For Science! - Using an Unimpressive Bug in EDK II to Do Some Fun Exploitation

In this blog post we'll see a technique to gain code execution in SMM from a very limited write primitive.

more ...

Post-Exploitation: Abusing the KeePass Plugin Cache

This blog post presents a post-exploitation approach to inject code into KeePass without process injection. It is performed by abusing the cache resulting from the compilation of PLGX plugin.

more ...

Defeating eBPF Uprobe Monitoring

This article introduces a kind of eBPF program that may be used to monitor userspace programs. It first introduces you to eBPF and uprobes and then explores the flaws that we found in uprobes.

more ...

Beware the Bad Neighbor: Analysis and PoC of the Windows IPv6 Router Advertisement Vulnerability (CVE-2020-16898)

This blog post analyzes the vulnerability known as "Bad Neighbor" or CVE-2020-16898, a stack-based buffer overflow in the IPv6 stack of Windows, which can be remotely triggered by means of a malformed Router Advertisement packet.

more ...

CVE-2018-6924: FreeBSD ELF Header Parsing Kernel Memory Disclosure

On September 2018, FreeBSD published the security advisory FreeBSD-SA-18:12, fixing a kernel memory disclosure vulnerability affecting all the supported versions of this operating system.

more ...

Exploiting MS16-145: MS Edge TypedArray.sort Use-After-Free (CVE-2016-7288)

On February 9, 2017, Natalie Silvanovich from Google Project Zero unrestricted access to P0's issue #983 , titled "Microsoft Edge: Use-after-free in TypedArray.sort", which got assigned CVE-2016-7288 and was patched as part of Microsoft security bulletin MS16-145 during December 2016. In this blog post we discuss how I managed to exploit this UAF issue to obtain remote code execution on MS Edge.

more ...

Xen exploitation part 3: XSA-182, Qubes escape

This is the last part of our blogpost series about Xen security . This time we write about a vulnerability we found (XSA-182) (CVE-2016-6258) and his exploitation on Qubes OS project.

more ...

Xen exploitation part 2: XSA-148, from guest to host

This blog post describes the exploitation of Xen Security Advisory 148 (XSA-148) (CVE-2015-7835). It has been discovered by Shangcong Luan of Alibaba and publicly disclosed in October 2015. At the time, we were working on writing an exploit and no public proof of concept nor exploit were available. Today, the security researcher responsible of the vulnerability disclosure has given a public talk and will give conferences explaining his approach . We decided to publish this blogpost anyway because our exploitation strategy is a little bit different.

more ...

Xen exploitation part 1: XSA-105, from nobody to root

This blog post describes the exploitation of Xen Security Advisory 105 (XSA-105) (CVE-2014-7155). This post explains the environment setup and shows the development of a fully working exploit on Linux 4.4.5.

more ...

Why 2FA would not have saved HT?

Nowadays, two-factor authentication is unavoidable. This blogpost details a vulnerability found in the implementation of a YubiKey OTP verification server.

more ...