j00ru//vx
@j00ru
(Mostly) Windows hacker & vulnerability researcher. Google Project Zero.
j00ru//vx’s Tweets
New blog post: Zooming in on Zero-click exploits
googleprojectzero.blogspot.com//2022/01/zoomi
Congrats to the winners of this year's Dragon CTF, and the 5⃣ teams that solved my small Linux pwnable "Nim" challenge!
As usual, I've uploaded my write-up and exploit on GitHub: github.com/j00ru/ctf-task
Quote Tweet
Dragon CTF 2021 is officially over!
Congratulations to the winners:
1. Balsn (@balsnctf)
2. organizers (@0rganizers)
3. More Smoked Leet Chicken (@leetmore)
Thank you for playing - GG!
Dragon CTF 2021 has started!
ctf.dragonsector.pl
Have Fun, Good Luck!
Reminder: This is a 24h CTF so start early :)
"Can you still relay authentication in a Windows domain if NTLM is disabled?", I asked myself. "Perhaps I should research that" I said. Here's a blog post about what I found out. googleprojectzero.blogspot.com/2021/10/using-
This week we are starting an experiment that enables V8's Virtual Memory Cage in Chrome on Desktop (currently only on Dev + Canary channels, then Beta and finally Stable). Here is how that'll work:
new blogpost:
"How a simple Linux kernel memory corruption bug can lead to complete system compromise: An analysis of current and potential kernel security mitigations"
I'll post a copy to the kernel-hardening list later in case folks want to discuss it.
googleprojectzero.blogspot.com/2021/10/how-si
weggli, my attempt at writing a fast and robust semantic search tool for C and C++ code is now open source: github.com/googleprojectz. Please take a look and let me know what you think.
After almost a full year I've scheduled the next livestream - Friday, 6PM CEST, Google Beginners Quest CTF 2021 - solving all tasks :)
New Project Zero blog post: Fuzzing Closed-Source JavaScript Engines with Coverage Feedback, googleprojectzero.blogspot.com/2021/09/fuzzin
I've released Seventh Inferno vulnerability report (some NETGEAR smart switches):
gynvael.coldwind.pl/?lang=en&id=742
This vuln is interesting technically: it starts with a \n injection in the pwd field, goes through being able to write a file with constant uncontrolled content of "2"
...
Faster fuzzing on macOS! If you're using Jackalope/TinyInst on macOS and need the -patch_return_addresses flag, you should now be able to replace it with -generate_unwind and enjoy fuzzing without slowdowns. Thanks for working on this!
Quote Tweet
My second internship at Project Zero brings macOS stack unwinding support in TinyInst (and implicitly in Jackalope). If you fuzz macOS targets that throw exceptions, you can now use the -generate_unwind flag (instead of the -patch_return_addresses flag) for a ~10x speed-up.
I've published the reports for 2 of 3 recently patched NETGEAR vulnerabilities:
gynvael.coldwind.pl/?id=740
gynvael.coldwind.pl/?id=741
1st is just an auth bypass, but the 2nd - while not that risky - is pretty fun (in a facepalm kind of way).
3rd will be published on Sept 13th.
Another set of NETGEAR vulnerabilities were patched yesterday - patch now.
kb.netgear.com/000063978/Secu
Affected models in reply...
I’m looking for a new position (remote work while being based in Germany or local, based near Bodensee).
Any pointers?
My friends told me I got nominated for my Windows 7 blind TCP/IP hijacking research. That's a great start of the day ;-)
Btw. On a side note, this already 9-year-old bug still doesn't have an allocated CVE ;-)
pwnies.com/windows-7-blin
Jackalope (github.com/googleprojectz) now supports fuzzing Linux targets with Sanitizer Coverage, see github.com/googleprojectz. Probably not super exciting at the moment as there are plenty of other fuzzers on Linux, but with some upcoming mutators, who knows ;-)
Project Zero's 2021 Disclosure Policy Update. Biggest changes:
1) if a bug is fixed under deadline, the technical details are released 30 days after the fix
2) we're planning to reduce the 90 day deadline starting next year
Full post & reasoning here: googleprojectzero.blogspot.com/2021/04/policy
Fixed this month: CVE-2021-26863, a race condition/use-after-free in win32k.sys demonstrating 's excellent Memory Access Trapping technique in Windows (googleprojectzero.blogspot.com/2021/01/window). It was a fun exercise to do some auditing in search of the specific code pattern.
