Lucene search: Googleprojectzero (Recent)

253 matches found

GoogleProjectZero
added 2022/11/02, 44 views

Gregor Samsa: Exploiting Java's XML Signature Verification

By Felix Wilhelm, Project Zero Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A custom JIT compiler processing untrusted XSLT programs, exposed to remote attackers during XML signature verification. This post discusses CVE-2022-34169, an...

CVSS 7.5, AI score 8.2, EPSS 0.10953
Exploits: 2
GoogleProjectZero
added 2022/10/27, 37 views

RC4 Is Still Considered Harmful

By James Forshaw, Project Zero I've been spending a lot of time researching Windows authentication implementations, specifically Kerberos. In June 2022 I found an interesting issue number 2310 with the handling of RC4 encryption that allowed you to authenticate as another user if you could either...

CVSS 8.1, AI score 8.6, EPSS 0.77878
Exploits: 6
GoogleProjectZero
added 2022/08/10, 99 views

The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)

A deep dive into an in-the-wild Android exploit Guest Post by Xingyu Jin, Android Security Research This is part one of a two-part guest blog post, where first we'll look at the root cause of the CVE-2021-0920 vulnerability. In the second post, we'll dive into the in-the-wild 0-day exploitation o...

CVSS 7, AI score 7.3, EPSS 0.00908
Exploits: 0
GoogleProjectZero
added 2022/06/30, 450 views

2022 0-day In-the-Wild Exploitation…so far

Posted by Maddie Stone, Google Project Zero This blog post is an overview of a talk, “0-day In-the-Wild Exploitation in 2022…so far”, that I gave at the FIRST conference in June 2022. The slides are available here. For the last three years, we’ve published annual year-in-review reports of 0-days...

CVSS 10, AI score 8.9, EPSS 0.9444
Exploits: 235
GoogleProjectZero
added 2022/06/23, 41 views

The curious tale of a fake Carrier.app

Posted by Ian Beer, Google Project Zero NOTE: This issue was CVE-2021-30983, which was fixed in iOS 15.2 in December 2021. Towards the end of 2021 Google's Threat Analysis Group (TAG) shared an iPhone app with me: App splash screen showing the Vodafone carrier logo and the text "My Vodafone" not the...

CVSS 9.3, AI score 7.9, EPSS 0.00499
Exploits: 0
GoogleProjectZero
added 2022/06/14, 101 views

An Autopsy on a Zombie In-the-Wild 0-day

Posted by Maddie Stone, Google Project Zero Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations. This blog is the story of a...

CVSS 8.8, AI score 8.2, EPSS 0.04022
Exploits: 1
GoogleProjectZero
added 2022/05/10, 10 views

Release of Technical Report into the AMD Security Processor

Posted by James Forshaw, Google Project Zero Today, members of Project Zero and the Google Cloud security team are releasing a technical report on a security review of AMD Secure Processor (ASP). The ASP is an isolated ARM processor in AMD EPYC CPUs that adds a root of trust and controls secure...

AI score 7.7
Exploits: 0
GoogleProjectZero
added 2022/04/19, 412 views

The More You Know, The More You Know You Don’t Know

A Year in Review of 0-days Used In-the-Wild in 2021 Posted by Maddie Stone, Google Project Zero This is our third annual year in review of 0-days exploited in-the-wild (2020, 2019). Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what w...

CVSS 10, AI score 9.7, EPSS 0.94391
Exploits: 375
GoogleProjectZero
added 2022/04/14, 86 views

CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers

Posted by Ian Beer, Google Project Zero This blog post is my analysis of a vulnerability exploited in the wild and patched in early 2021. Like the writeup published last week looking at an ASN.1 parser bug, this blog post is based on the notes I took as I was analyzing the patch and trying to...

CVSS 8.8, AI score 8.4, EPSS 0.05879
Exploits: 1
GoogleProjectZero
added 2022/04/07, 215 views

CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability

Posted by Ian Beer, Google Project Zero This blog post is my analysis of a vulnerability found by @xerub. Phrack published @xerub's writeup so go check that out first. As well as doing my own vulnerability research I also spend time trying as best as I can to keep up with the public...

