MMS Exploit Part 4: MMS Primer, Completing the ASLR Oracle
Posted by Mateusz Jurczyk, Project Zero This post is the fourth of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. New posts will be published ...
Exploiting Android Messengers with WebRTC: Part 1
Posted by Natalie Silvanovich, Project Zero This is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. This series highlights what can go wrong when applications don't apply WebRTC patches and when the communication and notification of security issues breaks...
The core of Apple is PPL: Breaking the XNU kernel's kernel
Posted by Brandon Azad, Project Zero While doing research for the one-byte exploit technique, I considered several ways it might be possible to bypass Apple's Page Protection Layer (PPL) using just a physical address mapping primitive, that is, before obtaining kernel read/write or defeating PAC...
One Byte to rule them all
Posted by Brandon Azad, Project Zero One Byte to rule them all, One Byte to type them, One Byte to map them all, and in userspace bind them -- Comment above vm_map_copy_t For the last several years, nearly all iOS kernel exploits have followed the same high-level flow: memory corruption and fake Mac...
Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019
Posted by Maddie Stone, Project Zero In May 2019, Project Zero released our tracking spreadsheet for 0-days used “in the wild” and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post...
Root Cause Analyses for 0-day In-the-Wild Exploits
Posted by Maddie Stone, Project Zero When a 0-day is exploited in the wild AND it is detected, we need to use that as an opportunity to learn as much as possible about the vulnerability and the exploit if we hope to make 0-day hard. One of the main methods to do that is to perform a root cause...
MMS Exploit Part 3: Constructing the Memory Corruption Primitives
Posted by Mateusz Jurczyk, Project Zero This post is the third of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. New posts will be published a...
MMS Exploit Part 2: Effective Fuzzing of the Qmage Codec
Posted by Mateusz Jurczyk, Project Zero This post is the second of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. New posts will be published ...
MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface
Posted by Mateusz Jurczyk, Project Zero This post is the first of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. New posts will be published a...
How to unc0ver a 0-day in 4 hours or less
By Brandon Azad, Project Zero At 3 PM PDT on May 23, 2020, the unc0ver jailbreak was released for iOS 13.5 (the latest signed version at the time of release) using a zero-day vulnerability and heavy obfuscation. By 7 PM, I had identified the vulnerability and informed Apple. By 1 AM, I had sent App...
FF Sandbox Escape (CVE-2020-12388)
By James Forshaw, Project Zero In my previous blog post I discussed an issue with the Windows Kernel’s handling of Restricted Tokens which allowed me to escape the Chrome GPU sandbox. Originally I’d planned to use Firefox for the proof-of-concept as Firefox uses the same effective sandbox level a...
A survey of recent iOS kernel exploits
Posted by Brandon Azad, Project Zero I recently found myself wishing for a single online reference providing a brief summary of the high-level exploit flow of every public iOS kernel exploit in recent years; since no such document existed, I decided to create it here. This post summarizes origina...
Fuzzing ImageIO
Posted by Samuel Groß, Project Zero This blog post discusses an old type of issue, vulnerabilities in image format parsers, in a newer context: on interactionless code paths in popular messenger apps. This research was focused on the Apple ecosystem and the image parsing API provided by it: the...
You Won't Believe what this One Line Change Did to the Chrome Sandbox
Posted by James Forshaw, Project Zero The Chromium sandbox on Windows has stood the test of time. It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the...
TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln
Posted by Maddie Stone, Project Zero INTRODUCTION I’m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero’s ideas and goals around in-the-wild 0-days in a November blog post. On December’s...
Escaping the Chrome Sandbox with RIDL
Guest blog post by Stephen Röttger tl;dr: Vulnerabilities that leak cross process memory can be exploited to escape the Chrome sandbox. An attacker is still required to compromise the renderer prior to mounting this attack. To protect against attacks on affected CPUs make sure your microcode is u...
Mitigations are attack surface, too
Posted by Jann Horn, Project Zero Introduction This blog post discusses a bug leading to memory corruption in Samsung's Android kernel specifically the kernel of the Galaxy A50, A505FN - I haven't looked at Samsung's kernels for other devices. I will describe the bug and how I wrote a very...
A day^W^W Several months in the life of Project Zero - Part 2: The Chrome exploit of suffering
Posted by Sergei Glazunov and Mark Brand, Project Zero Introduction After we’d understood how the bug worked, and had passed on those details to Chrome to help them get started on a fix, we went back to our other projects. This bug remained a topic of discussion, and eventually we ran out of...
