploit
javascript
jit
security
In this post I’ll exploit CVE-2023-4069, a type confusion vulnerability that I reported in July 2023. The vulnerability—which allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site—is found in v8, the Javascript engine of Chrome. It was filed as bug 1465326 and subsequently fixed in version 115.0.5790.170/.171.
Getting RCE in Chrome with incorrect side effect in the JIT compiler
https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/ [github.blog]
2023-09-29 00:06
tags:
browser
exploit
javascript
jit
programming
security
In this post, I’ll exploit CVE-2023-3420, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
source: R
The WebP 0day
https://blog.isosceles.com/the-webp-0day/ [blog.isosceles.com]
2023-09-21 20:29
tags:
compression
exploit
format
fuzzing
programming
security
This means that someone, somewhere, had been caught using an exploit for this vulnerability. But who discovered the vulnerability and how was it being used? How does the vulnerability work? Why wasn’t it discovered earlier? And what sort of impact does an exploit like this have?
There are still a lot of details that are missing, but this post attempts to explain what we know about the unusual circumstances of this bug, and provides a new technical analysis and proof-of-concept trigger for CVE-2023-4863 (“the WebP 0day“).
Bluesky Exploits
https://github.com/qwell/bsky-exploits [github.com]
2023-09-13 20:32
tags:
exploit
security
social
ux
web
web
I have discovered a number of security vulnerabilities in Bluesky and atproto. Each time I’ve found something new, I’ve chosen to report it to Bluesky at security@bsky.app, as requested at https://bsky.app/.well-known/security.txt, and provide them with details. Bluesky has responded to only one of these reports, one time, 4 days after submission, saying “We appreciate the report, and we’ll be taking a closer look at the issue.”. They did not follow up on that report and they have not responded to any of my other reports.
The Internet Worm Program: An Analysis
https://spaf.cerias.purdue.edu/tech-reps/823.pdf [spaf.cerias.purdue.edu]
2023-08-25 16:24
tags:
c
dupe
exploit
paper
pdf
programming
security
unix
This report gives a detailed description of the components of the worm program—data and functions. It is based on study of two completely independent reverse-compilations of the worm and a version disassembled to VAX assembly language. Almost no source code is given in the paper because of current concerns about the state of the ‘‘immune system’’ of Internet hosts, but the description should be detailed enough to allow the reader to understand the behavior of the program.
And some modern commentary: https://infosec.exchange/@hovav/110950949212380779
Smashing the state machine: the true potential of web race conditions
https://portswigger.net/research/smashing-the-state-machine [portswigger.net]
2023-08-10 16:24
tags:
concurrency
exploit
networking
security
web
HTTP request processing isn’t atomic - any endpoint might be sending an application through invisible sub-states. This means that with race conditions, everything is multi-step. The single-packet attack solves network jitter, making it as though every attack is on a local system. This exposes vulnerabilities that were previously near-impossible to detect or exploit.
source: L
Zenbleed
https://lock.cmpxchg8b.com/zenbleed.html [lock.cmpxchg8b.com]
2023-07-25 01:47
tags:
cpu
exploit
programming
security
sidechannel
systems
What should happen if the processor speculatively executed a vzeroupper, but then discovers that there was a branch misprediction? Well, we will have to revert that operation and put things back the way they were… maybe we can just unset that z-bit?
If we return to the analogy of malloc and free, you can see that it can’t be that simple - that would be like calling free() on a pointer, and then changing your mind!
That would be a use-after-free vulnerability, but there is no such thing as a use-after-free in a CPU… or is there?
source: L
CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt [www.qualys.com]
2023-07-21 20:31
tags:
best
c
exploit
library
linux
security
turtles
While browsing through ssh-agent’s source code, we noticed that a remote attacker, who has access to the remote server where Alice’s ssh-agent is forwarded to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib on Alice’s workstation (via her forwarded ssh-agent, if it is compiled with ENABLE_PKCS11, which is the default).
