Grant Hernandez

@Digital_Cold

PhD candidate at , firmware analyst, reverse engineer, and binary breaker.

The Swamp
Joined October 2012

Tweets


  1. Pinned Tweet
    9 Dec 2018

    A writeup for HITCON's Super Hexagon challenge (part 1). A detailed look into AArch64 custom kernel exploitation.

  2. Jan 31

    Another stat to add: I estimate AT LEAST 4.4 million lines of code (see repo for the calculation). Absolutely insane!

  3. Jan 24

    Check out how my CTF team, Kernel Sanders and I approached CSAW's embedded security competition using angr and how we leveraged a buffer overflow to print arbitrary messages to the serial port using RFID shellcode

  4. Jan 24

    Looks like a bug, and almost a vulnerability, but not quite. Maybe some better pwners can take this to an exploit?

  5. Jan 24

    This is the allowed() check that is passed due to the lack of error handling on fopen:

    And this is as far as the program gets with the new ulimit:

  6. Jan 24

    Normally it would say this:

    $ crontab newtab
    You (grant) are not allowed to use this program (crontab)
    See crontab(1) for more information

  7. Jan 24

    In vixie-cron, SUID crontab prevents crontab editing if /etc/cron.allow is empty. If you force the ulimit for open files to be 4, auth check is bypassed but you hit another error lower down :(

    $ bash -c 'ulimit -n 4; crontab newtab'
    /var/spool/cron/: mkstemp: Too many open files

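The failure mode this thread is poking at, as an added example that is not code from the page or from vixie-cron: an allow/deny check that treats every NULL from fopen() as "the policy file does not exist" falls through to its permissive default when the process has simply run out of file descriptors, and a fail-closed variant that only accepts ENOENT as "absent" does not. The policy-file paths, the user name "grant" and the file contents are constructed for the demo; lowering the soft RLIMIT_NOFILE to 0 inside the process is the programmatic stand-in for `ulimit -n 4` and makes every fopen() fail with EMFILE. The shape of allowed_vulnerable() is modelled on the behaviour the thread describes, not copied from cron's source.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>

/* Returns 1 if `user` appears as a whole line in `f`. */
static int in_file(const char *user, FILE *f)
{
    char line[256];
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strcmp(line, user) == 0)
            return 1;
    }
    return 0;
}

/* Pattern from the thread (modelled, not cron's code): a NULL from fopen() is
 * read as "no such file", so EMFILE/EACCES/... look exactly like an absent
 * policy file and the caller drops through to the permissive default. */
int allowed_vulnerable(const char *user, const char *allow_file, const char *deny_file)
{
    FILE *allow = fopen(allow_file, "r");
    FILE *deny  = fopen(deny_file, "r");
    int ok;
    if (allow) {
        ok = in_file(user, allow);
        fclose(allow);
        if (deny) fclose(deny);
        return ok;
    }
    if (deny) {
        ok = !in_file(user, deny);
        fclose(deny);
        return ok;
    }
    return 1;   /* neither file could be opened: everyone may use the program */
}

/* Fail-closed variant: only ENOENT means "no policy file"; any other fopen()
 * error denies instead of skipping the check. */
int allowed_hardened(const char *user, const char *allow_file, const char *deny_file)
{
    int ok;
    errno = 0;
    FILE *allow = fopen(allow_file, "r");
    if (!allow && errno != ENOENT)
        return 0;
    if (allow) {
        ok = in_file(user, allow);
        fclose(allow);
        return ok;
    }
    errno = 0;
    FILE *deny = fopen(deny_file, "r");
    if (!deny && errno != ENOENT)
        return 0;
    if (deny) {
        ok = !in_file(user, deny);
        fclose(deny);
        return ok;
    }
    return 1;
}

/* Write `contents` to a fresh temp file (the stand-in for /etc/cron.allow);
 * returns its heap-allocated path or NULL. */
char *make_policy_file(const char *contents)
{
    char path[] = "/tmp/demo_cron_allow_XXXXXX";   /* constructed demo path */
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    if (write(fd, contents, strlen(contents)) != (ssize_t)strlen(contents)) {
        close(fd);
        unlink(path);
        return NULL;
    }
    close(fd);
    return strdup(path);
}

/* Run a check with the soft RLIMIT_NOFILE temporarily set to `nofile`
 * (-1 leaves it alone): the in-process form of `ulimit -n 4; crontab newtab`.
 * Returns the verdict (1 allowed, 0 denied) or -1 if the limit cannot be set. */
int check_under_limit(const char *user, const char *allow_file,
                      const char *deny_file, long nofile, int hardened)
{
    struct rlimit saved, tmp;
    int verdict;
    if (getrlimit(RLIMIT_NOFILE, &saved) != 0)
        return -1;
    if (nofile >= 0) {
        tmp = saved;
        tmp.rlim_cur = (rlim_t)nofile;
        if (setrlimit(RLIMIT_NOFILE, &tmp) != 0)
            return -1;
    }
    verdict = hardened ? allowed_hardened(user, allow_file, deny_file)
                       : allowed_vulnerable(user, allow_file, deny_file);
    if (nofile >= 0)
        setrlimit(RLIMIT_NOFILE, &saved);   /* raising the soft limit back needs no privilege */
    return verdict;
}

int main(void)
{
    char *allow = make_policy_file("");            /* empty cron.allow: nobody listed */
    const char *deny = "/nonexistent/cron.deny";   /* constructed: no deny file */
    if (!allow) return 1;
    printf("normal limit  : vulnerable=%d hardened=%d\n",
           check_under_limit("grant", allow, deny, -1, 0),
           check_under_limit("grant", allow, deny, -1, 1));
    printf("RLIMIT_NOFILE=0: vulnerable=%d hardened=%d\n",
           check_under_limit("grant", allow, deny, 0, 0),
           check_under_limit("grant", allow, deny, 0, 1));
    unlink(allow);
    free(allow);
    return 0;
}
```

With the empty allow file and the normal descriptor limit both variants deny "grant"; with the soft limit at 0 the permissive variant answers 1 because both fopen() calls fail and it falls through to its default, while the fail-closed variant still answers 0. The same distinction is what separates a merely annoying bug from a bypass: the check has to fail closed on every error it did not expect, not just on ENOENT.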
  8. 14 Nov 2019
  9. Retweeted

    Success! The duo got the Galaxy S10 to connect to their rogue base station and then pushed a file to the phone. Third year in a row. Off to the disclosure room to get all the details.

  10. 6 Nov 2019

    How complicated is cellular baseband firmware? At least this complicated: over 150K debugging messages across 932 directories and 2,775 files! Rebuilding the source code skeleton from Samsung S10's Shannon S5000 baseband debugging messages.

  11. Retweeted

    Gathered some of my proof-of-concepts and analysis notes on zero day vulnerabilities that I discovered or researched in the past few years, on my github: . Enjoy

  12. 18 Oct 2019

    That patch set did a major refactor of binder from a single global lock to incorporate more fine-grained locking (performance reasons). It's possible that binder was free from most cross-thread races before this and the epoll race window was missed during the refactor

  13. 18 Oct 2019

    I wonder how long CVE-2019-2215 has been exploitable. Trying to read through the kernel sources to figure out if there was a specific date. I notice that earlier kernels called `binder_free_thread` instead of `binder_thread_release`.

  14. 15 Oct 2019

    The writeup and release is here! Tailoring CVE-2015-2215 to Achieve Root -

  15. 9 Oct 2019

    If people are interested, I can release the source/blog on making Qu1ckR00t

  16. 9 Oct 2019

    Rooting a Pixel 2 with Magisk from an untrusted app using CVE-2019-2215, no OEM unlock needed

  17. 8 Oct 2019

    Disabling SECCOMP with a kernel R/W is quite fun! You need to clear the TIF_SECCOMP flag first in thread_info, then the task->seccomp.filter, and finally task->seccomp.mode. Any other combination leads to kernel panics

  18. 4 Oct 2019

    Sweet, got my non-debug Pixel 2 into SELinux permissive by modding the P0 PoC!

  19. 3 Oct 2019

    Trying to modify the Android kernel exploit PoC to change my cred->security->sid to init (7). When I do this the process locks up even without any syscalls. This talk slide 13 mentions this technique. Any thoughts?

  20. Retweeted
    3 Oct 2019

    I always wanted to do this :-)

  21. Retweeted
    2 Oct 2019

    There’s also a format string bug going the opposite direction (when your phone's name is %p%p%p...)

