Someone asked me about this https://twitter.com/AmarSaar/status/977116492226494464. So yeah, tcache has checks for those (trivial...) incorrect behaviors now on Ubuntu. BUT - my Android 10 is still vulnerable (left is Ubuntu 19.10, right is Android 10) pic.twitter.com/KW8SEubh87
-
Check out @Oranav's great writeup on md15 from #36C3 CTF (@hxpctf - you rock!) - https://github.com/oranav/ctf-writeups/tree/master/36c3/md15. Interesting point: if we run this on WSLv1, it immediately fails (due to different behavior in the loader) on the whole point of the chg, revealing everything ;) pic.twitter.com/8sjSUQYosb
-
Old news, but just for fun - the fact that the XMM registers aren't reset (by the calling convention) is quite useful for pwns in CTFs. And not only for controlled data or heap addresses, libc as well ;) (Highly depends on compilation flags and distributions, of course) pic.twitter.com/3h3wcsNp5Z
-
Thx! Didn't know that. Yeah, I see it now. Ref for others: https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf pic.twitter.com/J3o2lqc3bS
-
I love those *amazing* primitives in iMessage in @5aelo's talk. ObjC objects are very convenient for exploits (and the isa ptr is not protected by PAC, so we still can't jump to an arbitrary addr, but we can do type confusion while we control the arguments ;) ) pic.twitter.com/3ifOLUz1gw
-
The talk by @radian is amazing. Important approach of "enforce code integrity from non-KM code", which PPL does by dividing KM into 2 worlds, so normal KM can't corrupt page tables. Also, note that the trampolines break ROPs. Shoutout to @s1guza for covering everything before! :) pic.twitter.com/vRtCARfPC7
-
What's your favorite standard library vuln? I'll start with CVE-2018-1000810 because I love @rustlang && wildcopies :p fn main() { let _s = "AAAA".repeat(0xc000000000000001); } pic.twitter.com/E9oLAgPlP7
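The one-liner in the tweet above works because the byte count for the result, `s.len() * n`, is computed in unchecked arithmetic and wraps around, so a tiny buffer is allocated and a huge copy runs into it. The following is an added example (not the tweet author's code and not Rust's standard library): `safe_repeat` is a hypothetical helper that computes the capacity with `checked_mul` and refuses the request when it would overflow, and `wrapped_len` shows, on plain integers, the wrapped value the unchecked computation produces for the tweet's count. It assumes a 64-bit `usize`.

```rust
/// Hypothetical helper (not Rust's std, not from the tweet): repeat `s`
/// `n` times, but refuse when the byte count would overflow `usize`.
pub fn safe_repeat(s: &str, n: usize) -> Option<String> {
    // Checked multiplication turns the overflow into `None` instead of
    // silently wrapping to a small capacity that the copy then overruns.
    let cap = s.len().checked_mul(n)?;
    let mut out = String::with_capacity(cap);
    for _ in 0..n {
        out.push_str(s);
    }
    Some(out)
}

/// The arithmetic behind the tweet's one-liner, done on plain integers so
/// it can be observed without allocating anything: `len * n` modulo 2^64.
pub fn wrapped_len(s: &str, n: usize) -> usize {
    s.len().wrapping_mul(n)
}

fn main() {
    println!("{:?}", safe_repeat("AAAA", 3));
    // 4 * 0xc000000000000001 wraps to 4 on 64-bit: a 4-byte buffer for a
    // copy that would never stop.
    println!("wrapped capacity: {:#x}", wrapped_len("AAAA", 0xc000000000000001));
    println!("{:?}", safe_repeat("AAAA", 0xc000000000000001));
}
```

The same checked-multiply shape applies to any `count * element_size` capacity computation in unsafe or FFI code; the check belongs where the size is computed, before the allocation, not after the copy.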
-
Dropping a new LFH fun fact: remember the RtlpLowFragHeapRandomData, which holds the indices to be used to scan from the bitmap on each allocation? For quite some time, they aren't fixed for the process lifetime - they change as the userblocks are allocated :P pic.twitter.com/b3p640S4Dd
-
There is high value in fully understanding arch design. Certain behavior of a component might be used differently for different exploits. One example is the behavior where libxpc passes large data using mach_vm_map, used in @i41nbeer's triple_fetch and in @_bazad's GCCCred exploit pic.twitter.com/yydDg4LLHi
-
Yeah, pinning CR4 and CR0 is important, but still bypassable using ROP/JOP/whatever in KM. The best thing is to use virtualization - VMMs can intercept specific bits in CRx, so for example it can intercept every write to CR4.SMEP and simply ignore it :) https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/ pic.twitter.com/2vaV7DXasj
-
Moreover, a generic tip I liked to use - you can detect those patterns (this one clearly shows a meaningful pattern) in ntos/SK, and see if there is a public symbol about it :P pic.twitter.com/XgTOT5laVo
-
Great find by @tencent_blade: g2h in vhost_net during the live migrate flow: vhost_net uses a kernel buffer to record the dirty log, but it doesn't check the bounds of the log buffer. Therefore, a malicious guest kernel could corrupt the host's kernel memory https://www.openwall.com/lists/oss-security/2019/09/17/1 pic.twitter.com/i8Bm12lALA
-
A little more Xbox sum-up:
XVD: Xbox Virtual Disk (integrity protected and encrypted VHD)
SCP: Streaming Crypto Engine (decrypts OS/Games/Videos)
* XVDs are also how games are distributed (optical disks / network downloads)
* All code (except early boot code) must come from XVDs pic.twitter.com/2tq9h1vpeG
-
Yep - HVCI is a feature that started at Xbox 360 :) The (highly trivial, actually) observation that "it's bad to use millions of lines of KM code to enforce code integrity in KM" started there pic.twitter.com/IivOBz783W
-
Super important and cool point in Tony's great talk about physical attacks against Xbox One: in the Xbox field, the attacker of the product is its owner. That significantly increases the number of components we can't trust. Check out his talk! https://www.youtube.com/watch?v=U7VwtOrwceo pic.twitter.com/58Z9izTh8J
-
Seeing @gamozolabs' tweets about fuzzing calc.exe for bugs reminds me of a really old, cute bit of nostalgia from Win7 times - setting F-E on certain numbers (one instance is 1/255) triggers a way-too-long recursion and hits a guard page pic.twitter.com/XXZfQT8J7m
-
Great job! This is a very good example of what I meant in this section of tips in my blog about Hyper-V research (https://msrc-blog.microsoft.com/2018/12/10/first-steps-in-hyper-v-research/). Looking forward to more useful tools like this for static analysis and reversing: pic.twitter.com/JS2way8bWZ
-
Happy to see even pharmacies use @rustlang these days :P pic.twitter.com/pb6eBcdFq9