CVSS 8.8, AI score 8.6, EPSS 0.05879
Exploits: 1
GoogleProjectZero
added 2022/03/31, 80 views

FORCEDENTRY: Sandbox Escape

Posted by Ian Beer & Samuel Groß of Google Project Zero We want to thank Citizen Lab for sharing a sample of the FORCEDENTRY exploit with us, and Apple’s Security Engineering and Architecture (SEAR) group for collaborating with us on the technical analysis. Any editorial opinions reflected below ar...

CVSS 8.8, AI score 9.1, EPSS 0.004
Exploits: 0
GoogleProjectZero
added 2022/03/24, 51 views

Racing against the clock -- hitting a tiny kernel race window

TL;DR: How to make a tiny kernel race window really large even on kernels without CONFIG_PREEMPT: use a cache miss to widen the race window a little bit; make a timerfd expire in that window, which will run in an interrupt handler - in other words, in hardirq context; make sure that the wakeup...

CVSS 6.9, AI score 7.2, EPSS 0.00908
Exploits: 0
GoogleProjectZero
added 2022/02/10, 28 views

A walk through Project Zero metrics

Posted by Ryan Schoen, Project Zero tl;dr In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago. In addition to the average now being well below the 90-day deadline, w...

AI score 6.6
Exploits: 0
GoogleProjectZero
added 2022/01/18, 66 views

Zooming in on Zero-click Exploits

Posted by Natalie Silvanovich, Project Zero Zoom is a video conferencing platform that has gained popularity throughout the pandemic. Unlike other video conferencing systems that I have investigated, where one user initiates a call that other users must immediately accept or reject, Zoom calls ar...

CVSS 9.8, AI score 8.7, EPSS 0.00387
Exploits: 2
GoogleProjectZero
added 2021/12/15, 206 views

A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

Posted by Ian Beer & Samuel Groß of Google Project Zero We want to thank Citizen Lab for sharing a sample of the FORCEDENTRY exploit with us, and Apple’s Security Engineering and Architecture (SEAR) group for collaborating with us on the technical analysis. The editorial opinions reflected below ar...

CVSS 7.8, AI score 6.9, EPSS 0.71973
Exploits: 2
GoogleProjectZero
added 2021/12/01, 120 views

This shouldn't have happened: A vulnerability postmortem

Posted by Tavis Ormandy, Project Zero Introduction This is an unusual blog post. I normally write posts to highlight some hidden attack surface or interesting complex vulnerability class. This time, I want to talk about a vulnerability that is neither of those things. The striking thing about thi...

CVSS 9.8, AI score 10, EPSS 0.05243
Exploits: 0
GoogleProjectZero
added 2021/10/20, 785 views

Using Kerberos for Authentication Relay Attacks

Posted by James Forshaw, Project Zero This blog post is a summary of some research I've been doing into relaying Kerberos authentication in Windows domain environments. To keep this blog shorter I am going to assume you have a working knowledge of Windows network authentication, and specifically...

CVSS 7.5, AI score 6, EPSS 0.93551
Exploits: 4
GoogleProjectZero
added 2021/10/20, 119 views

Windows Exploitation Tricks: Relaying DCOM Authentication

Posted by James Forshaw, Project Zero In my previous blog post I discussed the possibility of relaying Kerberos authentication from a DCOM connection. I was originally going to provide a more in-depth explanation of how that works, but as it's quite involved I thought it was worthy of its own blo...

CVSS 7.2, AI score 7.3, EPSS 0.09725
Exploits: 4
GoogleProjectZero
added 2021/10/19, 129 views

How a simple Linux kernel memory corruption bug can lead to complete system compromise

An analysis of current and potential kernel security mitigations Posted by Jann Horn, Project Zero Introduction This blog post describes a straightforward Linux kernel locking bug and how I exploited it against Debian Buster's 4.19.0-13-amd64 kernel. Based on that, it explores options for securit...

