253 matches found
Owning Internet Printing - A Case Study in Modern Software Exploitation
Guest posted by Neel Mehta [email protected] - June 19th, 2015 Abstract Modern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring...
MTE As Implemented, Part 3: The Kernel
By Mark Brand, Project Zero Background In 2018, in the v8.5a version of the ARM architecture, ARM proposed a hardware implementation of tagged memory, referred to as MTE Memory Tagging Extensions. In Part 1 we discussed testing the technical and implementation limitations of MTE on the hardware...
A walk through Project Zero metrics
Posted by Ryan Schoen, Project Zero tl;dr In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago. In addition to the average now being well below the 90-day deadline, w...
Deja-XNU
Posted by Ian Beer, Google Project Zero This blog post revisits an old bug found by Pangu Team and combines it with a new, albeit very similar issue I recently found to try to build a "perfect" exploit for iOS 7.1.2. State of the art An idea I've wanted to play with for a while is to revisit old...
MTE As Implemented, Part 2: Mitigation Case Studies
By Mark Brand, Project Zero Background In 2018, in the v8.5a version of the ARM architecture, ARM proposed a hardware implementation of tagged memory, referred to as MTE Memory Tagging Extensions. In Part 1 we discussed testing the technical and implementation limitations of MTE on the hardware...
Examining Pointer Authentication on the iPhone XS
Posted by Brandon Azad, Project Zero In this post I examine Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS, with a focus on how Apple has improved over the ARM standard. I then demonstrate a way to use an arbitrary kernel read/write primitive to forge kernel...
365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools
Posted by Ivan Fratric, Google Project Zero Around a year ago, we published the results of research about the resilience of modern browsers against DOM fuzzing, a well-known technique for finding browser bugs. Together with the bug statistics we also published Domato, our DOM fuzzing tool that wa...
Adventures in vulnerability reporting
Posted by Natalie Silvanovich, Project Zero At Project Zero, we spend a lot of time reporting security bugs to vendors. Most of the time, this is a fairly straightforward process, but we occasionally encounter challenges getting information about vulnerabilities into the hands of vendors. Since i...
Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge
Posted by Natalie Silvanovich, Planner of Bug Bashes Recently, Project Zero researched a popular Android phone, the Samsung Galaxy S6 Edge. We discovered and reported 11 high-impact security issues as a result. This post discusses our motivations behind the research, our approach in looking for...
Did the “Man With No Name” Feel Insecure?
Posted by James Forshaw, Taker of Names Sometimes when I'm doing security research I'll come across a bug which surprises me. I discovered just such a bug in the Windows version of Chrome which exposed a little-known security detail in the OS. The bug, CVE-2014-3196 was fixed in M38, so it seemed...
The Windows Registry Adventure #4: Hives and the registry layout
Posted by Mateusz Jurczyk, Google Project Zero To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit abbreviated as HKCR, HKLM, HKCU, HKU and HKCC, and each of them contains a nested tree structure that serv...
The Windows Registry Adventure #3: Learning resources
Posted by Mateusz Jurczyk, Google Project Zero When tackling a new vulnerability research target, especially a closed-source one, I prioritize gathering as much information about it as possible. This gets especially interesting when it's a subsystem as old and fundamental as the Windows registry...
OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB
Posted by Jann Horn, Google Project Zero Recently, there has been some attention around the topic of physical attacks on smartphones, where an attacker with the ability to connect USB devices to a locked phone attempts to gain access to the data stored on the device. This blogpost describes how...
One Perfect Bug: Exploiting Type Confusion in Flash
Posted by Natalie Silvanovich, Dazed and Type Confused For some attackers, it is important that an exploit be extremely reliable. That is to say, the exploit should consistently lead to code execution when it is run on a system with a known platform and Flash version. One way to create such an...
pwn4fun Spring 2014 - Safari - Part II
Posted by Ian Beer TL;DR An OS X GPU driver trusted a user-supplied kernel C++ object pointer and called a virtual function. The IOKit registry contained kernel pointers which were used defeat kASLR. A kernel ROP payload ran Calculator.app as root using a convenient kernel API. Overview of part I...
Exploiting null-dereferences in the Linux kernel
Posted by Seth Jenkins, Project Zero For a fair amount of time, null-deref bugs were a highly exploitable kernel bug class. Back when the kernel was able to access userland memory without restriction, and userland programs were still able to map the zero page, there were many easy techniques for...
task_t considered harmful
Posted by Ian Beer, Project Zero This post discusses a design issue at the core of the XNU kernel which powers iOS and MacOS. Apple have shipped two iterations of mitigations followed yesterday by a large refactor in MacOS 10.12.1/iOS 10.1. We’ll look at the bugs, how they can be exploited to...
