253 matches found
The Windows Registry Adventure #1: Introduction and research results
Posted by Mateusz Jurczyk, Google Project Zero In the 20-month period between May 2022 and December 2023, I thoroughly audited the Windows Registry in search of local privilege escalation bugs. It all started unexpectedly: I was in the process of developing a coverage-based Windows kernel fuzzer...
FORCEDENTRY: Sandbox Escape
Posted by Ian Beer & Samuel Groß of Google Project Zero We want to thank Citizen Lab for sharing a sample of the FORCEDENTRY exploit with us, and Apple’s Security Engineering and Architecture SEAR group for collaborating with us on the technical analysis. Any editorial opinions reflected below ar...
CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers
Posted by Ian Beer, Google Project Zero This blog post is my analysis of a vulnerability exploited in the wild and patched in early 2021. Like the writeup published last week looking at an ASN.1 parser bug, this blog post is based on the notes I took as I was analyzing the patch and trying to...
Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641
Posted by Samuel Groß, Project Zero Introduction This is the first blog post in a three-part series that will detail how a vulnerability in iMessage can be exploited remotely without any user interaction on iOS 12.4 fixed in iOS 12.4.1 in August 2019. It is essentially a more detailed version of ...
SockPuppet: A Walkthrough of a Kernel Exploit for iOS 12.4
Posted by Ned Williamson, 20% on Project Zero Introduction I have a somewhat unique opportunity in this writeup to highlight my experience as an iOS research newcomer. Many high quality iOS kernel exploitation writeups have been published, but those often feature weaker initial primitives combine...
Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass
Posted by Samuel Groß, Project Zero This post is the second in a series about a remote, interactionless iPhone exploit over iMessage.The first blog post, which introduced the exploited vulnerability, can be found here. The initial primitive gained from the vulnerability is an absolute address...
An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit
By Ian Beer A graph representation of the sandbox escape NSExpression payload In April this year Google's Threat Analysis Group, in collaboration with Amnesty International, discovered an in-the-wild iPhone zero-day exploit chain being used in targeted attacks delivered via malicious link. The...
JITSploitation III: Subverting Control Flow
Posted by Samuel Groß, Project Zero This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed i...
Attacking ECMAScript Engines with Redefinition
Posted by Natalie Silvanovich = function return n; ECMAScript has a property where almost all functions and variables can be dynamically redefined. This can lead to vulnerabilities in situations where native code assumes a function or variable behaves a certain way when accessed or does not have...
Analyzing a Modern In-the-wild Android Exploit
By Seth Jenkins, Project Zero Introduction In December 2022, Google’s Threat Analysis Group TAG discovered an in-the-wild exploit chain targeting Samsung Android devices. TAG’s blog post covers the targeting and the actor behind the campaign. This is a technical analysis of the final stage of one...
Exploiting the DRAM rowhammer bug to gain kernel privileges
Rowhammer blog post draft Posted by Mark Seaborn, sandbox builder and breaker, with contributions by Thomas Dullien, reverse engineer This guest post continues Project Zero’s practice of promoting excellence in security research on the Project Zero blog Overview “Rowhammer” is a problem with some...
Fuzzing Closed-Source JavaScript Engines with Coverage Feedback
Posted by Ivan Fratric, Project Zero tl;dr I combined Fuzzilli an open-source JavaScript engine fuzzer, with TinyInst an open-source dynamic instrumentation library for fuzzing. I also added grammar-based mutation support to Jackalope my black-box binary fuzzer. So far, these two approaches...
Taking a page from the kernel's book: A TLB issue in mremap()
Posted by Jann Horn, Project Zero This is a technical blog post about TLB flushing bugs in kernels, intended for people interested in kernel security and memory management. Introduction: Bugs in Memory Management code There have been some pretty scary bugs in memory management in the past, like:...
In-the-wild iOS Exploit Chain 4
Posted by Ian Beer, Project Zero TL;DR This exploit chain supported iOS 12-12.1, although the two vulnerabilities were unpatched when we discovered the chain in the wild. It was these two vulnerabilities which we reported to Apple with a 7-day deadline, leading to the release of iOS 12.1.4. The...
A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain
Posted by Maddie Stone, Project Zero Note: The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device ...
Zooming in on Zero-click Exploits
Posted by Natalie Silvanovich, Project Zero Zoom is a video conferencing platform that has gained popularity throughout the pandemic. Unlike other video conferencing systems that I have investigated, where one user initiates a call that other users must immediately accept or reject, Zoom calls ar...
Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)
Posted by Gal Beniamini, Project Zero It’s a well understood fact that platform security is an integral part of the security of complex systems. For mobile devices, this statement rings even truer; modern mobile platforms include multiple processing units, all elaborately communicating with one...
