Saar Amar

@AmarSaar

Reversing, Exploits, Windows Internals, Virtualization, Mitigations. team member. MSRC-IL

Joined: October 2016


  1. 19 Jan

    Someone asked me about this. So yeah, tcache has checks for those (trivial...) incorrect behaviors now on Ubuntu. BUT - my Android 10 is still vulnerable (left is Ubuntu 19.10, right is Android 10)

  2. 12 Jan

    Check out 's great writeup on md15 from CTF ( - you rock!). Interesting point: if we run this on WSLv1, it immediately fails (due to different behavior in the loader) on the whole point of the chg, revealing everything ;)

  3. 10 Jan

    Old news, but just for fun - the fact that the XMM registers aren't reset (by the calling convention) is quite useful for pwns in CTFs. And not only for controlled data or heap addresses, libc as well ;) (Highly depends on compilation flags and distributions, of course)

  4. 30 Dec 2019
    Replying to users:
  5. 27 Dec 2019

    And now in slides by !

  6. 27 Dec 2019

    I love those *amazing* primitives in iMessage in 's talk. Objc objects are very convenient for exploits (and the isa ptr is not protected by PAC, so we still can't jump to an arbitrary addr, but we can do type confusion while we control the arguments ;) )

  7. 24 Dec 2019

    The talk by is amazing. Important approach of "enforce code integrity from non-KM code", which PPL does by dividing KM into 2 worlds, so normal KM can't corrupt page tables. Also, note that the trampolines break ROPs. Shoutout to for covering everything before! :)

  8. 16 Dec 2019

    What’s your favorite standard library vuln? I’ll start with CVE-2018-1000810 because I love && wildcopies :p fn main() { let _s = "AAAA".repeat(0xc000000000000001); }

  9. 15 Dec 2019

    Dropping a new LFH fun fact: remember the RtlpLowFragHeapRandomData, which holds the indices to be used to scan from the bitmap on each allocation? For quite some time, they aren't fixed for the process lifetime - they change as userblocks are allocated :P

  10. 23 Nov 2019

    There is high value in fully understanding arch design. Certain behavior of a component might be used differently for different exploits. One example is the behavior of libxpc passing large data using mach_vm_map, used in 's triple_fetch and in 's GCCCred exploit

  11. 21 Nov 2019
  12. 17 Nov 2019

    Yeah pinning CR4 and CR0 is important, but still bypassable using ROP/JOP/whatever in KM. The best thing is to use virtualization - VMMs can intercept specific bits in CRx, so for example it can intercept every write into CR4.SMEP, and simply ignore it :)

  13. 28 Oct 2019
    Replying to users

    Moreover, a generic tip I like to use - you can detect those patterns (this one clearly shows a meaningful pattern) in ntos/SK, and see if there is a public symbol about it :P

  14. 27 Oct 2019

    Great find by : g2h in vhost_net during the live migrate flow: vhost_net uses a kernel buffer to record the dirty log, but it doesn't check the bounds of the log buffer. Therefore, a malicious guest kernel could corrupt the host's kernel memory

  15. 21 Oct 2019

    Little more Xbox sumup:
    XVD: Xbox Virtual Disk (integrity protected and encrypted VHD)
    SCP: Streaming Crypto Engine (decrypts OS/Games/Videos)
    * XVDs are also how games are distributed (optical disks / network downloads)
    * All code (except early boot code) must come from XVDs

  16. 21 Oct 2019

    Yep - HVCI is a feature that started at Xbox 360 :) The (highly trivial, actually) observation that "it's bad to use millions of lines of KM code to enforce code integrity in KM" started there

  17. 21 Oct 2019

    Super important and cool point in Tony's great talk about physical attacks against Xbox One: in the Xbox field, the attacker of the product is its owner. That significantly increases the number of components we can't trust. Check out his talk!

  18. 11 Oct 2019

    Seeing tweets about fuzzing calc.exe for bugs reminds me of a really old, cute bit of nostalgia from win7 times - setting F-E on certain numbers (one instance is 1/255) triggers a way-too-long recursion and hits a guard page

  19. 8 Oct 2019
    Replying to users

    Great job! This is a very good example of what I meant in this section of tips in my blog about Hyper-V research ( ). Looking forward to more useful tools like this for static analysis and reversing:

  20. 16 Sep 2019

    Happy to see even pharmacies use those days :P