Significant Flash exploit mitigations are live in v18.0.0.209
Posted by Mark Brand and Chris Evans, isolators of heaps Whilst Project Zero has gained a reputation for vulnerability and exploitation research, that's not all that we do. One of the main reasons we perform this research is to provide data to defenders; and one of the things that defenders can d...
The Windows Registry Adventure #8: Practical exploitation of hive memory corruption
Posted by Mateusz Jurczyk, Google Project Zero In the previous blog post, we focused on the general security analysis of the registry and how to effectively approach finding vulnerabilities in it. Here, we will direct our attention to the exploitation of hive-based memory corruption bugs, i.e.,...
Announcing the Fuzzilli Research Grant Program
Posted by Samuel Groß, Project Zero Project Zero’s mission is to make 0-day hard in order to improve end-user security. We attack this problem in different ways, including supporting other security researchers. While Google currently offers research grants, they are limited to academics and those...
How to Compromise the Enterprise Endpoint
Posted by Tavis Ormandy. Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand. Today we’re publishing...
The Windows Registry Adventure #7: Attack surface analysis
Posted by Mateusz Jurczyk, Google Project Zero In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this...
Searching statically-linked vulnerable library functions in executable code
Helping researchers find 0ld days Posted by Thomas Dullien, Project Zero Executive summary Software supply chains are increasingly complicated, and it can be hard to detect statically-linked copies of vulnerable third-party libraries in executables. This blog post discusses the technical details ...
Exploiting CVE-2014-0556 in Flash
Posted by Chris Evans, Kidnapper of RIP A couple of weeks ago, Adobe released security bulletin APSB14-21, including 8 fixes for bugs reported by Project Zero. Full details of these bugs are now public in our bug tracker. Some of the more interesting ones are a double free in the RTMP protocol, o...
Welcome to the new Project Zero Blog
Posted by Natalie Silvanovich While on Project Zero, we aim for our research to be leading-edge, our blog design was … not so much. We welcome readers to our shiny new blog! For the occasion, we asked members of Project Zero to dust off old blog posts that never quite saw the light of day. And...
The Windows Registry Adventure #2: A brief history of the feature
Posted by Mateusz Jurczyk, Google Project Zero Before diving into the low-level security aspects of the registry, it is important to understand its role in the operating system and a bit of history behind it. In essence, the registry is a hierarchical database made of named "keys" and "values",...
Windows Sandbox Attack Surface Analysis
Posted by James Forshaw, Quartermaster of Tools Analysing the attack surface of user-mode sandboxed applications is a good way to hunt for elevation of privilege vulnerabilities. Much of the task of enumerating the attack surface could be done manually, but that’s a very tedious and error prone...
Policy and Disclosure: 2021 Edition
Posted by Tim Willis, Project Zero At Project Zero, we spend a lot of time discussing and evaluating vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers, and software security norms of the broader industry. We aim to be a vulnerability research...
Enter the Vault: Authentication Issues in HashiCorp Vault
Posted by Felix Wilhelm, Project Zero Introduction In this blog post I'll discuss two vulnerabilities in HashiCorp Vault and its integration with Amazon Web Services AWS and Google Cloud Platform GCP. These issues can lead to an authentication bypass in configurations that use the aws and gcp aut...
Exploiting NVMAP to escape the Chrome sandbox - CVE-2014-5332
Posted by Lee Campbell, Graphics Pwning Unit This guest post continues Project Zero’s practice of promoting excellence in security research on the Project Zero blog Background: Chrome for Android implements a very different sandbox model to that of Chrome for Linux. One of the platform features w...
Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages
Guest post by Dillon Franke, Senior Security Engineer, 20% time on Project Zero Every second, highly-privileged MacOS system daemons accept and process hundreds of IPC messages. In some cases, these message handlers accept data from sandboxed or unprivileged processes. In this blog post, I’ll...
First handset with MTE on the market
By Mark Brand, Google Project Zero Introduction It's finally time for me to fulfill a long-standing promise. Since I first heard about ARM's Memory Tagging Extensions, I've said to far too many people at this point to be able to back out… that I'd immediately switch to the first available device...
Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices
Posted by Gal Beniamini, Project Zero In this blog post we’ll complete our goal of achieving remote kernel code execution on the iPhone 7, by means of Wi-Fi communication alone. After developing a Wi-Fi firmware exploit in the previous blog post, we are left with the task of using our newly...