DER Entitlements: The (Brief) Return of the Psychic Paper
Posted by Ivan Fratric, Project Zero Note: The vulnerability discussed here, CVE-2022-42855, was fixed in iOS 15.7.2 and macOS Monterey 12.6.2. While the vulnerability did not appear to be exploitable on iOS 16 and macOS Ventura, iOS 16.2 and macOS Ventura 13.1 nevertheless shipped hardening...
JITSploitation I: A JIT Bug
By Samuel Groß, Project Zero This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS...
Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs
Posted by Mateusz Jurczyk of Google Project Zero Patch diffing is a common technique of comparing two binary builds of the same code – a known-vulnerable one and one containing a security fix. It is often used to determine the technical details behind ambiguously-worded bulletins, and to establis...
Enabling QR codes in Internet Explorer, or a story of a cross-platform memory disclosure
Posted by Mateusz Jurczyk of Google Project Zero In the previous series of posts parts 1 2 3 4, we discussed the exploitation process of a serious “blend” vulnerability CVE-2015-0093 / CVE-2015-3052, which was special in that it provided the attacker with an extremely powerful primitive arbitrary...
Fuzzing ImageIO
Posted by Samuel Groß, Project Zero This blog post discusses an old type of issue, vulnerabilities in image format parsers, in a newer context: on interactionless code paths in popular messenger apps. This research was focused on the Apple ecosystem and the image parsing API provided by it: the...
Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege
Posted by James Forshaw, Project Zero And we’re back again for another blog in my series on Windows Exploitation tricks. This time I’ll detail how I was able to exploit Issue 1550 which results in an arbitrary object directory being created by using a useful behavior of the CSRSS privileged...
Racing against the clock -- hitting a tiny kernel race window
TL;DR: How to make a tiny kernel race window really large even on kernels without CONFIGPREEMPT: use a cache miss to widen the race window a little bit make a timerfd expire in that window which will run in an interrupt handler - in other words, in hardirq context make sure that the wakeup...
Fuzzing iOS code on macOS at native speed
Or how iOS apps on macOS work under the hood Posted by Samuel Groß, Project Zero This short post explains how code compiled for iOS can be run natively on Apple Silicon Macs. With the introduction of Apple Silicon Macs, Apple also made it possible to run iOS apps natively on these Macs. This is...
Exploiting Android Messengers with WebRTC: Part 3
Posted by Natalie Silvanovich, Project Zero This is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. CVE-2020-6514 discussed in the blog post was fixed on July 14 with these CLs.This series highlights what can go wrong when applications don't apply WebRTC...
MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface
Posted by Mateusz Jurczyk, Project Zero This post is the first of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. New posts will be published a...
Adventures in Video Conferencing Part 2: Fun with FaceTime
Posted by Natalie Silvanovich, Project Zero FaceTime is Apple’s video conferencing application for iOS and Mac. It is closed source, and does not appear to use any third-party libraries for its core functionality. I wondered whether fuzzing the contents of FaceTime’s audio and video streams would...
MMS Exploit Part 5: Defeating Android ASLR, Getting RCE
Posted by Mateusz Jurczyk, Project Zero This post is the fifth and final of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. Previous posts are...
The Many Possibilities of CVE-2019-8646
Posted by Natalie Silvanovich, Project Zero CVE-2019-8646 is a somewhat unusual vulnerability I reported in iMessage. It has a number of consequences, including information leakage and the ability to remotely read files on a device. This blog post discusses the ways that an attacker could use thi...
Pandavirtualization: Exploiting the Xen hypervisor
Posted by Jann Horn, Project Zero On 2017-03-14, I reported a bug to Xen's security team that permits an attacker with control over the kernel of a paravirtualized x86-64 Xen guest to break out of the hypervisor and gain full control over the machine's physical memory. The Xen Project publicly...
Exploiting CVE-2022-42703 - Bringing back the stack attack
Seth Jenkins, Project Zero This blog post details an exploit for CVE-2022-42703 P0 issue 2351 - Fixed 5 September 2022, a bug Jann Horn found in the Linux kernel's memory management MM subsystem that leads to a use-after-free on struct anonvma. As the bug is very complex I certainly struggle to...
Internet Explorer EPM Sandbox Escape CVE-2014-6350
Posted by James Forshaw This month Microsoft fixed 3 different Internet Explorer Enhanced Protected Mode EPM sandbox escapes which I disclosed in August. Sandboxes are one of the main areas of interest for Project Zero and me in particular as they are choke points for an attacker successfully...
