Xen exploitation part 1: XSA-105, from nobody to root

This blog post describes the exploitation of Xen Security Advisory 105 (XSA-105) [1] (CVE-2014-7155). This post explains the environment setup and shows the development of a fully working exploit on Linux 4.4.5.

more ...

Reversing a Finite Field Multiplication Optimization

An optimization for the finite field multiplication on 128-bit elements for AES-GCM exists whose explanation was not published, preventing any further application with different parameters. We reverse engineered the result to 1) get the explanation and 2) be able to apply it with other parameters.

more ...

Implementing a Custom Directive Handler in Clang

HOW-TO: Implementing a custom directive processor in clang to drive the compilation process of our LLVM-base code obfuscator, while maintaining backward-compatibility if another compiler is used. What a good opportunity for a journey in the first compiler stages!

more ...

Binmap: a system scanner

Open sourcing binmap, a tool to scan filesystem and gather intel on which binaries are there, what are their dependencies, which symbols they are using and more. This yields a global view of a system, providing the basic block for building other tools!

more ...

Windows Filtering Platform: Persistent state under the hood

Since Windows XP SP2, the Windows firewall is deployed and enabled by default in every Microsoft Windows operating system. Starting with Windows Vista the firewall relies on a set of API and services called the Windows Filtering Platform (WFP). Although used by almost every Windows OS, WFP is still one of the relatively unknown beast that lies in the kernel. In this post we will see how the firewall manages its persistent state.

more ...

IRMA v1.3.0

This post deals with the new features in IRMA 1.3.0 released earlier this month, from both a user and a contributor point of view.

more ...

Clang Hardening Cheat Sheet

While improving the documentation (d'oh!) of our home grew obfuscator based on LLVM, we wrote a cheat sheet on clang's hardening features, and some of ld ones. It turns out existing hardening guides generally focus on GCC, while Clang also has an interesting set of hardening features. So let's share it in this blog post!

more ...

Offres de stages Quarkslab pour la saison 2015-2016

Chaque saison, des nuées de stagiaires quittent les réconfortants bancs de l'école pour rejoindre le monde sans pitié du travail. Afin de faciliter cette transition, nous, à Quarkslab, proposons des stages avec des sujets pointus, un encadrement sans complaisance mais néanmoins chaleureux, un régime alimentaire digne de sportifs de haut niveau (indispensable pour tenir le rythme), et un humour imperméable aux blagues qui ne font pas toujours un tabac. Si toi aussi tu aimes les défis, engage toi avec nous !

more ...

Remote Code Execution as System User on Android 5 Samsung Devices abusing WifiCredService (Hotspot 2.0)

This article explains a recently disclosed vulnerability, independently discovered by the Google's Project Zero team and by Quarkslab some months ago. To our knowledge, this vulnerability was present, on all Samsung devices using Android 5, and allowed remote code execution as system user simply by browsing a website, by downloading an email attachment or via a malicious third party application with no permission.

more ...

llvm_dev_meeting:

LLVM developer Meeting report

more ...