253 matches found
Taking a page from the kernel's book: A TLB issue in mremap()
Posted by Jann Horn, Project Zero This is a technical blog post about TLB flushing bugs in kernels, intended for people interested in kernel security and memory management. Introduction: Bugs in Memory Management code There have been some pretty scary bugs in memory management in the past, like:...
On VBScript
Posted by Ivan Fratric, Google Project Zero Introduction Vulnerabilities in the VBScript scripting engine are a well known way to attack Microsoft Windows. In order to reduce this attack surface, in Windows 10 Fall Creators Update, Microsoft disabled VBScript execution in Internet Explorer in the...
Searching statically-linked vulnerable library functions in executable code
Helping researchers find 0ld days Posted by Thomas Dullien, Project Zero Executive summary Software supply chains are increasingly complicated, and it can be hard to detect statically-linked copies of vulnerable third-party libraries in executables. This blog post discusses the technical details ...
Adventures in Video Conferencing Part 5: Where Do We Go from Here?
Posted by Natalie Silvanovich, Project Zero Overall, our video conferencing research found a total of 11 bugs in WebRTC, FaceTime and WhatsApp. The majority of these were found through less than 15 minutes of mutation fuzzing RTP. We were surprised to find remote bugs so easily in code that is so...
Adventures in Video Conferencing Part 4: What Didn't Work Out with WhatsApp
Posted by Natalie Silvanovich, Project Zero Not every attempt to find bugs is successful. When looking at WhatsApp, we spent a lot of time reviewing call signalling hoping to find a remote, interaction-less vulnerability. No such bugs were found. We are sharing our work with the hopes of saving...
Adventures in Video Conferencing Part 3: The Even Wilder World of WhatsApp
Posted by Natalie Silvanovich, Project Zero WhatsApp is another application that supports video conferencing that does not use WebRTC as its core implementation. Instead, it uses PJSIP, which contains some WebRTC code, but also contains a substantial amount of other code, and predates the WebRTC...
Adventures in Video Conferencing Part 2: Fun with FaceTime
Posted by Natalie Silvanovich, Project Zero FaceTime is Apple’s video conferencing application for iOS and Mac. It is closed source, and does not appear to use any third-party libraries for its core functionality. I wondered whether fuzzing the contents of FaceTime’s audio and video streams would...
Adventures in Video Conferencing Part 1: The Wild World of WebRTC
Posted by Natalie Silvanovich, Project Zero Over the past five years, video conferencing support in websites and applications has exploded. Facebook, WhatsApp, FaceTime and Signal are just a few of the many ways that users can make audio and video calls across networks. While a lot of research ha...
Injecting Code into Windows Protected Processes using COM - Part 2
Posted by James Forshaw, Project Zero In my previous blog I discussed a technique which combined numerous issues I’ve previously reported to Microsoft to inject arbitrary code into a PPL-WindowsTCB process. The techniques presented don’t work for exploiting the older, stronger Protected Processes...
Heap Feng Shader: Exploiting SwiftShader in Chrome
Posted by Mark Brand, Google Project Zero On the majority of systems, under normal conditions, SwiftShader will never be used by Chrome - it’s used as a fallback if you have a known-bad “blacklisted” graphics card or driver. However, Chrome can also decide at runtime that your graphics driver is...
Deja-XNU
Posted by Ian Beer, Google Project Zero This blog post revisits an old bug found by Pangu Team and combines it with a new, albeit very similar issue I recently found to try to build a "perfect" exploit for iOS 7.1.2. State of the art An idea I've wanted to play with for a while is to revisit old...
Injecting Code into Windows Protected Processes using COM - Part 1
Posted by James Forshaw, Google Project Zero At Recon Montreal 2018 I presented “Unknown Known DLLs and other Code Integrity Trust Violations” with Alex Ionescu. We described the implementation of Microsoft Windows’ Code Integrity mechanisms and how Microsoft implemented Protected Processes PP. A...
365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools
Posted by Ivan Fratric, Google Project Zero Around a year ago, we published the results of research about the resilience of modern browsers against DOM fuzzing, a well-known technique for finding browser bugs. Together with the bug statistics we also published Domato, our DOM fuzzing tool that wa...
A cache invalidation bug in Linux memory management
Posted by Jann Horn, Google Project Zero This blogpost describes a way to exploit a Linux kernel bug CVE-2018-17182 that exists since kernel version 3.16. While the bug itself is in code that is reachable even from relatively strongly sandboxed contexts, this blogpost only describes a way to...
OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB
Posted by Jann Horn, Google Project Zero Recently, there has been some attention around the topic of physical attacks on smartphones, where an attacker with the ability to connect USB devices to a locked phone attempts to gain access to the data stored on the device. This blogpost describes how...
The Problems and Promise of WebAssembly
Posted by Natalie Silvanovich, Project Zero WebAssembly is a format that allows code written in assembly-like instructions to be run from JavaScript. It has recently been implemented in all four major browsers. We reviewed each browser’s WebAssembly implementation and found three vulnerabilities...
Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege
Posted by James Forshaw, Project Zero And we’re back again for another blog in my series on Windows Exploitation tricks. This time I’ll detail how I was able to exploit Issue 1550 which results in an arbitrary object directory being created by using a useful behavior of the CSRSS privileged...
Adventures in vulnerability reporting
Posted by Natalie Silvanovich, Project Zero At Project Zero, we spend a lot of time reporting security bugs to vendors. Most of the time, this is a fairly straightforward process, but we occasionally encounter challenges getting information about vulnerabilities into the hands of vendors. Since i...
Drawing Outside the Box: Precision Issues in Graphic Libraries
By Mark Brand and Ivan Fratric, Google Project Zero In this blog post, we are going to write about a seldom seen vulnerability class that typically affects graphic libraries though it can also occur in other types of software. The root cause of such issues is using limited precision arithmetic in...
Detecting Kernel Memory Disclosure – Whitepaper
Posted by Mateusz Jurczyk, Project Zero Since early 2017, we have been working on Bochspwn Reloaded – a piece of dynamic binary instrumentation built on top of the Bochs IA-32 software emulator, designed to identify memory disclosure vulnerabilities in operating system kernels. Over the course of...
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge
Posted by Ivan Fratric, Project Zero With Windows 10 Creators Update, Microsoft introduced a new security mitigation in Microsoft Edge: Arbitrary Code Guard ACG. When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within a process or...
Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege
Posted by James Forshaw, Project Zero Previously I presented a technique to exploit arbitrary directory creation vulnerabilities on Windows to give you read access to any file on the system. In the upcoming Spring Creators Update RS4 the abuse of mount points to link to files as I exploited in th...
Reading privileged memory with a side-channel
Posted by Jann Horn, Project Zero We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to at worst arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. Variants of this...
aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript
by Ivan Fratric, Thomas Dullien, James Forshaw and Steven Vittitoe Intro Many widely-deployed technologies, viewed through 20/20 hindsight, seem like an odd or unnecessarily risky idea. Engineering decisions in IT are often made with imperfect information and under time pressure, and some odditie...
Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices
Posted by Gal Beniamini, Project Zero In this blog post we’ll complete our goal of achieving remote kernel code execution on the iPhone 7, by means of Wi-Fi communication alone. After developing a Wi-Fi firmware exploit in the previous blog post, we are left with the task of using our newly...
Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs
Posted by Mateusz Jurczyk of Google Project Zero Patch diffing is a common technique of comparing two binary builds of the same code – a known-vulnerable one and one containing a security fix. It is often used to determine the technical details behind ambiguously-worded bulletins, and to establis...
Over The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices
Posted by Gal Beniamini, Project Zero In this blog post we’ll continue our journey towards over-the-air exploitation of the iPhone, by means of Wi-Fi communication alone. This part of the research will focus on the firmware running on Broadcom’s Wi-Fi SoC present on the iPhone 7. We’ll begin by...
Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices
Posted by Gal Beniamini, Project Zero Earlier this year we performed research into Broadcom’s Wi-Fi stack. Due to the ubiquity of Broadcom’s stack, we chose to conduct our prior research through the lens of one affected family of products -- the Android ecosystem. To paint a more complete picture...
The Great DOM Fuzz-off of 2017
Posted by Ivan Fratric, Project Zero Introduction Historically, DOM engines have been one of the largest sources of web browser bugs. And while in the recent years the popularity of those kinds of bugs in targeted attacks has somewhat fallen in favor of Flash which allows for cross-browser exploi...
Bypassing VirtualBox Process Hardening on Windows
Posted by James Forshaw, Project Zero Processes on Windows are securable objects, which prevents one user logged into a Windows machine from compromising another user’s processes. This is a pretty important security feature, at least from the perspective of a non-administrator user. The security...
Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read
Posted by James Forshaw, Project Zero For the past couple of months I’ve been presenting my “Introduction to Windows Logical Privilege Escalation Workshop” at a few conferences. The restriction of a 2 hour slot fails to do the topic justice and some interesting tips and tricks I would like to...
Trust Issues: Exploiting TrustZone TEEs
Posted by Gal Beniamini, Project Zero Mobile devices are becoming an increasingly privacy-sensitive platform. Nowadays, devices process a wide range of personal and private information of a sensitive nature, such as biometric identifiers, payment data and cryptographic keys. Additionally, modern...
Exploiting the Linux kernel via packet sockets
Guest blog post, posted by Andrey Konovalov Introduction Lately I’ve been spending some time fuzzing network-related Linux kernel interfaces with syzkaller. Besides the recently discovered vulnerability in DCCP sockets, I also found another one, this time in packet sockets. This post describes ho...
Exploiting .NET Managed DCOM
Posted by James Forshaw, Project Zero One of the more interesting classes of security vulnerabilities are those affecting interoperability technology. This is because these vulnerabilities typically affect any application using the technology, regardless of what the application actually does. Als...
