
253 matches found

GoogleProjectZero
added 2024/04/18 12:00 a.m., 96 views

The Windows Registry Adventure #1: Introduction and research results

Posted by Mateusz Jurczyk, Google Project Zero In the 20-month period between May 2022 and December 2023, I thoroughly audited the Windows Registry in search of local privilege escalation bugs. It all started unexpectedly: I was in the process of developing a coverage-based Windows kernel fuzzer...

CVSS 7.8 | AI score 9.2 | EPSS 0.08698
Exploits: 4

GoogleProjectZero
added 2022/03/31 12:00 a.m., 92 views

FORCEDENTRY: Sandbox Escape

Posted by Ian Beer & Samuel Groß of Google Project Zero We want to thank Citizen Lab for sharing a sample of the FORCEDENTRY exploit with us, and Apple’s Security Engineering and Architecture SEAR group for collaborating with us on the technical analysis. Any editorial opinions reflected below ar...

CVSS 8.8 | AI score 9.1 | EPSS 0.01499
Exploits: 0

GoogleProjectZero
added 2022/04/14 12:00 a.m., 87 views

CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers

Posted by Ian Beer, Google Project Zero This blog post is my analysis of a vulnerability exploited in the wild and patched in early 2021. Like the writeup published last week looking at an ASN.1 parser bug, this blog post is based on the notes I took as I was analyzing the patch and trying to...

CVSS 8.8 | AI score 8.4 | EPSS 0.02222
Exploits: 1

GoogleProjectZero
added 2020/01/09 12:00 a.m., 86 views

Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641

Posted by Samuel Groß, Project Zero Introduction This is the first blog post in a three-part series that will detail how a vulnerability in iMessage can be exploited remotely without any user interaction on iOS 12.4 (fixed in iOS 12.4.1 in August 2019). It is essentially a more detailed version of ...

CVSS 9.8 | AI score 9.3 | EPSS 0.17444
Exploits: 3

GoogleProjectZero
added 2019/12/10 12:00 a.m., 85 views

SockPuppet: A Walkthrough of a Kernel Exploit for iOS 12.4

Posted by Ned Williamson, 20% on Project Zero Introduction I have a somewhat unique opportunity in this writeup to highlight my experience as an iOS research newcomer. Many high quality iOS kernel exploitation writeups have been published, but those often feature weaker initial primitives combine...

CVSS 9.3 | AI score 8.2 | EPSS 0.2201
Exploits: 17

GoogleProjectZero
added 2020/01/09 12:00 a.m., 83 views

Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass

Posted by Samuel Groß, Project Zero This post is the second in a series about a remote, interactionless iPhone exploit over iMessage. The first blog post, which introduced the exploited vulnerability, can be found here. The initial primitive gained from the vulnerability is an absolute address...

CVSS 9.8 | AI score 9.2 | EPSS 0.17444
Exploits: 5

GoogleProjectZero
added 2023/10/13 12:00 a.m., 81 views

An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit

By Ian Beer [Figure: A graph representation of the sandbox escape NSExpression payload] In April this year Google's Threat Analysis Group, in collaboration with Amnesty International, discovered an in-the-wild iPhone zero-day exploit chain being used in targeted attacks delivered via malicious link. The...

CVSS 8.8 | AI score 8.9 | EPSS 0.27076
Exploits: 0

GoogleProjectZero
added 2020/09/01 12:00 a.m., 78 views

JITSploitation III: Subverting Control Flow

Posted by Samuel Groß, Project Zero This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed i...

CVSS 8.8 | AI score 9.4 | EPSS 0.08207
Exploits: 4

GoogleProjectZero
added 2015/08/17 12:00 a.m., 77 views

Attacking ECMAScript Engines with Redefinition

Posted by Natalie Silvanovich ECMAScript has a property where almost all functions and variables can be dynamically redefined. This can lead to vulnerabilities in situations where native code assumes a function or variable behaves a certain way when accessed or does not have...

CVSS 10 | AI score 10 | EPSS 0.99344
Exploits: 16

GoogleProjectZero
added 2023/09/19 12:00 a.m., 73 views

Analyzing a Modern In-the-wild Android Exploit

By Seth Jenkins, Project Zero Introduction In December 2022, Google’s Threat Analysis Group (TAG) discovered an in-the-wild exploit chain targeting Samsung Android devices. TAG’s blog post covers the targeting and the actor behind the campaign. This is a technical analysis of the final stage of one...

