The way of cultivation comes down to two things: reading the true scriptures, whether ancient or imported from the Great Liao, and hands-on practice. Works such as The Art of Software Security Assessment, Understanding the Linux Kernel, Windows Internals and A Guide to Kernel Exploitation, or the mantras occasionally posted at a scripture-spreading place called Phrack, are all required reading for practitioners. Once you feel your inner strength has reached a certain level, you head to the training grounds to fight small monsters; among the better-known ones is an arena called pwnable.kr, said to be where the ancient prodigy lokihardt made his debut. The people of the Great Liao love to share: at the Google monastery, an order named Project Zero releases annotated scriptures every so often, and crowds flock to watch. After cultivating a while longer, you descend the mountain to fight a series of monsters called CTF, whose highest tier is DEFCON CTF; every year a batch of practitioners crosses the ocean to Las Vegas to compete there, trading blows with the PPP sect of the Carnegie Mellon monastery and the DEFKOR sect from the cosmic kingdom of Korea.
Download this theme pack, pwned with system shell?
Android users may be familiar with theme packs, which are a major advantage of Android over iOS. Two years ago we ran a cooperation project with Huawei to dig for vulnerabilities in Huawei's EMUI 3.1 and 4.0, and discovered several, all of which were reported during the project and have since been fixed.
Some of these bugs are quite interesting, though, so I'd like to share them in a series of blog posts. This post covers a vulnerability that can be triggered both locally and remotely to gain system privilege via a malicious theme pack. If you download and install such a specially crafted malicious theme from a third-party channel, you get pwned.
Racing for everyone: descriptor describes TOCTOU in Apple’s core
This blog post is about a new class of vulnerability in IOKit that I discovered and submitted to Apple in 2016. A brief scan with an IDA script on macOS turned up at least four bugs, with three CVEs assigned (CVE-2016-7620/4/5); see https://support.apple.com/kb/HT207423. I was told afterwards that there are even more issues of this type in iOS's and OS X's IOKit drivers, and fortunately Apple fixed those as well.
As KASLR is gradually being adopted on Android, and because exploits for earlier bugs need to be stable, kernel infoleak bugs are becoming more and more important. Here I want to explain two infoleak bugs on Android: one that I found and that is now fixed, and another that is a known and fixed bug but is very useful because it exists on all Android platforms.
The Journey of a complete OSX privilege escalation with a single vulnerability – Part 1
In previous blog posts Liang talked about the userspace privilege escalation vulnerability we found in WindowServer. In the following articles I will talk about the Blitzard kernel bug we used at this year's pwn2own to escape the Safari renderer sandbox, which exists in the blit operation of the graphics pipeline. From an exploiter's perspective, we took advantage of a vector out-of-bounds access which, under carefully prepared memory conditions, leads to a write-anywhere-but-value-restricted primitive, and used it to achieve both an infoleak and RIP control. In this article we introduce the exploitation methods we played with, mainly in kalloc.48 and kalloc.4096.
First we introduce the function in which the overflow occurs, what we can control, and how these affect the subsequent exploitation.