Exception-oriented exploitation on iOS
Posted by Ian Beer, Project Zero This post covers the discovery and exploitation of CVE-2017-2370, a heap buffer overflow in the machvoucherextractattrrecipetrap mach trap. It covers the bug, the development of an exploitation technique which involves repeatedly and deliberately crashing and how ...
Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)
Posted by Gal Beniamini, Project Zero In this blog post we'll continue our journey into gaining remote kernel code execution, by means of Wi-Fi communication alone. Having previously developed a remote code execution exploit giving us control over Broadcom’s Wi-Fi SoC, we are now left with the ta...
Notes on Windows Uniscribe Fuzzing
Posted by Mateusz Jurczyk of Google Project Zero Among the total of 119 vulnerabilities with CVEs fixed by Microsoft in the March Patch Tuesday a few weeks ago, there were 29 bugs reported by us in the font-handling code of the Uniscribe library. Admittedly the subject of font-related security ha...
Pandavirtualization: Exploiting the Xen hypervisor
Posted by Jann Horn, Project Zero On 2017-03-14, I reported a bug to Xen's security team that permits an attacker with control over the kernel of a paravirtualized x86-64 Xen guest to break out of the hypervisor and gain full control over the machine's physical memory. The Xen Project publicly...
Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)
Posted by Gal Beniamini, Project Zero It’s a well understood fact that platform security is an integral part of the security of complex systems. For mobile devices, this statement rings even truer; modern mobile platforms include multiple processing units, all elaborately communicating with one...
Project Zero Prize Conclusion
Posted by Natalie Silvanovich, Project Zero On September 13, 2016 we announced the Project Zero Prize. It concluded last week with no prizes awarded. The purpose of this post is to discuss what happened and what we learned about hacking contest design. Throughout the contest, we did not receive a...
Attacking the Windows NVIDIA Driver
Posted by Oliver Chang Modern graphic drivers are complicated and provide a large promising attack surface for EoPs and sandbox escapes from processes that have access to the GPU e.g. the Chrome GPU process. In this blog post we’ll take a look at attacking the NVIDIA kernel mode Windows drivers,...
Lifting the (Hyper) Visor: Bypassing Samsung’s Real-Time Kernel Protection
Posted by Gal Beniamini, Project Zero Traditionally, the operating system’s kernel is the last security boundary standing between an attacker and full control over a target system. As such, additional care must be taken in order to ensure the integrity of the kernel. First, when a system boots, t...
Chrome OS exploit: one byte overflow and symlinks
The following article is an guest blog post from an external researcher i.e. the author is not a Project Zero or Google researcher. This post is about a Chrome OS exploit I reported to Chrome VRP in September. The Project Zero folks were nice to let me do a guest post about it, so here goes. The...
BitUnmap: Attacking Android Ashmem
Posted by Gal Beniamini, Project Zero The law of leaky abstractions states that “all non-trivial abstractions, to some degree, are leaky”. In this blog post we’ll explore the ashmem shared memory interface provided by Android and see how false assumptions about its internal operation can result i...
Breaking the Chain
Posted by James Forshaw, Wielder of Bolt Cutters. Much as we’d like it to be true, it seems undeniable that we’ll never fix all security bugs just by looking for them. One of most productive ways to dealing with this fact is to implement exploit mitigations. Project Zero considers mitigation work...
task_t considered harmful
Posted by Ian Beer, Project Zero This post discusses a design issue at the core of the XNU kernel which powers iOS and MacOS. Apple have shipped two iterations of mitigations followed yesterday by a large refactor in MacOS 10.12.1/iOS 10.1. We’ll look at the bugs, how they can be exploited to...
Announcing the Project Zero Prize
Posted by Natalie Silvanovich, Exploit Enthusiast Despite the existence of vulnerability rewards programs at Google and other companies, many unique, high-quality security bugs have been discovered as a result of hacking contests. Hoping to continue the stream of great bugs, we’ve decided to star...
Return to libstagefright: exploiting libutils on Android
Posted by Mark Brand, Invalidator of Unic�o�d�e I’ve been investigating different fuzzing approaches on some Android devices recently, and this turned up the following rather interesting bug CVE 2016-3861 fixed in the most recent Android Security Bulletin, deep in the bowels of the usermode Andro...
A Shadow of our Former Self
Posted by James Forshaw of Google Project Zero “Necessity is the Mother of Invention” as it’s said, and this is no more true than when looking for and exploiting security vulnerabilities. When new exploit mitigations are introduced, either a way of bypassing the mitigation is needed or an...
A year of Windows kernel font fuzzing #2: the techniques
Posted by Mateusz Jurczyk of Google Project Zero In part 1 of the series see here, we discussed the motivation and outcomes of our year long fuzzing effort against the Windows kernel font engine, followed by an analysis of two bug collisions with Keen Team and Hacking Team that ensued as a result...