Update: Huawei has assigned CVE-2017-2692, CVE-2017-2693
Download this theme pack, pwned with system shell?
Android users may be familiar with theme packs, a major advantage of Android over iOS. Two years ago we conducted a cooperation project with Huawei, hunting for vulnerabilities in Huawei’s EMUI 3.1 and 4.0; several vulnerabilities were discovered, which of course were reported during the cooperation project and have been fixed.
Some of these bugs are quite interesting, though, so I’d like to share them in a series of blog posts. This post will cover a vulnerability that can be triggered both locally and remotely to gain system privilege via malicious theme packs. If you download and install such a specially crafted malicious theme from a third-party channel, you will get pwned.
Racing for everyone: descriptor describes TOCTOU, a new class of vulnerabilities in Apple’s iOS/OSX kernel
This article is about a new class of attack surface we found in the IOKit drivers of Apple’s kernel. I previously wrote an IDA script to do a simple scan and found that at least four drivers had this class of issue, which I reported to Apple; Apple assigned 3 CVEs (CVE-2016-7620/4/5), see https://support.apple.com/kb/HT207423. Later, when I chatted with Apple’s security engineers, they told me they had fixed more than ten vulnerabilities based on this pattern, including several exploitable vulnerabilities in the iOS kernel.
Racing for everyone: descriptor describes TOCTOU in Apple’s core
This blog post is about a new type of vulnerability in IOKit that I discovered and submitted to Apple in 2016. I did a brief scan using an IDA script on MacOS and found at least four bugs, with 3 CVEs assigned (CVE-2016-7620/4/5), see https://support.apple.com/kb/HT207423. I was told afterwards that there are even more issues of this type in iOS’/OSX’s IOKit drivers, and fortunately Apple fixed them as well.
Recently, as KASLR is gradually being adopted on Android, and because of the exploitation-stability requirements of previous bugs, kernel infoleak bugs are becoming more and more important. Here I want to explain two infoleak bugs on Android: one found by me and now fixed, and another that is a known and fixed bug but very useful since it exists on all Android platforms.
This is the writeup for CVE-2016-4697, which I reported and for which I received credit from Apple at https://support.apple.com/en-us/HT207170
Buffer overrun in AppleHSSPIHIDDriver
Pwning the whole kernel with a single rectangle, part 1 – the dance of zones
The discovery and exploitation of Blitzard, CVE-2016-1815. We completed this exploit in three steps; this article first introduces the second and third steps –
The Journey of a complete OSX privilege escalation with a single vulnerability – Part 1
In previous blog posts Liang talked about the userspace privilege escalation vulnerability we found in WindowServer. In the following articles I will talk about the Blitzard kernel bug we used in this year’s pwn2own to escape the Safari renderer sandbox, which exists in the blit operation of the graphics pipeline. From an exploiter’s perspective we took advantage of a vector out-of-bounds access which, under carefully prepared memory conditions, leads to a write-anywhere-but-value-restricted primitive, used to achieve both infoleak and RIP control. In this article we will introduce the exploitation methods we played with, mainly in kalloc.48 and kalloc.4096.
First we will introduce the very function in which the overflow occurs, what we can control, and how these affect our subsequent exploitation.
Interesting Integer overflow in enum comparison IOHIDDevice::handleReportWithTime
By flanker from KeenLab.
There exists a signed integer comparison overflow in IOHIDDevice::_getReport and then handleReportWithTime, which can lead to out-of-bounds access/execution in handleReportWithTime. A normal process can leverage this vulnerability to achieve potential code execution in the kernel and escalate privilege.