You Won't Believe what this One Line Change Did to the Chrome Sandbox
Posted by James Forshaw, Project Zero The Chromium sandbox on Windows has stood the test of time. It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the...
Virtually Unlimited Memory: Escaping the Chrome Sandbox
Posted by Mark Brand, Exploit Technique Archaeologist. Introduction After discovering a collection of possible sandbox escape vulnerabilities in Chrome, it seemed worthwhile to exploit one of these issues as a full-chain exploit together with a renderer vulnerability to get a better understanding...
A year of Windows kernel font fuzzing #1: the results
Posted by Mateusz Jurczyk of Google Project Zero This post series is about how we used at-scale fuzzing to discover and report a total of 16 vulnerabilities in the handling of TrueType and OpenType fonts in the Windows kernel during the last year. In part 1 here, we present a general overview of...
Windows 10^H^H Symbolic Link Mitigations
Posted by James Forshaw, abusing symbolic links like it’s 1999. For the past couple of years I’ve been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I’ve used multiple times is abusing the symbolic link...
Attacking the Qualcomm Adreno GPU
Posted by Ben Hawkes, Project Zero When writing an Android exploit, breaking out of the application sandbox is often a key step. There are a wide range of remote attacks that give you code execution with the privileges of an application like the browser or a messaging application, but a sandbox...
Exception-oriented exploitation on iOS
Posted by Ian Beer, Project Zero This post covers the discovery and exploitation of CVE-2017-2370, a heap buffer overflow in the machvoucherextractattrrecipetrap mach trap. It covers the bug, the development of an exploitation technique which involves repeatedly and deliberately crashing and how ...
Bypassing VirtualBox Process Hardening on Windows
Posted by James Forshaw, Project Zero Processes on Windows are securable objects, which prevents one user logged into a Windows machine from compromising another user’s processes. This is a pretty important security feature, at least from the perspective of a non-administrator user. The security...
Finding and exploiting ntpd vulnerabilities
Posted by Stephen Röttger, Time Lord Foreword by Chris Evans: this post by Stephen represents the first Project Zero guest blog post. From time to time, we’ll be featuring guest blog posts for top-tier security research. In this instance, we’ve been impressed by the remotely exploitable nature of...
Gregor Samsa: Exploiting Java's XML Signature Verification
By Felix Wilhelm, Project Zero Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A custom JIT compiler processing untrusted XSLT programs, exposed to remote attackers during XML signature verification. This post discusses CVE-2022-34169, an...
Revisiting Apple IPC: (1) Distributed Objects
Posted by Ian Beer of Google Project Zero Earlier this year I gave a talk at the inaugural Jailbreak Security Summit entitled Auditing and Exploiting Apple IPC slides | video . As part of my research for that talk I wanted to find at least one bug involving each of the available IPC mechanisms on...
One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation
Posted by Mateusz Jurczyk of Google Project Zero This is the final part 4 of the “One font vulnerability to rule them all” blog post series. In the previous posts, we introduced the “blend” PostScript operator vulnerability and successfully used it to first exploit Adobe Reader, and later escape...
Driving forward in Android drivers
Posted by Seth Jenkins, Google Project Zero Introduction Android's open-source ecosystem has led to an incredible diversity of manufacturers and vendors developing software that runs on a broad variety of hardware. This hardware requires supporting drivers, meaning that many different codebases...
Mind the Gap
By Ian Beer, Project Zero Note: The vulnerabilities discussed in this blog post CVE-2022-33917 are fixed by the upstream vendor, but at the time of publication, these fixes have not yet made it downstream to affected Android devices including Pixel, Samsung, Xiaomi, Oppo and others. Devices with ...
Between a Rock and a Hard Link
Posted by James Forshaw, File System Enthusiast In a previous blog post I described some of the changes that Microsoft has made to the handling of symbolic links from a sandboxed process. This has an impact on the exploitation of privileged file overwrites for sandbox escapes. Windows does suppor...
Splitting atoms in XNU
Posted by Ian Beer, Google Project Zero TL;DR A locking bug in the XNU virtual memory subsystem allowed violation of the preconditions required for the correctness of an optimized virtual memory operation. This was abused to create shared memory where it wasn't expected, allowing the creation of ...
Reading privileged memory with a side-channel
Posted by Jann Horn, Project Zero We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to at worst arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. Variants of this...
Trust Issues: Exploiting TrustZone TEEs
Posted by Gal Beniamini, Project Zero Mobile devices are becoming an increasingly privacy-sensitive platform. Nowadays, devices process a wide range of personal and private information of a sensitive nature, such as biometric identifiers, payment data and cryptographic keys. Additionally, modern...