CVSS 8.8 | AI score 8.1 | EPSS 0.24738
Exploits: 4

GoogleProjectZero
added 2015/03/09 12:00 a.m., 73 views

Exploiting the DRAM rowhammer bug to gain kernel privileges

Rowhammer blog post draft Posted by Mark Seaborn, sandbox builder and breaker, with contributions by Thomas Dullien, reverse engineer This guest post continues Project Zero’s practice of promoting excellence in security research on the Project Zero blog Overview “Rowhammer” is a problem with some...

CVSS 10 | AI score 9.3 | EPSS 0.13253
Exploits: 1

GoogleProjectZero
added 2021/09/14 12:00 a.m., 72 views

Fuzzing Closed-Source JavaScript Engines with Coverage Feedback

Posted by Ivan Fratric, Project Zero tl;dr I combined Fuzzilli (an open-source JavaScript engine fuzzer) with TinyInst (an open-source dynamic instrumentation library for fuzzing). I also added grammar-based mutation support to Jackalope (my black-box binary fuzzer). So far, these two approaches...

CVSS 8.8 | AI score 8.4 | EPSS 0.31825
Exploits: 3

GoogleProjectZero
added 2019/01/17 12:00 a.m., 72 views

Taking a page from the kernel's book: A TLB issue in mremap()

Posted by Jann Horn, Project Zero This is a technical blog post about TLB flushing bugs in kernels, intended for people interested in kernel security and memory management. Introduction: Bugs in Memory Management code There have been some pretty scary bugs in memory management in the past, like:...

CVSS 7.8 | AI score 7 | EPSS 0.83524
Exploits: 85

GoogleProjectZero
added 2019/08/29 12:00 a.m., 71 views

In-the-wild iOS Exploit Chain 4

Posted by Ian Beer, Project Zero TL;DR This exploit chain supported iOS 12-12.1, although the two vulnerabilities were unpatched when we discovered the chain in the wild. It was these two vulnerabilities which we reported to Apple with a 7-day deadline, leading to the release of iOS 12.1.4. The...

CVSS 7.5 | AI score 8.3 | EPSS 0.11029
Exploits: 1

GoogleProjectZero
added 2022/11/04 12:00 a.m., 69 views

A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain

Posted by Maddie Stone, Project Zero Note: The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device ...

CVSS 7.8 | AI score 7.5 | EPSS 0.72105
Exploits: 27

GoogleProjectZero
added 2022/01/18 12:00 a.m., 67 views

Zooming in on Zero-click Exploits

Posted by Natalie Silvanovich, Project Zero Zoom is a video conferencing platform that has gained popularity throughout the pandemic. Unlike other video conferencing systems that I have investigated, where one user initiates a call that other users must immediately accept or reject, Zoom calls ar...

CVSS 9.8 | AI score 8.7 | EPSS 0.03207
Exploits: 2

GoogleProjectZero
added 2017/04/04 12:00 a.m., 67 views

Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)

Posted by Gal Beniamini, Project Zero It’s a well understood fact that platform security is an integral part of the security of complex systems. For mobile devices, this statement rings even truer; modern mobile platforms include multiple processing units, all elaborately communicating with one...

AI score 7.4
Exploits: 0

GoogleProjectZero
added 2023/01/12 12:00 a.m., 66 views

DER Entitlements: The (Brief) Return of the Psychic Paper

Posted by Ivan Fratric, Project Zero Note: The vulnerability discussed here, CVE-2022-42855, was fixed in iOS 15.7.2 and macOS Monterey 12.6.2. While the vulnerability did not appear to be exploitable on iOS 16 and macOS Ventura, iOS 16.2 and macOS Ventura 13.1 nevertheless shipped hardening...

CVSS 7.1 | AI score 7.4 | EPSS 0.00971
Exploits: 3

GoogleProjectZero
added 2020/09/01 12:00 a.m., 63 views

JITSploitation I: A JIT Bug

By Samuel Groß, Project Zero This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS...

CVSS 8.8 | AI score 9.5 | EPSS 0.08207
Exploits: 4

GoogleProjectZero
added 2017/10/05 12:00 a.m., 63 views

Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs

Posted by Mateusz Jurczyk of Google Project Zero Patch diffing is a common technique of comparing two binary builds of the same code – a known-vulnerable one and one containing a security fix. It is often used to determine the technical details behind ambiguously-worded bulletins, and to establis...