Quote Tweet
Windows Kernel win32k UAF of the PDEVOBJ object via a race condition in NtGdiGetDeviceCapsAll bugs.chromium.org/p/project-zero
Really loving this collaboration with font guru , who knows typography inside out, far beyond just the exploitation-specific bits. So much potential for learning from each other 🤓 and finding some cool multi-browser memory corruption bugs in the meantime!
Quote Tweet
With more powerful font formats, it's important to keep browsers and apps safe. @j00ru and I found a #vulnerability in #DirectWrite when processing variable fonts: RCE on visiting a page with a specially crafted font. bugs.chromium.org/p/project-zero msrc.microsoft.com/update-guide/v
New blog post out on the in-the-wild (ITW) vulnerabilities that Project Zero saw back in March/April 2020: googleprojectzero.blogspot.com/2021/01/introd.
Excited to share these amazing posts by , Mark Brand and Sergei Glazunov covering four 0-day vulnerabilities found in the wild googleprojectzero.blogspot.com/2021/01/introd
Jackalope, my binary, coverage-guided, customizable, distributed fuzzer for Windows and macOS is now open-source. Happy fuzzing and happy holidays! :-)
Excited to finally publish my lockdown project from earlier this year: an iOS zero-click radio proximity exploit odyssey.
googleprojectzero.blogspot.com/2020/12/an-ios
Also check out Perfect Guesser's blog about the task, which has much more detail and better story telling :)
Quote Tweet
We won Dragon CTF 2020! Perfect Guesser is pretty strong :D
A bunch of us spent around ~30-40 hours total to solve @j00ru's BitmapManager. Here is a writeup: faraz.faith/2020-11-23-dra
GG! I pushed my Windows x64 pwnable binary together with a brief write-up and exploit code on GitHub: github.com/j00ru/ctf-task
Quote Tweet
The Dragon CTF 2020 is now over!
Congratulations to the winners:
Perfect Guesser (@pb_ctf + @GuesserSuper)
ALLES! (@allesctf)
hxp (@hxpctf)
Thanks to all participating teams, and to our prize sponsor, @SumoLogic!
Full scoreboard: ctf.dragonsector.pl/?scoreboard
Dragon CTF 2020 is happening this weekend!
ctf.dragonsector.pl
ctftime.org/event/1082
Start: Fr, 20 Nov. 2020, 22:00 CET
End: So, 22 Nov. 2020, 22:00 CET
CTFTime Weight: 98
Prizes: $2000/$1500/$1000 for Top1/2/3
Sponsors:
(prizes)
(infra)
𝓗𝓕 𝓖𝓛!
In addition to last week's Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: bugs.chromium.org/p/project-zero
Scam warning:
We were just informed that a third party is impersonating us under the dragonsector_org domain, and they are trying to scam people who are trying to recover their lost cryptocurrencies.
To state the obvious, Dragon Sector isn't related in any way to this activity.
Project Zero blog: "Attacking the Qualcomm Adreno GPU" -- googleprojectzero.blogspot.com/2020/09/attack
"What fascinates me in Hacking" by
Official Release ➡️ osw_fs_windows:
github.com/Wenzel/osw-fs-
A git history of Windows filesystems
What's available:
➡️ Win98
➡️ WinXP
➡️ Windows 10 (up to 20H1)
The bug report is now public at bugs.chromium.org/p/project-zero
Quote Tweet
For Samsung, there are new vulnerabilities in the custom Qmage codec fixed as SVE-2020-17675 (no CVE yet), which have similar severity to the Qmg bugs exploited in April. Full details in the P0 tracker are restricted until 90 days elapse under our 2020 disclosure policy trial.
A direct link to the exploit is here: github.com/googleprojectz
And a visualization of the ASLR bypass #3 mentioned in the post is shown in the GIF below (relevant frames 33-57):
The final part 5 of my Samsung MMS exploit blog series is out 🎉 It covers bypassing Android 10 ASLR and getting RCE. Also comes with the exploit source code!
googleprojectzero.blogspot.com/2020/08/mms-ex