Saar Amar

@AmarSaar

Reversing, Exploits, Windows Internals, Virtualization, Mitigations. team member. MSRC-IL

Joined: October 2016

Tweets


  1. Retweeted, 2 Feb

    Can your EDR detect symbolic link callback rootkits? Because ours sure as heck can't. and I wrote about these!
  2. Retweeted, 31 Jan
  3. Retweeted, 30 Jan

    Just published a follow-up to my Adobe Reader symbols story on the Project Zero blog. Turns out there's even more debug metadata to be found in some old (and new) builds, including private CoolType symbols. Enjoy!
  4. Retweeted, 29 Jan

    Linux on T8010 via PongoOS :) /cc
  5. Retweeted, 29 Jan

    Windows Server 2019 securekernel live debugging demo
  6. 29 Jan

    Interesting vulnerability: may_create_in_sticky() was done when we had already dropped the ref to dir, and thus dir (a struct dentry ptr) might be freed and reused. One impact is a 1-bit infoleak oracle in open() (CVE-2020-8428)
  7. 23 Jan

    Shortly after the publication of the crazy design issue contradicting XOM on EL0 && PAN (the arch can't create ---/--x), check out 's amazing post. TL;DR )
  8. 23 Jan

    Wow, crazy issue bypasses PAN: Part of the uaccess routines (__arch_clear_user() and __arch_copy_{in,from,to}_user()) fail to re-enable PAN if they encounter an unhandled fault while accessing userspace. Check out the patch:
  9. Retweeted, 22 Jan

    Insufficient fix for CVE-2019-6205 means the XNU vm_map_copy optimization which requires atomicity still isn't atomic
  10. 21 Jan

    In these CET times: it's possible to return, during unwinding, to any address in the SSP, causing a "type confusion" between stack frames ;) I really like the different variants of this concept :) Type confusions are on fire! (stack frames, objc for PAC bypass)
  11. Retweeted, 21 Jan

    See you at for another round of “One Weird Trick SecureROM Hates”! I hoped to have enough material for a new talk, but my plans didn't quite work out :X
  12. 20 Jan

    It's finally here, guys - is back! Check out the schedule && register now!
  13. Retweeted

    - I've been waiting to announce this all month; I'll be crossing another conference off my speaking bucket list in ~2wks when I go onstage at ! I've been waiting for this for 2+ years - I might be a little excited about it 🤩
  14. 19 Jan

    Someone asked me about this . So yeah, tcache has checks for those (trivial...) incorrect behaviors now on Ubuntu. BUT - my Android 10 is still vulnerable (left is Ubuntu 19.10, right is Android 10)
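The tweet above compares allocators by screenshot. As an added example (not the tweet author's code, and not from any of the projects mentioned), the following C program lets you run the same comparison on your own box: glibc 2.29 and later stores a key in every freed tcache entry and aborts with "free(): double free detected in tcache 2" when a chunk still carrying that key is freed again, whereas older glibc (and, per the tweet, the Android 10 allocator) links the chunk into the bin twice. Because a detected double free kills the process, the bad free is done in a forked child and the parent reports whether the allocator refused it. The function names (`tcache_double_free_detected`, `tcache_correct_use_accepted`, `child_refused`) and the 0x40 request size are my choices, not anything from the tweet.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Request size chosen so the chunk lands in tcache on 64-bit glibc
 * (anything up to 1032 bytes does); 0x40 is just a convenient demo size. */
#define CHUNK_SIZE 0x40

/* Run fn() in a forked child. Returns 1 if the child died by a signal
 * (SIGABRT from free()) or exited non-zero, i.e. the allocator refused the
 * operation; 0 if the child returned cleanly; -1 if fork/waitpid failed. */
static int child_refused(void (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fn();
        _exit(0);           /* _exit: do not flush inherited stdio buffers */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return 1;
    return WEXITSTATUS(status) != 0;
}

/* The "trivial" incorrect behaviour from the tweet: free the same chunk
 * twice in a row, with nothing in between. On glibc >= 2.29 the second
 * free() sees the tcache key in the chunk and aborts. */
static void trivial_double_free(void)
{
    char *p = malloc(CHUNK_SIZE);
    if (!p)
        _exit(2);
    memset(p, 'A', CHUNK_SIZE);
    free(p);
    free(p);
}

/* Control case: a correct free/malloc/free sequence on the same bin must
 * never be refused, so a false positive in the allocator would show here. */
static void correct_use(void)
{
    char *p = malloc(CHUNK_SIZE);
    if (!p)
        _exit(2);
    free(p);
    p = malloc(CHUNK_SIZE);   /* recycles the chunk from tcache */
    if (!p)
        _exit(2);
    free(p);
}

/* 1 if this system's allocator catches the trivial double free, 0 if it
 * silently accepts it (the Android 10 behaviour in the tweet). */
int tcache_double_free_detected(void)
{
    return child_refused(trivial_double_free);
}

/* 1 if a legitimate free/malloc/free sequence is accepted. */
int tcache_correct_use_accepted(void)
{
    return child_refused(correct_use) == 0;
}

int main(void)
{
    printf("trivial double free refused by allocator: %s\n",
           tcache_double_free_detected() == 1 ? "yes" : "no");
    printf("correct free/malloc/free accepted: %s\n",
           tcache_correct_use_accepted() ? "yes" : "no");
    return 0;
}
```

On a glibc 2.29+ system (Ubuntu 19.10 ships 2.30) the first line prints "yes" and the child's stderr shows the "double free detected in tcache 2" message; on an allocator without the key check the first line prints "no" and the child exits cleanly, which is exactly the silent acceptance an attacker relies on to get the same chunk returned by two consecutive malloc() calls.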
  15. Retweeted, 18 Jan
    Reply

    Actually, this also made me wonder about Intel CET forward-edge protection: It only verifies that the indirect branch target ends with ENDBR64, i.e. it only validates that it's some valid target and doesn't consider context/prototype hash as RAP/XFG do. Doesn't this make the ENDBR64 mechanism useless?
  16. Retweeted, 18 Jan

    New blog post: cuck00 An XNU/IOKit info leak 1day killed in iOS 13.3.1 beta 2.
  17. Retweeted, 16 Jan

    Great in-depth analysis of many of the changes that have been made thus far to support CET on Windows. Looking forward to the future of CET capable CPUs :)
  18. 13 Jan

    The SLOP approach is *outstanding*. Calling arbitrary objc methods has been known for some time (isa not signed), but showed here a scripting language. That's HIGHLY powerful, and that's exactly what I'm looking for while exploiting. Having a scripting language makes the exploit much more stable
  19. 12 Jan

    Check out 's great writeup on md15 from CTF ( - you rock!) - . Interesting point: if we run this on WSLv1, it immediately fails (due to different behavior in the loader) on the whole point of the change, revealing everything ;)
  20. Retweeted, 10 Jan

    Android: ashmem readonly bypasses via remap_file_pages() and ASHMEM_UNPIN