A day^W^W Several months in the life of Project Zero - Part 1: The Chrome bug of suffering
Posted by Sergei Glazunov and Mark Brand, Project Zero Introduction It was a normal week in the Project Zero office when we got an interesting email from the Chrome team — they’d been looking into a serious crash that was happening occasionally on Android builds of Chrome, but hadn’t made much...
Part II: Returning to Adobe Reader symbols on macOS
Posted by Mateusz Jurczyk, Project Zero In a blog post titled "The story of Adobe Reader symbols" published in October 2019, I presented an analysis of the debug symbols shipped with some older versions of Adobe Reader for Unix-family systems released between 1997-2013. Such symbols can prove...
Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass
Posted by Samuel Groß, Project Zero This post is the second in a series about a remote, interactionless iPhone exploit over iMessage. The first blog post, which introduced the exploited vulnerability, can be found here. The initial primitive gained from the vulnerability is an absolute address...
Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution
Posted by Samuel Groß, Project Zero This is the third and last post in a series about a remote, interactionless iPhone exploit over iMessage. The first blog post introduced the exploited vulnerability, and the second blog post described a way to perform a heapspray, leaking the shared cache base...
Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641
Posted by Samuel Groß, Project Zero Introduction This is the first blog post in a three-part series that will detail how a vulnerability in iMessage can be exploited remotely without any user interaction on iOS 12.4 (fixed in iOS 12.4.1 in August 2019). It is essentially a more detailed version of ...
Policy and Disclosure: 2020 Edition
Posted by Tim Willis, Project Zero At Project Zero, we spend a lot of time discussing and evaluating vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers, and software security norms of the larger industry. We're very happy with how well our...
Calling Local Windows RPC Servers from .NET
Posted by James Forshaw, Project Zero As much as I enjoy finding security vulnerabilities in Windows, in many ways I prefer the challenge of writing the tools to make it easier for me and others to do the hunting. This blog post gives an overview of using some recent tooling I’ve released as part...
SockPuppet: A Walkthrough of a Kernel Exploit for iOS 12.4
Posted by Ned Williamson, 20% on Project Zero Introduction I have a somewhat unique opportunity in this writeup to highlight my experience as an iOS research newcomer. Many high quality iOS kernel exploitation writeups have been published, but those often feature weaker initial primitives combine...
Bad Binder: Android In-The-Wild Exploit
Posted by Maddie Stone, Project Zero Introduction On October 3, 2019, we disclosed issue 1942 (CVE-2019-2215), which is a use-after-free in Binder in the Android kernel. The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If chained with a...
KTRW: The journey to build a debuggable iPhone
Posted by Brandon Azad, Project Zero In my role here at Project Zero, I do not use some of the tooling used by some external iOS security researchers, in particular development-fused iPhones with hardware debugging capabilities like JTAG enabled. I believe that access to such devices puts those w...
The story of Adobe Reader symbols
Posted by Mateusz Jurczyk, Project Zero Modern day security analysis of client applications is often hindered by the inaccessibility of their source code and other aids such as debug symbols. As a result, it is necessary to perform completely black-box reverse engineering of the software, in orde...
Windows Exploitation Tricks: Spoofing Named Pipe Client PID
Posted by James Forshaw, Project Zero While researching the Access Mode Mismatch in IO Manager bug class I came across an interesting feature in named pipes which allows a server to query the connected clients PID. This feature was introduced in Vista and is exposed to servers through the...
A very deep dive into iOS Exploit chains found in the wild
Posted by Ian Beer, Project Zero Project Zero’s mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere. Earlier th...
Implant Teardown
Posted by Ian Beer, Project Zero In the earlier posts we examined how the attackers gained unsandboxed code execution as root on iPhones. At the end of each chain we saw the attackers calling posix_spawn, passing the path to their implant binary which they dropped in /tmp. This starts the implant...
In-the-wild iOS Exploit Chain 4
Posted by Ian Beer, Project Zero TL;DR This exploit chain supported iOS 12-12.1, although the two vulnerabilities were unpatched when we discovered the chain in the wild. It was these two vulnerabilities which we reported to Apple with a 7-day deadline, leading to the release of iOS 12.1.4. The...
In-the-wild iOS Exploit Chain 2
Posted by Ian Beer, Project Zero TL;DR This was an exploit for a known bug class which I had been auditing for since late 2016. The same anti-pattern which lead to this vulnerability, we’ll see again in Exploit Chain 3, which follows this post. This exploit chain targets iOS 10.3 through 10.3.3...
In-the-wild iOS Exploit Chain 5
Posted by Ian Beer, Project Zero TL;DR This exploit chain is a three way collision between this attacker group, Brandon Azad from Project Zero, and @S0rryMybad from 360 security. On November 17th 2018, @S0rryMybad used this vulnerability to win $200,000 USD at the TianFu Cup PWN competition...
