Saar Amar

@AmarSaar

Reversing, Exploits, Windows Internals, Virtualization, Mitigations. team member. MSRC-IL

Joined October 2016

Tweets


  1. Retweeted

    Can your EDR detect symbolic link callback rootkits? Because ours sure as heck can't. And I wrote about these!
  2. Retweeted
    Jan 31
  3. Retweeted
    Jan 30

    Just published a follow-up to my Adobe Reader symbols story on the Project Zero blog. Turns out there's even more debug metadata to be found in some old (and new) builds, including private CoolType symbols. Enjoy!
  4. Retweeted
    Jan 29

    Linux on T8010 via PongoOS :) /cc
  5. Retweeted
    Jan 29

    Windows Server 2019 securekernel live debugging demo
  6. Jan 29

    Interesting vulnerability: may_create_in_sticky() was done when we had already dropped the ref to dir, and thus dir (a struct dentry ptr) might be freed and reused. One impact is a 1-bit infoleak oracle in open() (CVE-2020-8428).
  7. Jan 22

    A short time after the publication of the crazy design issue contradicting XOM on EL0 && PAN (the arch can't create ---/--x), check out 's amazing post. TL;DR
  8. Jan 22

    Wow, a crazy issue bypasses PAN: some of the uaccess routines (__arch_clear_user() and __arch_copy_{in,from,to}_user()) fail to re-enable PAN if they encounter an unhandled fault while accessing userspace. Check out the patch:
  9. Retweeted
    Jan 22

    Insufficient fix for CVE-2019-6205 means XNU vm_map_copy optimization which requires atomicity still isn't atomic
  10. Jan 21

    In these CET times: when unwinding, it's possible to return to any address in the SSP, causing a "type confusion" between stack frames ;) I really like the different variants of this concept :) Type confusions are on fire! (stack frames, objc for PAC bypass)
  11. Retweeted
    Jan 21

    See you at for another round of "One Weird Trick SecureROM Hates"! I hoped to have enough material for a new talk, but my plans didn't quite work out :X
  12. Jan 20

    It's finally here, guys - is back! Check out the schedule && register now!
  13. Retweeted

    - I've been waiting to announce this all month; I'll be crossing another conference off my speaking bucket list in ~2wks when I go onstage at ! I've been waiting for this for 2+ years - I might be a little excited about it 🤩
  14. Jan 19

    Someone asked me about this. So yeah, tcache has checks for those (trivial...) incorrect behaviors now on Ubuntu. BUT - my Android 10 is still vulnerable (left is Ubuntu 19.10, right is Android 10).
  15. Retweeted
    Jan 18

    Actually, this also made me wonder about Intel CET forward-edge protection: it only verifies that the indirect branch target ends with ENDBR64, i.e. it only validates that it's some valid target, without considering context/prototype-hash as RAP/XFG do. Doesn't this make the ENDBR64 mechanism useless?
  16. Retweeted
    Jan 17

    New blog post: cuck00, an XNU/IOKit info leak 1day killed in iOS 13.3.1 beta 2.
  17. Retweeted
    Jan 16

    Great in-depth analysis of many of the changes that have been made thus far to support CET on Windows. Looking forward to the future of CET-capable CPUs :)
  18. Jan 12

    The SLOP approach is *outstanding*. Calling arbitrary objc methods has been known for some time (isa not signed), but what's shown here is a script lang. That's HIGHLY powerful, and that's exactly what I'm looking for while exploiting. Having a script lang makes the exploit much more stable.
  19. Jan 11

    Check out 's great writeup on md15 from CTF ( - you rock!) - . Interesting point: if we run this on WSLv1, it immediately fails (due to different behavior in the loader) on the whole point of the chg, revealing everything ;)
  20. Retweeted
    Jan 10

    Android: ashmem readonly bypasses via remap_file_pages() and ASHMEM_UNPIN
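The tcache double-free check mentioned in item 14 can be illustrated with a toy model. glibc 2.29 added a `key` field to free tcache entries: it is set when a chunk enters a tcache bin and cleared when it leaves, so a second free of the same chunk is recognised and aborts ("free(): double free detected in tcache 2"). The block below is an added example, not code from the tweet, from glibc or from Android; it is a simplified reimplementation with hypothetical names (toy_tcache, toy_free, toy_malloc, double_free_outcome) over a small constructed arena, and it runs the same double free against an unhardened and a hardened bin.

```c
/* Toy model of glibc's tcache double-free check (introduced in glibc 2.29).
 * This is an illustrative reimplementation, NOT glibc code: the names, sizes
 * and the backing arena are assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>

#define TCACHE_COUNT 7      /* glibc default: at most 7 chunks per tcache bin */
#define CHUNK_SIZE   32
#define NUM_CHUNKS   8

/* Layout of a free chunk's user data while it sits in a tcache bin.
 * glibc 2.29 added the 'key' field: set to the tcache struct pointer on
 * free and cleared on malloc (newer glibc uses a random tcache_key value). */
typedef struct tcache_entry {
    struct tcache_entry *next;
    void *key;
} tcache_entry;

typedef struct {
    tcache_entry *head;
    int count;
    int hardened;   /* 1: perform the double-free check in toy_free() */
} toy_tcache;

/* Constructed backing memory standing in for the heap. */
static _Alignas(16) unsigned char arena[NUM_CHUNKS][CHUNK_SIZE];

static void toy_init(toy_tcache *tc, int hardened)
{
    tc->head = NULL;
    tc->count = 0;
    tc->hardened = hardened;
}

/* Returns 0 when the chunk was placed in the bin, 1 when the bin is full
 * (real glibc falls through to the fastbin/unsorted paths), and -1 when a
 * double free is detected (real glibc calls malloc_printerr and aborts). */
static int toy_free(toy_tcache *tc, void *p)
{
    tcache_entry *e = p;

    if (tc->hardened && e->key == (void *)tc) {
        /* The key matches, so this chunk is very likely already in the bin.
         * Like glibc, walk the bin to rule out a coincidental key value. */
        for (tcache_entry *it = tc->head; it != NULL; it = it->next)
            if (it == e)
                return -1;      /* "free(): double free detected in tcache 2" */
    }
    if (tc->count >= TCACHE_COUNT)
        return 1;

    e->next = tc->head;
    e->key = tc->hardened ? (void *)tc : NULL;
    tc->head = e;
    tc->count++;
    return 0;
}

static void *toy_malloc(toy_tcache *tc)
{
    tcache_entry *e = tc->head;
    if (e == NULL)
        return NULL;
    tc->head = e->next;
    tc->count--;
    e->key = NULL;      /* chunk leaves the bin: key is no longer valid */
    return e;
}

/* Free one chunk twice, then allocate twice.
 * Returns 2 if the second free was detected, 1 if malloc handed out the same
 * chunk twice (the classic tcache dup primitive), 0 otherwise. */
int double_free_outcome(int hardened)
{
    toy_tcache tc;
    void *a = arena[0];

    toy_init(&tc, hardened);
    toy_free(&tc, a);
    if (toy_free(&tc, a) < 0)
        return 2;
    void *p1 = toy_malloc(&tc);
    void *p2 = toy_malloc(&tc);
    return (p1 == a && p2 == a) ? 1 : 0;
}

int main(void)
{
    printf("unhardened tcache: outcome %d (1 = same chunk returned twice)\n",
           double_free_outcome(0));
    printf("hardened tcache:   outcome %d (2 = double free detected)\n",
           double_free_outcome(1));
    return 0;
}
```

Without the key check the second free links the chunk into the bin a second time (its `next` points at itself), so two consecutive allocations return the same address, which is what makes the trivial double free exploitable; with the check, the second free is caught before the list is corrupted. The bin walk after the key match matters: the key is just a word in freed user memory, so a stale or attacker-controlled value must not be trusted on its own.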
