How to Compromise the Enterprise Endpoint

Posted by Tavis Ormandy. Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand. Today we’re publishing...

A year of Windows kernel font fuzzing #1: the results

Posted by Mateusz Jurczyk of Google Project Zero This post series is about how we used at-scale fuzzing to discover and report a total of 16 vulnerabilities in the handling of TrueType and OpenType fonts in the Windows kernel during the last year. In part 1 here, we present a general overview of...

Exploiting Recursion in the Linux Kernel

Posted by Jann Horn, Google Project Zero On June 1st, I reported an arbitrary recursion bug in the Linux kernel that can be triggered by a local user on Ubuntu if the system was installed with home directory encryption support. If you want to see the crasher, the exploit code and the shorter bug...

Life After the Isolated Heap

Posted by Natalie Silvanovich, Mourner of Lost Exploits Over the past few months, Adobe has introduced a number of changes to the Flash Player heap with the goal of reducing the exploitability of certain types of vulnerabilities in Flash, especially use-after-frees. I wrote an exploit involving t...

Race you to the kernel!

Posted by Ian Beer of Google Project Zero The OS X and iOS kernel code responsible for loading a setuid root binary invalidates the old task port after first swapping the new virtual memory map pointer into the old task object, leaving a short race window where you can manipulate the memory of an...

Exploiting a Leaked Thread Handle

Posted by logged on user, James Forshaw. Once in awhile you’ll find a bug that allows you to leak a handle opened in a privileged process into a lower privileged process. I found just such a bug in the Secondary Logon service on Windows, which was fixed this month as MS16-032. The bug allowed you...

The Definitive Guide on Win32 to NT Path Conversion

Posted by James Forshaw, path’ological reverse engineer. How the Win32 APIs process file paths on Windows NT is a tale filled with backwards compatibility hacks, weird behaviour, and beauty†. Incorrect handling of Win32 paths can lead to security vulnerabilities. This blog post is to try and give...

Racing MIDI messages in Chrome

This is a guest blog post by Oliver Chang from the Chrome Security team. This post is about an exceptionally bad use after free bug in Chrome’s browser process that affected Linux, Chrome OS and OS X. What makes this bug interesting is the fact that it could be directly triggered from the web...

Raising the Dead

Posted by James Forshaw, your Friendly Neighbourhood Necromancer. It’s a bit late for Halloween but the ability to resurrect the dead processes that is is an interesting type of security issue when dealing with multi-user Windows systems such as Terminal Servers. Specifically this blog is about...

FireEye Exploitation: Project Zero’s Vulnerability of the Beast

Posted by Tavis Ormandy, Chief Silver Bullet Skeptic. FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks, i.e. where traffic flows from the intranet to the internet...

Between a Rock and a Hard Link

Posted by James Forshaw, File System Enthusiast In a previous blog post I described some of the changes that Microsoft has made to the handling of symbolic links from a sandboxed process. This has an impact on the exploitation of privileged file overwrites for sandbox escapes. Windows does suppor...

Windows Sandbox Attack Surface Analysis

Posted by James Forshaw, Quartermaster of Tools Analysing the attack surface of user-mode sandboxed applications is a good way to hunt for elevation of privilege vulnerabilities. Much of the task of enumerating the attack surface could be done manually, but that’s a very tedious and error prone...

Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge

Posted by Natalie Silvanovich, Planner of Bug Bashes Recently, Project Zero researched a popular Android phone, the Samsung Galaxy S6 Edge. We discovered and reported 11 high-impact security issues as a result. This post discusses our motivations behind the research, our approach in looking for...

Windows Drivers are True’ly Tricky

Posted by James Forshaw, Driving for Bugs Auditing a product for security vulnerabilities can be a difficult challenge, and there’s no guarantee you’ll catch all vulnerabilities even when you do. This post describes an issue I identified in the Windows Driver code for Truecrypt, which has already...

Revisiting Apple IPC: (1) Distributed Objects

Posted by Ian Beer of Google Project Zero Earlier this year I gave a talk at the inaugural Jailbreak Security Summit entitled Auditing and Exploiting Apple IPC slides | video . As part of my research for that talk I wanted to find at least one bug involving each of the available IPC mechanisms on...

Kaspersky: Mo Unpackers, Mo Problems.

Posted by the notorious Tavis Ormandy. We’ve talked before about how we use Google scale to amplify our fuzzing efforts. I’ve recently been working on applying some of these techniques to Antivirus, a vast and highly privileged attack surface. Among the products I’m working on is Kaspersky...

Stagefrightened?

Posted by Mark Brand, Bypasser of Mitigations There’s been a lot of attention recently around a number of vulnerabilities in Android’s libstagefright. There’s been a lot of confusion about the remote exploitability of the issues, especially on modern devices. In this blog post we will demonstrate...