JSC Exploits
Posted by Samuel Groß, Project Zero In this post, we will take a look at the WebKit exploits used to gain an initial foothold onto the iOS device and stage the privilege escalation exploits. All exploits here achieve shellcode execution inside the sandboxed renderer process WebContent on iOS...
In-the-wild iOS Exploit Chain 1
Posted by Ian Beer, Project Zero TL;DR This exploit provides evidence that these exploit chains were likely written contemporaneously with their supported iOS versions; that is, the exploit techniques which were used suggest that this exploit was written around the time of iOS 10. This suggests...
In-the-wild iOS Exploit Chain 3
Posted by Ian Beer, Project Zero TL;DR This chain targeted iOS 11-11.4.1, spanning almost 10 months. This is the first chain we observed which had a separate sandbox escape exploit. The sandbox escape vulnerability was a severe security regression in libxpc, where refactoring lead to a bounds che...
The Many Possibilities of CVE-2019-8646
Posted by Natalie Silvanovich, Project Zero CVE-2019-8646 is a somewhat unusual vulnerability I reported in iMessage. It has a number of consequences, including information leakage and the ability to remotely read files on a device. This blog post discusses the ways that an attacker could use thi...
Down the Rabbit-Hole...
Posted by Tavis Ormandy, Security Research Over-Engineer. “Sometimes, hacking is just someone spending more time on something than anyone else might reasonably expect.”1 I often find it valuable to write simple test cases confirming things work the way I think they do. Sometimes I can’t explain t...
The Fully Remote Attack Surface of the iPhone
Posted by Natalie Silvanovich, Project Zero While there have been several rumours and reports of fully remote vulnerabilities affecting the iPhone being used by attackers in the last couple of years, limited information is available about the technical details of these vulnerabilities, as well as...
Trashing the Flow of Data
Posted by Stephen Röttger In this blog post I want to present crbug.com/944062, a vulnerability in Chrome’s JavaScript compiler TurboFan that was discovered independently by Samuel (saelo@) via fuzzing with fuzzilli, and by myself via manual code auditing. The bug was found in beta and was fixed...
Windows Exploitation Tricks: Abusing the User-Mode Debugger
Posted by James Forshaw, Google Project Zero I've recently been adding native user-mode debugger support to NtObjectManager. Whenever I add new functionality I have to do some research and reverse engineering to better understand how it works. In this case I wondered what access you need to debug...
Virtually Unlimited Memory: Escaping the Chrome Sandbox
Posted by Mark Brand, Exploit Technique Archaeologist. Introduction After discovering a collection of possible sandbox escape vulnerabilities in Chrome, it seemed worthwhile to exploit one of these issues as a full-chain exploit together with a renderer vulnerability to get a better understanding...
Splitting atoms in XNU
Posted by Ian Beer, Google Project Zero TL;DR A locking bug in the XNU virtual memory subsystem allowed violation of the preconditions required for the correctness of an optimized virtual memory operation. This was abused to create shared memory where it wasn't expected, allowing the creation of ...
Windows Kernel Logic Bug Class: Access Mode Mismatch in IO Manager
Posted by James Forshaw, Project Zero This blog post is an in-depth look at an interesting logic bug class in the Windows Kernel and what I did to try to get it fixed with our partners at Microsoft. The maximum impact of the bug class is local privilege escalation if kernel and driver developers...
Android Messaging: A Few Bugs Short of a Chain
Posted by Natalie Silvanovich, Project Zero About a year and a half ago, I did some research into Android messaging and mail clients. At the time, I didn’t blog about it, because though I found bugs, I wasn’t able to assemble them into a credible attack. However, in the spirit of writing about...
The Curious Case of Convexity Confusion
Posted by Ivan Fratric, Google Project Zero Intro Some time ago, I noticed a tweet about an externally reported vulnerability in Skia graphics library used by Chrome, Firefox and Android, among others. The vulnerability caught my attention for several reasons: Firstly, I looked at Skia before...
Examining Pointer Authentication on the iPhone XS
Posted by Brandon Azad, Project Zero In this post I examine Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS, with a focus on how Apple has improved over the ARM standard. I then demonstrate a way to use an arbitrary kernel read/write primitive to forge kernel...
voucher_swap: Exploiting MIG reference counting in iOS 12
Posted by Brandon Azad, Project Zero In this post I'll describe how I discovered and exploited CVE-2019-6225, a MIG reference counting vulnerability in XNU's task_swap_mach_voucher function. We'll see how to exploit this bug on iOS 12.1.2 to build a fake kernel task port, giving us the ability to re...