Surprisingly, by chaining four common side effects of shared libraries from official distribution packages, we were able to transform this very limited primitive (the dlopen() and dlclose() of shared libraries from /usr/lib) into a reliable, one-shot remote code execution in ssh-agent (despite ASLR, PIE, and NX). Our best proofs of concept so far exploit default installations of Ubuntu Desktop plus three extra packages from Ubuntu’s “universe” repository. We believe that even better results can be achieved (i.e., some operating systems might be exploitable in their default installation):
source: HN
CAN Injection: keyless car theft
https://kentindell.github.io/2023/04/03/can-injection/ [kentindell.github.io]
2023-04-07 15:28
tags:
cars
exploit
hardware
hoipolloi
investigation
security
solder
This is a detective story about how a car was stolen - and how it uncovered an epidemic of high-tech car theft.
Now that people know how a relay attack works generally possible to defeat it: car owners keep their keys in a metal box (blocking the radio message from the car) and some car makers now supply keys that go to sleep if motionless for a few minutes (and so won’t receive the radio message from the car). Faced with this defeat but being unwilling to give up a lucrative activity, thieves moved to a new way around the security: by-passing the entire smart key system. They do this with a new attack: CAN Injection.
The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders
https://wrv.github.io/h26forge.pdf [wrv.github.io]
2023-03-28 18:51
tags:
exploit
format
fuzzing
paper
pdf
security
turtles
video
Modern video encoding standards such as H.264 are a marvel of hidden complexity. But with hidden complexity comes hidden security risk. Decoding video in practice means interacting with dedicated hardware accelerators and the proprietary, privileged software components used to drive them. The video decoder ecosystem is obscure, opaque, diverse, highly privileged, largely untested, and highly exposed—a dangerous combination.
We introduce and evaluate H26FORGE, domain-specific infrastructure for analyzing, generating, and manipulating syntactically correct but semantically spec-non-compliant video files. Using H26FORGE, we uncover insecurity in depth across the video decoder ecosystem, including kernel memory corruption bugs in iOS, memory corruption bugs in Firefox and VLC for Windows, and video accelerator and application processor kernel memory bugs in multiple Android devices.
https://github.com/h26forge/h26forge
Exploiting aCropalypse: Recovering Truncated PNGs
https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html [www.da.vidbuchanan.co.uk]
2023-03-18 19:40
tags:
android
compression
exploit
format
graphics
opsec
security
double-free vulnerability in OpenSSH server 9.1 (CVE-2023-25136)
https://marc.info/?l=oss-security&m=167628974320957&w=2 [marc.info]
2023-02-16 20:18
tags:
exploit
malloc
openbsd
programming
security
Exploiting this vulnerability will not be easy: modern memory allocators provide protections against double frees, and the impacted sshd process is unprivileged and heavily sandboxed.
Quick update: we were able to gain arbitrary control of the “rip” register through this bug (i.e., we can jump wherever we want in sshd’s address space) on an unpatched installation of OpenBSD 7.2 (which runs OpenSSH 9.1 by default). This is by no means the end of the story: this was only step 1, bypass the malloc and double-free protections.
source: L
The curious tale of a fake Carrier.app
https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html [googleprojectzero.blogspot.com]
2022-06-23 22:55
tags:
cxx
exploit
investigation
iphone
security
turtles
Six privilege escalation exploits are bundled with this app. Five are well-known, publicly available N-day exploits for older iOS versions. The sixth is not like those others at all. This blog post is the story of the last exploit and the month-long journey to understand it.
CVE-2022-23088: Exploiting A Heap Overflow In The Freebsd Wi-Fi Stack
https://www.zerodayinitiative.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-overflow-in-the-freebsd-wi-fi-stack [www.zerodayinitiative.com]
2022-06-16 18:38
tags:
exploit
freebsd
programming
security
wifi
In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of FreeBSD Kernel. This bug was originally reported to the ZDI program by a researcher known as m00nbsd and patched in April 2022 as FreeBSD-SA-22:07.wifi_meshid. The researcher has graciously provided this detailed write-up of the vulnerability and a proof-of-concept exploit demonstrating the bug.
source: L
Hertzbleed Attack
https://www.hertzbleed.com/ [www.hertzbleed.com]
2022-06-16 18:36
tags:
cpu
crypto
exploit
paper
security
sidechannel
Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.
Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.
source: HN