CVSS 5.5 | AI score 6 | EPSS 0.0427
Exploits: 6

GoogleProjectZero
added 2015/09/14 12:00 a.m., 63 views

Enabling QR codes in Internet Explorer, or a story of a cross-platform memory disclosure

Posted by Mateusz Jurczyk of Google Project Zero In the previous series of posts (parts 1, 2, 3, 4), we discussed the exploitation process of a serious “blend” vulnerability (CVE-2015-0093 / CVE-2015-3052), which was special in that it provided the attacker with an extremely powerful primitive arbitrary...

CVSS 10 | AI score 8 | EPSS 0.2121
Exploits: 0

GoogleProjectZero
added 2020/04/28 12:00 a.m., 61 views

Fuzzing ImageIO

Posted by Samuel Groß, Project Zero This blog post discusses an old type of issue, vulnerabilities in image format parsers, in a newer context: on interactionless code paths in popular messenger apps. This research was focused on the Apple ecosystem and the image parsing API provided by it: the...

CVSS 9.3 | AI score 7.3 | EPSS 0.09219
Exploits: 8

GoogleProjectZero
added 2018/08/14 12:00 a.m., 59 views

Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege

Posted by James Forshaw, Project Zero And we’re back again for another blog in my series on Windows Exploitation tricks. This time I’ll detail how I was able to exploit Issue 1550 which results in an arbitrary object directory being created by using a useful behavior of the CSRSS privileged...

AI score 7.4
Exploits: 0

GoogleProjectZero
added 2022/03/24 12:00 a.m., 58 views

Racing against the clock -- hitting a tiny kernel race window

TL;DR: How to make a tiny kernel race window really large even on kernels without CONFIG_PREEMPT: use a cache miss to widen the race window a little bit; make a timerfd expire in that window, which will run in an interrupt handler (in other words, in hardirq context); make sure that the wakeup...

CVSS 6.9 | AI score 7.2 | EPSS 0.00811
Exploits: 0

GoogleProjectZero
added 2021/05/20 12:00 a.m., 58 views

Fuzzing iOS code on macOS at native speed

Or how iOS apps on macOS work under the hood Posted by Samuel Groß, Project Zero This short post explains how code compiled for iOS can be run natively on Apple Silicon Macs. With the introduction of Apple Silicon Macs, Apple also made it possible to run iOS apps natively on these Macs. This is...

AI score 6.9
Exploits: 0

GoogleProjectZero
added 2020/08/06 12:00 a.m., 59 views

Exploiting Android Messengers with WebRTC: Part 3

Posted by Natalie Silvanovich, Project Zero This is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. CVE-2020-6514 discussed in the blog post was fixed on July 14 with these CLs. This series highlights what can go wrong when applications don't apply WebRTC...

CVSS 6.5 | AI score 8 | EPSS 0.0779
Exploits: 6

GoogleProjectZero
added 2020/07/16 12:00 a.m., 58 views

MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface

Posted by Mateusz Jurczyk, Project Zero This post is the first of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. New posts will be published a...

CVSS 10 | AI score 9.4 | EPSS 0.05711
Exploits: 2

GoogleProjectZero
added 2018/12/05 12:00 a.m., 58 views

Adventures in Video Conferencing Part 2: Fun with FaceTime

Posted by Natalie Silvanovich, Project Zero FaceTime is Apple’s video conferencing application for iOS and Mac. It is closed source, and does not appear to use any third-party libraries for its core functionality. I wondered whether fuzzing the contents of FaceTime’s audio and video streams would...

CVSS 9.8 | AI score 7.8 | EPSS 0.06498
Exploits: 3

GoogleProjectZero
added 2020/08/12 12:00 a.m., 57 views

MMS Exploit Part 5: Defeating Android ASLR, Getting RCE

Posted by Mateusz Jurczyk, Project Zero This post is the fifth and final of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. Previous posts are...

CVSS 10 | AI score 9.4 | EPSS 0.05711
Exploits: 2

GoogleProjectZero
added 2019/08/22 12:00 a.m., 55 views

The Many Possibilities of CVE-2019-8646

Posted by Natalie Silvanovich, Project Zero CVE-2019-8646 is a somewhat unusual vulnerability I reported in iMessage. It has a number of consequences, including information leakage and the ability to remotely read files on a device. This blog post discusses the ways that an attacker could use thi...

CVSS 7.5 | AI score 8 | EPSS 0.11029
Exploits: 1

GoogleProjectZero
added 2017/04/07 12:00 a.m., 55 views

Pandavirtualization: Exploiting the Xen hypervisor

Posted by Jann Horn, Project Zero On 2017-03-14, I reported a bug to Xen's security team that permits an attacker with control over the kernel of a paravirtualized x86-64 Xen guest to break out of the hypervisor and gain full control over the machine's physical memory. The Xen Project publicly...