CVSS 7.5, AI score 7.8, EPSS 0.01592
Exploits: 1
GoogleProjectZero
added 2021/09/14, 69 views

Fuzzing Closed-Source JavaScript Engines with Coverage Feedback

Posted by Ivan Fratric, Project Zero tl;dr I combined Fuzzilli, an open-source JavaScript engine fuzzer, with TinyInst, an open-source dynamic instrumentation library for fuzzing. I also added grammar-based mutation support to Jackalope, my black-box binary fuzzer. So far, these two approaches...

CVSS 8.8, AI score 8.4, EPSS 0.34148
Exploits: 3
GoogleProjectZero
added 2021/08/19, 101 views

Understanding Network Access in Windows AppContainers

Posted by James Forshaw, Project Zero Recently I've been delving into the inner workings of the Windows Firewall. This is interesting to me as it's used to enforce various restrictions such as whether AppContainer sandboxed applications can access the network. Being able to bypass network...

AI score 6.7
Exploits: 0
GoogleProjectZero
added 2021/06/29, 120 views

An EPYC escape: Case-study of a KVM breakout

Posted by Felix Wilhelm, Project Zero Introduction KVM (for Kernel-based Virtual Machine) is the de-facto standard hypervisor for Linux-based cloud environments. Outside of Azure, almost all large-scale cloud and hosting providers are running on top of KVM, turning it into one of the fundamental...

CVSS 7.4, AI score 7.3, EPSS 0.00047
Exploits: 1
GoogleProjectZero
added 2021/05/20, 58 views

Fuzzing iOS code on macOS at native speed

Or how iOS apps on macOS work under the hood Posted by Samuel Groß, Project Zero This short post explains how code compiled for iOS can be run natively on Apple Silicon Macs. With the introduction of Apple Silicon Macs, Apple also made it possible to run iOS apps natively on these Macs. This is...

AI score 6.9
Exploits: 0
GoogleProjectZero
added 2021/04/22, 542 views

Designing sockfuzzer, a network syscall fuzzer for XNU

Posted by Ned Williamson, Project Zero Introduction When I started my 20% project – an initiative where employees are allocated twenty-percent of their paid work time to pursue personal projects – with Project Zero, I wanted to see if I could apply the techniques I had learned fuzzing Chrome to...

CVSS 9.3, AI score 8.3, EPSS 0.90832
Exploits: 17
GoogleProjectZero
added 2021/04/15, 23 views

Policy and Disclosure: 2021 Edition

Posted by Tim Willis, Project Zero At Project Zero, we spend a lot of time discussing and evaluating vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers, and software security norms of the broader industry. We aim to be a vulnerability research...

AI score 6.9
Exploits: 0
GoogleProjectZero
added 2021/04/01, 255 views

Who Contains the Containers?

Posted by James Forshaw, Project Zero This is a short blog post about a research project I conducted on Windows Server Containers that resulted in four privilege escalations which Microsoft fixed in March 2021. In the post, I describe what led to this research, my research process, and insights...

CVSS 8.8, AI score 8.8, EPSS 0.05713
Exploits: 3
GoogleProjectZero
added 2021/03/18, 172 views

In-the-Wild Series: October 2020 0-day discovery

Posted by Maddie Stone, Project Zero In October 2020, Google Project Zero discovered seven 0-day exploits being actively used in-the-wild. These exploits were delivered via "watering hole" attacks in a handful of websites pointing to two exploit servers that hosted exploit chains for Android,...

CVSS 9.6, AI score 8.5, EPSS 0.93031
Exploits: 8
GoogleProjectZero
added 2021/02/03, 248 views

Déjà vu-lnerability

A Year in Review of 0-days Exploited In-The-Wild in 2020 Posted by Maddie Stone, Project Zero 2020 was a year full of 0-day exploits. Many of the Internet’s most popular browsers had their moment in the spotlight. Memory corruption is still the name of the game and how the vast majority of detect...

