Blog News Exploit -
| Date | Title | Summary | Category | Source |
|---|---|---|---|---|
| | | In this post I examine Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS, with a focus on how Apple has improved over the ARM standard. I then demonstrate a way to use an arbitrary kernel read/write primitive to forge kernel PAC signatures for the A keys, which is sufficient to execute arbitrary code in the kernel using JOP. The technique I discovered was (mostly) fixed in iOS 12.1.3. In fact, this fix first appeared in the 16D5032a beta while my research was still ongoing. | | |
| | voucher_swap: Exploiting MIG reference counting in iOS 12 | In this post I'll describe how I discovered and exploited CVE-2019-6225, a MIG reference counting vulnerability in XNU's task_swap_mach_voucher() function. We'll see how to exploit this bug on iOS 12.1.2 to build a fake kernel task port, giving us the ability to read and write arbitrary kernel memory. (This bug was independently discovered by @S0rryMybad.) In a later post, we'll look at how to use this bug as a starting point to analyze and bypass Apple's implementation of ARMv8.3 Pointer Authentication (PAC) on A12 devices like the iPhone XS. | Exploit blog | Project Zero |
| 12.12.18 | Adventures in Video Conferencing Part 3: The Even Wilder World of WhatsApp | WhatsApp is another application that supports video conferencing that does not use WebRTC as its core implementation. Instead, it uses PJSIP, which contains some WebRTC code, but also contains a substantial amount of other code, and predates the WebRTC project. I fuzzed this implementation to see if it had similar results to WebRTC and FaceTime. | Exploit blog | Project Zero |
| 1.12.18 | Injecting Code into Windows Protected Processes using COM - Part 2 | In my previous blog I discussed a technique which combined numerous issues I've previously reported to Microsoft to inject arbitrary code into a PPL-WindowsTCB process. | Exploit blog | Project Zero |
| | | On the majority of systems, under normal conditions, SwiftShader will never be used by Chrome; it is used as a fallback if you have a known-bad "blacklisted" graphics card or driver. However, Chrome can also decide at runtime that your graphics driver is having issues, and switch to using SwiftShader to give a better user experience. | | |
| 14.11.18 | Deja-XNU | This blog post revisits an old bug found by Pangu Team and combines it with a new, albeit very similar issue I recently found to try to build a "perfect" exploit for iOS 7.1.2. | Exploit blog | Project Zero |
| | The Emergence of the New Azorult 3.3 | During the last week, Check Point Research spotted a new version of Azorult in the wild being delivered through the RIG exploit kit, as well as other sources. Azorult is a long known information stealer and malware downloader, with this particular version being advertised in an underground forum since October 4. | Exploit blog | Checkpoint |
| | CeidPageLock: A Chinese RootKit | Research by Israel Gubi. Over the last few weeks, we have been observing a rootkit named CEIDPageLock being distributed by the RIG Exploit kit. The rootkit was first discovered by 360 Security Center... | | |
| | Return of the Festi Rootkit | Festi, a once popular rootkit, is back in the wild, distributed mainly by the RIG exploit kit. A long known Windows rootkit, Festi dates back to 2009 where at that time it served. | Exploit blog | |
| | A New Rig Exploit Kit Campaign Dropping XMRig Miner | Cryptocurrency values may be tumbling but cyber criminals are still hedging their bets on its long term returns. Check Point researchers have discovered a new malvertising campaign leading to the Rig Exploit Kit. | Exploit blog | |
| | | FireEye identified a new exploit kit that was being served up as part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region. | | |