CVSS 6.9 | AI score 6.2 | EPSS 0.00406
Exploits: 4

GoogleProjectZero
added 2022/12/08 12:00 a.m., 54 views

Exploiting CVE-2022-42703 - Bringing back the stack attack

Seth Jenkins, Project Zero This blog post details an exploit for CVE-2022-42703 (P0 issue 2351, fixed 5 September 2022), a bug Jann Horn found in the Linux kernel's memory management (MM) subsystem that leads to a use-after-free on struct anon_vma. As the bug is very complex I certainly struggle to...

CVSS 5.5 | AI score 7.5 | EPSS 0.00971
Exploits: 3

GoogleProjectZero
added 2014/12/01 12:00 a.m., 54 views

Internet Explorer EPM Sandbox Escape CVE-2014-6350

Posted by James Forshaw This month Microsoft fixed 3 different Internet Explorer Enhanced Protected Mode (EPM) sandbox escapes which I disclosed in August. Sandboxes are one of the main areas of interest for Project Zero and me in particular as they are choke points for an attacker successfully...

CVSS 4.3 | AI score 8.9 | EPSS 0.20558
Exploits: 0

GoogleProjectZero
added 2020/04/21 12:00 a.m., 51 views

You Won't Believe what this One Line Change Did to the Chrome Sandbox

Posted by James Forshaw, Project Zero The Chromium sandbox on Windows has stood the test of time. It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the...

CVSS 8.8 | AI score 8.5 | EPSS 0.01243
Exploits: 0

GoogleProjectZero
added 2019/04/11 12:00 a.m., 51 views

Virtually Unlimited Memory: Escaping the Chrome Sandbox

Posted by Mark Brand, Exploit Technique Archaeologist. Introduction After discovering a collection of possible sandbox escape vulnerabilities in Chrome, it seemed worthwhile to exploit one of these issues as a full-chain exploit together with a renderer vulnerability to get a better understanding...

CVSS 8.8 | AI score 8.1 | EPSS 0.12879
Exploits: 0

GoogleProjectZero
added 2016/06/27 12:00 a.m., 51 views

A year of Windows kernel font fuzzing #1: the results

Posted by Mateusz Jurczyk of Google Project Zero This post series is about how we used at-scale fuzzing to discover and report a total of 16 vulnerabilities in the handling of TrueType and OpenType fonts in the Windows kernel during the last year. In part 1 here, we present a general overview of...

CVSS 9.3 | AI score 8.4 | EPSS 0.8669
Exploits: 9

GoogleProjectZero
added 2015/08/25 12:00 a.m., 51 views

Windows 10^H^H Symbolic Link Mitigations

Posted by James Forshaw, abusing symbolic links like it’s 1999. For the past couple of years I’ve been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I’ve used multiple times is abusing the symbolic link...

CVSS 10 | AI score 7.6 | EPSS 0.12974
Exploits: 0

GoogleProjectZero
added 2020/09/08 12:00 a.m., 50 views

Attacking the Qualcomm Adreno GPU

Posted by Ben Hawkes, Project Zero When writing an Android exploit, breaking out of the application sandbox is often a key step. There are a wide range of remote attacks that give you code execution with the privileges of an application like the browser or a messaging application, but a sandbox...

CVSS 7.8 | AI score 7.8 | EPSS 0.00316
Exploits: 0

GoogleProjectZero
added 2017/04/18 12:00 a.m., 50 views

Exception-oriented exploitation on iOS

Posted by Ian Beer, Project Zero This post covers the discovery and exploitation of CVE-2017-2370, a heap buffer overflow in the mach_voucher_extract_attr_recipe_trap mach trap. It covers the bug, the development of an exploitation technique which involves repeatedly and deliberately crashing and how ...

CVSS 9.3 | AI score 7.4 | EPSS 0.11364
Exploits: 1

GoogleProjectZero
added 2017/08/23 12:00 a.m., 48 views

Bypassing VirtualBox Process Hardening on Windows

Posted by James Forshaw, Project Zero Processes on Windows are securable objects, which prevents one user logged into a Windows machine from compromising another user’s processes. This is a pretty important security feature, at least from the perspective of a non-administrator user. The security...