CVSS 9.6, AI score 9.3, EPSS 0.93638
Exploits: 28
GoogleProjectZero
added 2021/01/28, 105 views

A Look at iMessage in iOS 14

Posted By Samuel Groß, Project Zero On December 20, Citizenlab published “The Great iPwn”, detailing how “Journalists were Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit”. Of particular interest is the following note: “We do not believe that the exploit works against iOS 14 and...

AI score 8.3
Exploits: 0
GoogleProjectZero
added 2021/01/21, 156 views

Windows Exploitation Tricks: Trapping Virtual Memory Access

Posted by James Forshaw, Project Zero This blog is a continuation of my series of Windows exploitation tricks. This one describes an exploitation trick I’ve been trying to develop for years, succeeding (mostly, more on that later) on the latest versions of Windows 10. It’s a trick to trap access to...

AI score 7.6
Exploits: 0
GoogleProjectZero
added 2021/01/19, 37 views

The State of State Machines

Posted by Natalie Silvanovich, Project Zero On January 29, 2019, a serious vulnerability was discovered in Group FaceTime which allowed an attacker to call a target and force the call to connect without user interaction from the target, allowing the attacker to listen to the target’s surroundings...

AI score 7.4
Exploits: 0
GoogleProjectZero
added 2021/01/14, 618 views

Hunting for Bugs in Windows Mini-Filter Drivers

Posted by James Forshaw, Project Zero In December Microsoft fixed 4 issues in Windows in the Cloud Filter and Windows Overlay Filter (WOF) drivers (CVE-2020-17103, CVE-2020-17134, CVE-2020-17136, CVE-2020-17139). These 4 issues were 3 local privilege escalations and a security feature bypass, and the...

CVSS 7.8, AI score 7.8, EPSS 0.84779
Exploits: 8
GoogleProjectZero
added 2021/01/12, 607 views

In-the-Wild Series: Chrome Exploits

This is part 3 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the introduction post. Posted by Sergei Glazunov, Project Zero Introduction As we continue the series on the watering hole attack...

CVSS 8.8, AI score 8.4, EPSS 0.86373
Exploits: 11
GoogleProjectZero
added 2021/01/12, 261 views

In-the-Wild Series: Chrome Infinity Bug

This is part 2 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the introduction post. Posted by Sergei Glazunov, Project Zero This post only covers one of the exploits, specifically a renderer...

CVSS 8.8, AI score 8.7, EPSS 0.39522
Exploits: 2
GoogleProjectZero
added 2021/01/12, 240 views

In-the-Wild Series: Android Exploits

This is part 4 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the introduction post. Posted by Mark Brand, Project Zero A survey of the exploitation techniques used by a high-tier attacker against...

CVSS 9.3, AI score 7.8, EPSS 0.93929
Exploits: 87
GoogleProjectZero
added 2021/01/12, 180 views

Introducing the In-the-Wild Series

This is part 1 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, head to the bottom of this post. At Project Zero we often refer to our goal simply as “make 0-day hard”. Members of the team approach this...

CVSS 8.8, AI score 8.8, EPSS 0.8702
Exploits: 9
GoogleProjectZero
added 2021/01/12, 186 views

In-the-Wild Series: Android Post-Exploitation

This is part 5 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the introduction post. Posted by Maddie Stone, Project Zero A deep-dive into the implant used by a high-tier attacker against Android...

AI score 7.6
Exploits: 0
GoogleProjectZero
added 2021/01/12, 207 views

In-the-Wild Series: Windows Exploits

This is part 6 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the introduction post. Posted by Mateusz Jurczyk and Sergei Glazunov, Project Zero In this post we'll discuss the exploits for...

CVSS 8.8, AI score 8.9, EPSS 0.8702
Exploits: 3
GoogleProjectZero
added 2020/12/21, 494 views

An iOS hacker tries Android

Written by Brandon Azad, when working at Project Zero One of the amazing aspects of working at Project Zero is having the flexibility to direct my own research agenda. My prior work has almost exclusively focused on iOS exploitation, but back in August, I thought it could be interesting to try...