Enabling QR codes in Internet Explorer, or a story of a cross-platform memory disclosure

Posted by Mateusz Jurczyk of Google Project Zero In the previous series of posts parts 1 2 3 4, we discussed the exploitation process of a serious “blend” vulnerability CVE-2015-0093 / CVE-2015-3052, which was special in that it provided the attacker with an extremely powerful primitive arbitrary...

Windows 10^H^H Symbolic Link Mitigations

Posted by James Forshaw, abusing symbolic links like it’s 1999. For the past couple of years I’ve been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I’ve used multiple times is abusing the symbolic link...

One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation

Posted by Mateusz Jurczyk of Google Project Zero This is the final part 4 of the “One font vulnerability to rule them all” blog post series. In the previous posts, we introduced the “blend” PostScript operator vulnerability and successfully used it to first exploit Adobe Reader, and later escape...

Three bypasses and a fix for one of Flash's Vector.<*> mitigations

Posted by Chris Evans, Cookie Monster With the release of Flash 18.0.0.209, two mitigations were introduced to combat abuse of Vector corruptions -- we covered these in a previous blog post. Flash 18.0.0.232 has just been released and it includes a change to the way one of the mitigations is...

Attacking ECMAScript Engines with Redefinition

Posted by Natalie Silvanovich = function return n; ECMAScript has a property where almost all functions and variables can be dynamically redefined. This can lead to vulnerabilities in situations where native code assumes a function or variable behaves a certain way when accessed or does not have...

One font vulnerability to rule them all #3: Windows 8.1 32-bit sandbox escape exploitation

Posted by Mateusz Jurczyk of Google Project Zero This is part 3 of the “One font vulnerability to rule them all” blog post series. In the previous posts, we introduced the “blend” PostScript operator vulnerability, discussed the Charstring primitives necessary to fully control the stack contents...

One font vulnerability to rule them all #2: Adobe Reader RCE exploitation

Posted by Mateusz Jurczyk of Google Project Zero This is part 2 of the “One font vulnerability to rule them all” blog post series. In part 1 “introducing the BLEND vulnerability”, we discussed how developments in the digital typography field in the last four decades shaped the various font format...

One font vulnerability to rule them all #1: Introducing the BLEND vulnerability

Posted by Mateusz Jurczyk of Google Project Zero Last month, I presented parts of my PostScript font security research at the REcon security conference in Montreal, in a talk titled “One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced...

One Perfect Bug: Exploiting Type Confusion in Flash

Posted by Natalie Silvanovich, Dazed and Type Confused For some attackers, it is important that an exploit be extremely reliable. That is to say, the exploit should consistently lead to code execution when it is run on a system with a known platform and Flash version. One way to create such an...

Significant Flash exploit mitigations are live in v18.0.0.209

Posted by Mark Brand and Chris Evans, isolators of heaps Whilst Project Zero has gained a reputation for vulnerability and exploitation research, that's not all that we do. One of the main reasons we perform this research is to provide data to defenders; and one of the things that defenders can d...

From inter to intra: gaining reliability

Posted by Chris Evans, avoider of crossing heap lines. Part 2 of 4. In the first post in this series, we concluded with a traditional exploit for Adobe Flash bug 324, and noted that it could never be 100% reliable. We also challenged ourselves to do better! Is there some way we can leverage the...

When ‘int’ is the new ‘short’

Posted by Mark Brand, Truncator of Integers This is going to be a quick post, just describing a particularly interesting Chrome issue that I found last month; how I found it; and what is interesting about it… I was looking through some Chrome networking code; and I noticed an interesting API desi...

What is a "good" memory corruption vulnerability?

Posted by Chris Evans, register whisperer. Part 1 of 4. There are a lot of memory corruption vulnerabilities in software, but not all are created equal. To a certain degree, the “usefulness” of a given memory corruption vulnerability is determined by how reliably it might be exploited. In some...

Analysis and Exploitation of an ESET Vulnerability

Do we understand the risk vs. benefit trade-offs of security software? Tavis Ormandy, June 2015 Introduction Many antivirus products include emulation capabilities that are intended to allow unpackers to run for a few cycles before signatures are applied. ESET NOD32 uses a minifilter or kext to...

Owning Internet Printing - A Case Study in Modern Software Exploitation

Guest posted by Neel Mehta [email protected] - June 19th, 2015 Abstract Modern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring...

Dude, where’s my heap?

Guest posted by Ivan Fratric, spraying 1TB of memory The ability to place controlled content to a predictable location in memory can be an important primitive in exploitation of memory corruption vulnerabilities. A technique that is commonly used to this end in browser exploitation is heap...

In-Console-Able

Posted by James Forshaw, giving the security community a shoulder to cry on. TL;DR; this blog post describes an unfixed bug in Windows 8.1 which allows you to escape restrictive job objects in order to help to develop a sandbox escape chain in Chrome or similar sandboxes. If you’re trying to...

A Tale of Two Exploits

Posted by Natalie Silvanovich, Collision Investigator and Object Field Examiner CVE-2015-0336 is a type confusion vulnerability in the AS2 NetConnection class. I reported this issue in January and soon wrote a proof-of-concept exploit for the bug. The issue was patched by Adobe in March and less...