CVSS 8.8 | AI score 8.7 | EPSS 0.01643
Exploits: 8

GoogleProjectZero
added 2015/01/02 12:00 a.m., 48 views

Finding and exploiting ntpd vulnerabilities

Posted by Stephen Röttger, Time Lord Foreword by Chris Evans: this post by Stephen represents the first Project Zero guest blog post. From time to time, we’ll be featuring guest blog posts for top-tier security research. In this instance, we’ve been impressed by the remotely exploitable nature of...

CVSS 7.5 | AI score 8.5 | EPSS 0.7809
Exploits: 1

GoogleProjectZero
added 2022/11/02 12:00 a.m., 47 views

Gregor Samsa: Exploiting Java's XML Signature Verification

By Felix Wilhelm, Project Zero Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A custom JIT compiler processing untrusted XSLT programs, exposed to remote attackers during XML signature verification. This post discusses CVE-2022-34169, an...

CVSS 7.5 | AI score 8.2 | EPSS 0.17673
Exploits: 2

GoogleProjectZero
added 2015/09/28 12:00 a.m., 46 views

Revisiting Apple IPC: (1) Distributed Objects

Posted by Ian Beer of Google Project Zero Earlier this year I gave a talk at the inaugural Jailbreak Security Summit entitled Auditing and Exploiting Apple IPC (slides | video). As part of my research for that talk I wanted to find at least one bug involving each of the available IPC mechanisms on...

CVSS 9.3 | AI score 9.5 | EPSS 0.09027
Exploits: 2

GoogleProjectZero
added 2015/08/21 12:00 a.m., 46 views

One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation

Posted by Mateusz Jurczyk of Google Project Zero This is the final part (4) of the “One font vulnerability to rule them all” blog post series. In the previous posts, we introduced the “blend” PostScript operator vulnerability and successfully used it to first exploit Adobe Reader, and later escape...

CVSS 9.3 | AI score 7.2 | EPSS 0.19835
Exploits: 0

GoogleProjectZero
added 2024/06/13 12:00 a.m., 45 views

Driving forward in Android drivers

Posted by Seth Jenkins, Google Project Zero Introduction Android's open-source ecosystem has led to an incredible diversity of manufacturers and vendors developing software that runs on a broad variety of hardware. This hardware requires supporting drivers, meaning that many different codebases...

CVSS 7.8 | AI score 6.9 | EPSS 0.00392
Exploits: 0

GoogleProjectZero
added 2022/11/22 12:00 a.m., 45 views

Mind the Gap

By Ian Beer, Project Zero Note: The vulnerabilities discussed in this blog post (CVE-2022-33917) are fixed by the upstream vendor, but at the time of publication, these fixes have not yet made it downstream to affected Android devices including Pixel, Samsung, Xiaomi, Oppo and others. Devices with ...

CVSS 7.8 | AI score 7.9 | EPSS 0.01216
Exploits: 4

GoogleProjectZero
added 2015/12/04 12:00 a.m., 45 views

Between a Rock and a Hard Link

Posted by James Forshaw, File System Enthusiast In a previous blog post I described some of the changes that Microsoft has made to the handling of symbolic links from a sandboxed process. This has an impact on the exploitation of privileged file overwrites for sandbox escapes. Windows does suppor...

CVSS 7.5 | AI score 8.5 | EPSS 0.05065
Exploits: 1

GoogleProjectZero
added 2019/04/01 12:00 a.m., 44 views

Splitting atoms in XNU

Posted by Ian Beer, Google Project Zero TL;DR A locking bug in the XNU virtual memory subsystem allowed violation of the preconditions required for the correctness of an optimized virtual memory operation. This was abused to create shared memory where it wasn't expected, allowing the creation of ...

CVSS 9.3 | AI score 7.8 | EPSS 0.05424
Exploits: 5

GoogleProjectZero
added 2018/01/03 12:00 a.m., 44 views

Reading privileged memory with a side-channel

Posted by Jann Horn, Project Zero We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to at worst arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. Variants of this...

CVSS 5.6 | AI score 6.2 | EPSS 0.93838
Exploits: 12

GoogleProjectZero
added 2017/07/24 12:00 a.m., 44 views

Trust Issues: Exploiting TrustZone TEEs

Posted by Gal Beniamini, Project Zero Mobile devices are becoming an increasingly privacy-sensitive platform. Nowadays, devices process a wide range of personal and private information of a sensitive nature, such as biometric identifiers, payment data and cryptographic keys. Additionally, modern...

CVSS 9.3 | AI score 7.9 | EPSS 0.06906
Exploits: 3

Total number of security vulnerabilities: 253