CVSS 9.3, AI score 7.5, EPSS 0.44799
Exploits: 2
GoogleProjectZero
added 2020/12/01, 228 views

An iOS zero-click radio proximity exploit odyssey

Posted by Ian Beer, Project Zero NOTE: This specific issue was fixed before the launch of Privacy-Preserving Contact Tracing in iOS 13.5 in May 2020. In this demo I remotely trigger an unauthenticated kernel memory corruption vulnerability which causes all iOS devices in radio-proximity to reboot...

CVSS 9.4, AI score 8.8, EPSS 0.90832
Exploits: 12
GoogleProjectZero
added 2020/11/13, 20 views

Oops, I missed it again!

Written by Brandon Azad, when working at Project Zero This is a quick anecdotal post describing one of the more frustrating aspects of vulnerability research: realizing that you missed a bug that was staring you in the face only once you see the patched version! Some suspicious code After writing...

AI score 6.5
Exploits: 0
GoogleProjectZero
added 2020/10/06, 21 views

Enter the Vault: Authentication Issues in HashiCorp Vault

Posted by Felix Wilhelm, Project Zero Introduction In this blog post I'll discuss two vulnerabilities in HashiCorp Vault and its integration with Amazon Web Services (AWS) and Google Cloud Platform (GCP). These issues can lead to an authentication bypass in configurations that use the aws and gcp aut...

CVSS 8.2, AI score 8.7, EPSS 0.02214
Exploits: 0
GoogleProjectZero
added 2020/10/01, 26 views

Announcing the Fuzzilli Research Grant Program

Posted by Samuel Groß, Project Zero Project Zero’s mission is to make 0-day hard in order to improve end-user security. We attack this problem in different ways, including supporting other security researchers. While Google currently offers research grants, they are limited to academics and those...

AI score 7.2
Exploits: 0
GoogleProjectZero
added 2020/09/08, 47 views

Attacking the Qualcomm Adreno GPU

Posted by Ben Hawkes, Project Zero When writing an Android exploit, breaking out of the application sandbox is often a key step. There are a wide range of remote attacks that give you code execution with the privileges of an application like the browser or a messaging application, but a sandbox...

CVSS 7.8, AI score 7.8, EPSS 0.02099
Exploits: 0
GoogleProjectZero
added 2020/09/01, 77 views

JITSploitation III: Subverting Control Flow

Posted by Samuel Groß, Project Zero This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed i...

CVSS 8.8, AI score 9.4, EPSS 0.41488
Exploits: 4
GoogleProjectZero
added 2020/09/01, 181 views

JITSploitation II: Getting Read/Write

Posted by Samuel Groß, Project Zero This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed i...

CVSS 8.8, AI score 9.4, EPSS 0.41488
Exploits: 4
GoogleProjectZero
added 2020/09/01, 62 views

JITSploitation I: A JIT Bug

By Samuel Groß, Project Zero This three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS...

CVSS 8.8, AI score 9.5, EPSS 0.41488
Exploits: 4
GoogleProjectZero
added 2020/08/12, 57 views

MMS Exploit Part 5: Defeating Android ASLR, Getting RCE

Posted by Mateusz Jurczyk, Project Zero This post is the fifth and final of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. Previous posts are...

CVSS 10, AI score 9.4, EPSS 0.15223
Exploits: 2
GoogleProjectZero
added 2020/08/06, 55 views

Exploiting Android Messengers with WebRTC: Part 3

Posted by Natalie Silvanovich, Project Zero This is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. CVE-2020-6514, discussed in the blog post, was fixed on July 14 with these CLs. This series highlights what can go wrong when applications don't apply WebRTC...

CVSS 6.5, AI score 8, EPSS 0.10562
Exploits: 6
GoogleProjectZero
added 2020/08/05, 252 views

Exploiting Android Messengers with WebRTC: Part 2

Posted by Natalie Silvanovich, Project Zero This is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. This series highlights what can go wrong when applications don't apply WebRTC patches and when the communication and notification of security issues breaks...

CVSS 9.8, AI score 9.3, EPSS 0.10562
Exploits: 6

Total number of security vulnerabilities: 253