Taming the wild copy: Parallel Thread Corruption

Posted by Chris Evans, Winner of the occasional race Back in 2002, a very interesting vulnerability was found and fixed in the Apache web server. Relating to a bug in chunked encoding handing, the vulnerability caused a memcpy call with a negative length with the destination on the stack. Of...

Exploiting the DRAM rowhammer bug to gain kernel privileges

Rowhammer blog post draft Posted by Mark Seaborn, sandbox builder and breaker, with contributions by Thomas Dullien, reverse engineer This guest post continues Project Zero’s practice of promoting excellence in security research on the Project Zero blog Overview “Rowhammer” is a problem with some...

Feedback and data-driven updates to Google’s disclosure policy

Posted by Chris Evans and Ben Hawkes, Project Zero; Heather Adkins, Matt Moore and Michal Zalewski, Google Security; Gerhard Eschelbeck, Vice President, Google Security Disclosure deadlines have long been an industry standard practice. They improve end-user security by getting security patches to...

(^Exploiting)\s*(CVE-2015-0318)\s*(in)\s*(Flash$)

Posted by Mark Brand, Irregular Expressionist So; issue 199/PSIRT-3161/CVE-2015-0318. Quick summary - it’s a bug in the PCRE regex engine as used in Flash. Note that the published version of the avmplus code is significantly out of date; there are a number of other vulnerabilities present that ha...

A Token’s Tale

Posted by James Forshaw currently impersonating NT AUTHORITY\SYSTEM. Much as I enjoy the process of vulnerability research sometimes there’s a significant disparity between the difficulty of finding a vulnerability and exploiting it. The Project Zero blog contains numerous examples of complex...

Exploiting NVMAP to escape the Chrome sandbox - CVE-2014-5332

Posted by Lee Campbell, Graphics Pwning Unit This guest post continues Project Zero’s practice of promoting excellence in security research on the Project Zero blog Background: Chrome for Android implements a very different sandbox model to that of Chrome for Linux. One of the platform features w...

Finding and exploiting ntpd vulnerabilities

Posted by Stephen Röttger, Time Lord Foreword by Chris Evans: this post by Stephen represents the first Project Zero guest blog post. From time to time, we’ll be featuring guest blog posts for top-tier security research. In this instance, we’ve been impressed by the remotely exploitable nature of...

Internet Explorer EPM Sandbox Escape CVE-2014-6350

Posted by James Forshaw This month Microsoft fixed 3 different Internet Explorer Enhanced Protected Mode EPM sandbox escapes which I disclosed in August. Sandboxes are one of the main areas of interest for Project Zero and me in particular as they are choke points for an attacker successfully...

pwn4fun Spring 2014 - Safari - Part II

Posted by Ian Beer TL;DR An OS X GPU driver trusted a user-supplied kernel C++ object pointer and called a virtual function. The IOKit registry contained kernel pointers which were used defeat kASLR. A kernel ROP payload ran Calculator.app as root using a convenient kernel API. Overview of part I...

Project Zero Patch Tuesday roundup, November 2014

Posted by Chris Evans, Registrar of Bugs It’s been about a week since Patch Tuesday, and the Project Zero reports mentioned in the various advisories are now public. We won’t always be writing a Patch Tuesday roundup, but we often will when we believe there is a sufficiently varied and interestin...

Did the “Man With No Name” Feel Insecure?

Posted by James Forshaw, Taker of Names Sometimes when I'm doing security research I'll come across a bug which surprises me. I discovered just such a bug in the Windows version of Chrome which exposed a little-known security detail in the OS. The bug, CVE-2014-3196 was fixed in M38, so it seemed...

More Mac OS X and iPhone sandbox escapes and kernel bugs

Posted by Ian Beer A couple of weeks ago Apple released OS X 10.9.5 and iOS 8 which fixed a number of sandbox escapes and privilege escalation bugs found by Project Zero. All-bar-one of these bugs were found via manual source code auditing where there was source and binary analysis where there...

Exploiting CVE-2014-0556 in Flash

Posted by Chris Evans, Kidnapper of RIP A couple of weeks ago, Adobe released security bulletin APSB14-21, including 8 fixes for bugs reported by Project Zero. Full details of these bugs are now public in our bug tracker. Some of the more interesting ones are a double free in the RTMP protocol, o...

The poisoned NUL byte, 2014 edition

Posted by Chris Evans, Exploit Writer Underling to Tavis Ormandy Back in this 1998 post to the Bugtraq mailing list, Olaf Kirch outlined an attack he called “The poisoned NUL byte”. It was an off-by-one error leading to writing a NUL byte outside the bounds of the current stack frame. On i386...

What does a pointer look like, anyway?

Posted by Chris Evans, Renderer of Modern Art In Adobe’s August 2014 Flash Player security update, we see: These updates resolve memory leakage vulnerabilities that could be used to bypass memory address randomization CVE-2014-0540, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545. I...