JavaScript is not available.

Root Cause Analysis of the in the wild JIT bug (CVE-2022-42856)

VoidiStaff

@VoidiStaff

Mar 2

Root Cause Analysis of the in the wild JIT bug (CVE-2022-42856)

voidistaff.github.io

iOS Security update for CVE-2022-42856 Patch The provenType filtering in FTL’s speculateRealNumber is incorrect. Background Specu...

174

New blog post from

! Check it out!

Quote Tweet

ϻг_ϻε

@steventseeley

Feb 28

I wrote a blog post regarding the technical details of CVE-2022-31700. It's an interesting case study of attacking custom Java Bean Validators (JSR 380) for RCE: trenchant.io/vmware-workspa The original advisory can be found here: srcincite.io/advisories/src

VMWare Workspace ONE Access

Intro In 2022, I conducted research against VMWare Workspace ONE Access and was able to find a remote code execution vulnerability triggerable by an authenticated administrator. Although authentica...

237

Anand Balaji

@_d4rkkn1gh7

Jan 23

Breaking JIT range assumptions in JSC: here's my writeup for b3typer from bi0sCTF 2022! blog.bi0s.in/2023/01/23/Pwn

128

TrenchantARC

@TrenchantARC

Jan 23

We are actively hiring security researchers! Send your resume to recruiting@trenchant.io :-)

Quote Tweet

Ian Coldwater

@IanColdwater

Jan 20

So who *is* hiring in tech right now, and what are you hiring for? Asking for several tens of thousands of people

Show this thread

offensivecon

@offensive_con

Jan 12

We are proud to announce the Keynote speakers for #OffensiveCon23:

@daveaitel

and

@windknown

Replying to

and

ain't no party like a

@TrenchantARC

party

Survey of security mitigations and architectures, December 2022

Saar Amar

@AmarSaar

Dec 31, 2022

New blogpost! I put together a thorough survey of security mitigations && architectures from the past few years. HW solutions, SW mitigations, and safe languages. CHERI, MTE, Rust, Swift, kalloc_type, Firebloom, GuardedMemcpy, CastGuard, and more!

saaramar.github.io

187

543

Breaking the Chrome Sandbox with Mojo

stephen

@_tsuro

Nov 17, 2022

Breaking the Chrome Sandbox with Mojo - the recording of my black hat talk is out: youtu.be/qhhJCLy0YBA (I'm painfully aware of the red shift :) )

youtube.com

If you manage to exploit a Chrome renderer vulnerability, you find yourself in a tight sandbox. Access to OS resources like the file system are greatly restr...

158

Hexacon - Conference – Speakers

Hexacon

@hexacon_fr

Oct 19, 2022

📣 Most of the slides of #HEXACON2022 presentations have been added to our website! We will update this page as soon as we receive the missing ones. 2022.hexacon.fr/conference/spe Video recordings should follow in the coming weeks

2022.hexacon.fr

Discover the accepted talks for this edition!

163

Hexacon

@hexacon_fr

Oct 16, 2022

Already missing the crazy atmosphere of Hexacon but so proud of what we accomplished together ❤️ Thank you to everyone who put their trust in us for this first edition: speakers, committee, trainers, sponsors and attendees 🙏 Return home safely and see you at #HEXACON2023

121

jifa@infosec.exchange

@jifa

Oct 15, 2022

Huge thanks and props to the

@hexacon_fr

organization team for pulling together a top community event at the highest standard!👏👏👏🔥 See you next year in Paris! 😉

Aug 22, 2022

I just released the source code of Paracosme: a zero-click remote memory corruption exploit I demonstrated at Pwn2Own 2022 Miami 🐛🐜🪲 github.com/0vercl0k/parac

GIF

176

523

Exploiting WebKit JSPropertyNameEnumerator Out-of-Bounds Read (CVE-2021-1789)

starlabs

@starlabs_sg

Aug 19, 2022

Today, our team member,

@tuanit96

, shared his analysis on: "Exploiting CVE-2021-1789 : WebKit JSPropertyNameEnumerator Out-of-Bounds Read" - starlabs.sg/blog/2022/08-e Thanks to our other team member,

@Chocologicall

for the help in editing it.

starlabs.sg

Initially, our team member, Đỗ Minh Tuấn, wanted to write about the RCA (Root Cause Analysis) of CVE-2021-1870 which APT used. But Maddie Stone pointed it to us that it was actually CVE-2021-1789....

190

Zero Day Initiative — But You Told Me You Were Safe: Attacking the Mozilla Firefox Renderer (Part 1)

Zero Day Initiative

@thezdi

Aug 18, 2022

At #Pwn2Own Vancouver,

@_manfp

won $100K exploiting #Firefox. Now that these bugs are patched,

@hosselot

details the first part of this exploit in his most recent blog. Part 2 is to come.

zerodayinitiative.com

Vulnerabilities and exploits in common targets like browsers are often associated with memory safety issues. Typically this involves either a direct error in memory management or a way to corrupt...

186

Race against the Sandbox. Root cause analysis of a Tianfu Cup bug.

theabysslabs

@theabysslabs

Aug 12, 2022

How do you escape the Chrome Sandbox on Windows? Root cause analysis of TianfuCup 2021 bug!

theabysslabs.github.io

Introduction

230

Aug 4, 2022

Paracosme (CVE-2022-33318) is the zero-click remote code execution memory corruption exploit that I wrote to compromise ICONICS Genesis64 on stage at Pwn2Own2022 Miami 🐛🐜🪲 I hope to blog about it soon but in the meantime, go apply the patch 🔥🔥! zerodayinitiative.com/advisories/ZDI

GIF

103

The Chromium super (inline cache) type confusion | The GitHub Blog

In this post

goes through the details of CVE-2022-1134, a type confusion in Chrome, and shows how to gain remote code execution in the Chrome renderer using this bug.

github.blog

In this post I'll exploit CVE-2022-1134, a type confusion in Chrome that I reported in March 2022, which allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a...

