Exploiting MS16-145: MS Edge TypedArray.sort Use-After-Free (CVE-2016-7288)

On February 9, 2017, Natalie Silvanovich from Google Project Zero unrestricted access to P0's issue #983 , titled "Microsoft Edge: Use-after-free in TypedArray.sort", which got assigned CVE-2016-7288 and was patched as part of Microsoft security bulletin MS16-145 during December 2016. In this blog post we discuss how I managed to exploit this UAF issue to obtain remote code execution on MS Edge.

more ...

Xen exploitation part 3: XSA-182, Qubes escape

This is the last part of our blogpost series about Xen security . This time we write about a vulnerability we found (XSA-182) (CVE-2016-6258) and his exploitation on Qubes OS project.

more ...

Xen exploitation part 2: XSA-148, from guest to host

This blog post describes the exploitation of Xen Security Advisory 148 (XSA-148) (CVE-2015-7835). It has been discovered by Shangcong Luan of Alibaba and publicly disclosed in October 2015. At the time, we were working on writing an exploit and no public proof of concept nor exploit were available. Today, the security researcher responsible of the vulnerability disclosure has given a public talk and will give conferences explaining his approach . We decided to publish this blogpost anyway because our exploitation strategy is a little bit different.

more ...

Xen exploitation part 1: XSA-105, from nobody to root

This blog post describes the exploitation of Xen Security Advisory 105 (XSA-105) (CVE-2014-7155). This post explains the environment setup and shows the development of a fully working exploit on Linux 4.4.5.

more ...

Why 2FA would not have saved HT?

Nowadays, two-factor authentication is unavoidable. This blogpost details a vulnerability found in the implementation of a YubiKey OTP verification server.

more ...

TCP backdoor 32764 or how we could patch the Internet (or part of it ;))

Eloi Vanderbéken recently found a backdoor on some common routers, which is described on his GitHub here. Basically, a process that listens on the 32764 TCP port runs, sometimes accessible from the WAN interface. We scanned the v4 Internet to look for the routers that have this backdoor wild open, and gathered some statistics about them. We will also present a way to permanently remove this backdoor on Linksys WAG200G routers.

more ...

Evasi0n Jailbreak: Precisions on Stage 3

The new jailbreak for iOS 6.1, named Evasi0n, is detailed in this article, thanks to Braden Thomas. A few more details are needed regarding the very end on the page signing cancelation. Actually, in order to evade code signed verification, the amfi.dylib is cleverly structured. The idea is as follow: force the MISValidateSignature (which returns the status of code signing verification) to always return 0. That way, one will be able to execute any unsigned code. Hence, this raises 2 questions: How to force MISValidateSignature to always return 0? How to pass the code signed verification for amfy.dylib?

more ...