BitUnmap: Attacking Android Ashmem
Posted by Gal Beniamini, Project Zero The law of leaky abstractions states that “all non-trivial abstractions, to some degree, are leaky”. In this blog post we’ll explore the ashmem shared memory interface provided by Android and see how false assumptions about its internal operation can result i...
Windows Drivers are True’ly Tricky
Posted by James Forshaw, Driving for Bugs Auditing a product for security vulnerabilities can be a difficult challenge, and there’s no guarantee you’ll catch all vulnerabilities even when you do. This post describes an issue I identified in the Windows Driver code for Truecrypt, which has already...
One font vulnerability to rule them all #3: Windows 8.1 32-bit sandbox escape exploitation
Posted by Mateusz Jurczyk of Google Project Zero This is part 3 of the “One font vulnerability to rule them all” blog post series. In the previous posts, we introduced the “blend” PostScript operator vulnerability, discussed the Charstring primitives necessary to fully control the stack contents...
Heap Feng Shader: Exploiting SwiftShader in Chrome
Posted by Mark Brand, Google Project Zero On the majority of systems, under normal conditions, SwiftShader will never be used by Chrome - it’s used as a fallback if you have a known-bad “blacklisted” graphics card or driver. However, Chrome can also decide at runtime that your graphics driver is...
aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript
by Ivan Fratric, Thomas Dullien, James Forshaw and Steven Vittitoe Intro Many widely-deployed technologies, viewed through 20/20 hindsight, seem like an odd or unnecessarily risky idea. Engineering decisions in IT are often made with imperfect information and under time pressure, and some odditie...
One font vulnerability to rule them all #2: Adobe Reader RCE exploitation
Posted by Mateusz Jurczyk of Google Project Zero This is part 2 of the “One font vulnerability to rule them all” blog post series. In part 1 “introducing the BLEND vulnerability”, we discussed how developments in the digital typography field in the last four decades shaped the various font format...
A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby
Posted by Natalie Silvanovich Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to...
MTE As Implemented, Part 1: Implementation Testing
By Mark Brand, Project Zero Background In 2018, in the v8.5a version of the ARM architecture, ARM proposed a hardware implementation of tagged memory, referred to as MTE Memory Tagging Extensions. Through mid-2022 and early 2023, Project Zero had access to pre-production hardware implementing thi...
Oops, I missed it again!
Written by Brandon Azad, when working at Project Zero This is a quick anecdotal post describing one of the more frustrating aspects of vulnerability research: realizing that you missed a bug that was staring you in the face only once you see the patched version! Some suspicious code After writing...
Calling Local Windows RPC Servers from .NET
Posted by James Forshaw, Project Zero As much as I enjoy finding security vulnerabilities in Windows, in many ways I prefer the challenge of writing the tools to make it easier for me and others to do the hunting. This blog post gives an overview of using some recent tooling I’ve released as part...
Chrome OS exploit: one byte overflow and symlinks
The following article is an guest blog post from an external researcher i.e. the author is not a Project Zero or Google researcher. This post is about a Chrome OS exploit I reported to Chrome VRP in September. The Project Zero folks were nice to let me do a guest post about it, so here goes. The...
Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529
Posted by Dillon Franke, Google Information Security Engineering, 20% time on Project Zero In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability CVE-2024-54529 and a double-free vulnerability CVE-2025-312...
Blasting Past Webp
An analysis of the NSO BLASTPASS iMessage exploit Posted by Ian Beer, Google Project Zero On September 7, 2023 Apple issued an out-of-band security update for iOS: Around the same time on September 7th 2023, Citizen Lab published a blog post linking the two CVEs fixed in iOS 16.6.1 to an "NSO Gro...
Summary: MTE As Implemented
By Mark Brand, Project Zero In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the...
MMS Exploit Part 2: Effective Fuzzing of the Qmage Codec
Posted by Mateusz Jurczyk, Project Zero This post is the second of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. New posts will be published ...
The story of Adobe Reader symbols
Posted by Mateusz Jurczyk, Project Zero Modern day security analysis of client applications is often hindered by the inaccessibility of their source code and other aids such as debug symbols. As a result, it is necessary to perform completely black-box reverse engineering of the software, in orde...
A year of Windows kernel font fuzzing #2: the techniques
Posted by Mateusz Jurczyk of Google Project Zero In part 1 of the series see here, we discussed the motivation and outcomes of our year long fuzzing effort against the Windows kernel font engine, followed by an analysis of two bug collisions with Keen Team and Hacking Team that ensued as a result...