188

Offensive security conference organized by seasoned professionals, in the heart of Paris. 14-15th October 2022, save the date!

Synacktiv

@Synacktiv

Jun 15, 2022

Some of our ninjas are organizing the Hexacon cybersecurity conference and

@Synacktiv

is proud to support this adventure. If you love highly technical talks and trainings, the registration has just opened. Get on board!

hexacon.fr

Hexacon - Register

New guest blog by

and

"Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup" doar-e.github.io/blog/2022/06/1

Synacktiv

@Synacktiv

May 20, 2022

If you see two guys wearing Synacktiv t-shirts with big antennas, you should turn around with your

@Tesla

! 0-click RCE demonstration on a real vehicle, with CAN messages sent to switch on headlights, wipers and trunk 😎 #Pwn2Own

0:30

21K views

153

441

Samuel Groß

@5aelo

May 20, 2022

Feel like corrupting some memory in V8? Now there's an API for that! chromium.googlesource.com/v8/v8/+/4a12cb

291

slides/Zer0Con_2022_Tales_from_the_iOS_macOS_Kernel_Trenches.pdf at main · potmdehex/slides

John Aakerblom

@jaakerblom

May 9, 2022

Slides for the presentation “Tales from the iOS/macOS Kernel Trenches” that I recently held at Zer0Con 2022 are now publicly available here:

github.com

Slides for presentations held at conferences. Contribute to potmdehex/slides development by creating an account on GitHub.

309

New blogpost by

: "Competing in Pwn2Own 2021 Austin: Icarus at the Zenith" doar-e.github.io/blog/2022/03/2

GIF

186

Apr 8, 2022

Firefox 99 fixed a small bug 🪲I reported. Go update your browser! github.com/0vercl0k/CVE-2

Samuel Groß

@5aelo

Mar 16, 2022

I'm excited (and also a little sad) to announce that after 3 fantastic years with Project Zero, it's time for me to try something new. So starting this month, I'll be building up and leading a new V8 security team at Google!

988

Mar 14, 2022

Longue vue 🔭 is an exploit chain I wrote that is able to compromise remotely NETGEAR DGND3700v2 devices over the internet 🔥🔥 github.com/0vercl0k/longu

GIF

116

: vusec.net/projects/bhi-s

VUSec

@vu5ec

Mar 8, 2022

Spectre-v2 is back! Disclosing Branch History Injection (#BHI/#Spectre-BHB), bypassing Spectre-v2 hw defenses to leak arbitrary kernel/host memory (e.g., root password hash below). Joint work by

GIF

292

565

Slides from our (

and myself) talk „A Brief History of iMessage Exploitation“ talk

@BlueHatIL

. Recording coming soon as well! saelo.github.io/presentations/

110

290

security_analysis_mte/Security Analysis of MTE Through Examples.pdf at main · saaramar/security_a...

Saar Amar

@AmarSaar

Mar 2, 2022

Here are the slides from the "Security Analysis of MTE Through Examples" talk I presented at

@BlueHatIL

:) I hope you will like it and find it interesting!

github.com

Contribute to saaramar/security_analysis_mte development by creating an account on GitHub.

112

285

Feb 18, 2022

Zenith is an (unreliable) exploit I wrote to compromise the TP-Link AC1750 Smart Wi-Fi Router for Pwn2Own Austin 2021. It remotely exploits an integer overflow in the NetUSB kernel driver that results in a heap-buffer overflow 🔥 github.com/0vercl0k/zenith

GIF

115

357

Feb 17, 2022

Pretty cool - looks like both

@bienpnn

and I exploited remotely the NetUSB kernel driver in the TP-Link AC1750 router at Pwn2Own Austin ealier this year 👏🏽 I'll clean-up my exploit Zenith tonight and release it tomorrow 🔥! zerodayinitiative.com/advisories/ZDI

104

Feb 14, 2022

I just pushed wtf v0.3 -

@y0ny0ns0n

and I implemented multi-packets and custom mutators / generators support. Thanks to all the contributors 🙏🏽 Fuzz all the things 🛫🔥💥! github.com/0vercl0k/wtf/r

GIF

101

2019

@r3tr0spect2019

Feb 6, 2022

DiceCTF Memory Hole: how to break V8 heap sandbox mem2019.github.io/jekyll/update/

234

Patrick Ventuzelo

@Pat_Ventuzelo

Feb 7, 2022

Here are the slides of my talk "Beaconfuzz - A Journey into #Ethereum 2.0 Blockchain Fuzzing and Vulnerability Discovery" at

@offensive_con

2022. fuzzinglabs.com/wp-content/upl

172

[DiceCTF 2022] - memory hole

kylebot

@ky1ebot

Feb 7, 2022

I played DiceCTF this weekend and solved a V8 challenge. I bypassed the latest "Virtual Memory Cage" protection in V8 and here is how I achieved it XD

blog.kylebot.net

IntroductionDuring this weekend, I casually played DiceCTF 2022 with my team Shellphish. And I solved two challenges: baby-rop and memory hole during the game. It was the first time in a while that I

110

376

Samuel Groß

@5aelo

Feb 4, 2022

Here are the slides from the "Attacking JavaScript Engines in 2022" talk by

@itszn13

and myself

@offensive_con

. It's a high-level talk about JS, JIT, various bug classes, and typical exploitation flows but with lots of references for further digging! saelo.github.io/presentations/

282

763