🔥 1/ In the last 6 months working on Linux kernel bug hunting/exploitation there have been a number of key resources which have been super useful (coming from a macOS/Windows background) to understand the state of things in 2022 🚀.
Here's a short 🧵 to recognise this + thoughts:
✍️ 1/ Want to learn how to bug hunt in hard targets and find high impact issues? Here’s a short Sunday 🧵 for those starting out and some general thoughts from over the years on software security:
Just posted a rare non-technical short blog aiming to demystify security research a bit. Part 1 is focusing on choosing topics, approach, mindset. I feel like as an industry we often see the output from research but less about the process of getting there.
I am often asked what books have had the most impact on me in security. This is a really tough question as I have read so many, however, here are some I have on my shelf and why they were important to me 👇
🔥 1/ As promised here is the long blog write-up of a 6 year old Linux kernel UAF vulnerability (CVE-2022-32250) which we exploited multiple times to gain reliable priv esc on Ubuntu 22.04. @nccgroupinfosec EDG @saidelike @fidgetingbits @alexjplaskett 🧵
Blog: SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250) against the latest Ubuntu (22.04) and Linux kernel 5.15 - by @saidelike, @alexjplaskett and @FidgetingBits -
Just published a write-up of CVE-2020-3919 which was patched in macOS 10.15.4 and iOS 13.4, an uninitialised kernel memory vulnerability within IOHIDLibUserClient:
I recently got asked about WiFi over-the-air exploits and my knowledge was fairly rusty. In refreshing this I went over a number of papers and tooling - here are 8 of them! 🧵
Ever wanted to exploit Windows 10 with CVE-2021-31956? Obsessive about kernel memory layouts? is now up focusing on exploit reliability, stability and detection! #windows
Continuing on from my previous thread on remote exploits (macOS/Linux) here is the eagerly anticipated Windows version!
A small selection from multiple areas! #cybersecurity #windows
With so many high achieving people in security it’s common to feel like you never get enough work done. You should always take a step back and appreciate yourself. If you worked hard it will compound! Keep the momentum up! 💪
One problem with software security is that there are lots of materials explaining specific vulns or exploits but not many giving a broad structured overview in one place.
This free book on Low-Level Security for Compiler Developers aims to address this.
Everyone knows that a firewall is meant to provide network security. However, what happens if that appliance has vulnerabilities on your external perimeter?
Here are 5 pieces of firewall and VPN exploit research from the past:
At the end of last year I decided to take a look into consumer router security (Netgear, TP-Link, Synology) and damn was there a lot of great previous research! Here are some articles which practically demonstrate RCE from a LAN or WAN perspective:
Jailbreaking the Sonos Era 100
The Era 100 is Sonos’s flagship device, released on March 28th 2023 and is a notable step up from the Sonos One. @NCCGroupInfosec found multiple weaknesses within the bootloader which could lead to full compromise. #sonos
1/ As someone who has reviewed hundreds of CVs for job applications in the past, I just want to highlight some personal tips for vulnerability researchers in order to maximise their applications (i.e. outside typical career history and education). 🧵
The amount of free training courses available these days for #cybersecurity is wild. People ask me if it's worth paying for a specific course? First, have you seen all the free material out there?
Let's dig into a selection! 👇
Friday was my last day at F-Secure (ex-MWR) after 12 years. Been quite a ride and grateful I had the opportunity to work with some brilliant people! Looking forward to new challenges now! If anyone’s interested in hiring me for a UK role, please reach out.
1/18 As 2021 is starting to come towards an end, now seems to be a good time to look back at all the great macOS vulnerability research / exploit development published during the year! Tried to keep to macOS mainly but obviously there's some crossover with iOS research too. 🧵
Game hackers really do perform in-depth reverse engineering!
A great post on analysis of Valorant's Guarded Regions by @Xyrem256
Reverse engineering integrity checks in Black Ops 3 by @momo5502
Another interesting talk by industry legend and prolific bug hunter @ivansprundel on TCP/IP stack fuzzing at #37c3
Ilja talks about his experiences co-opting an existing userland TCP/IP stack to perform stateful fuzzing. He goes through the history,
Happy to announce @robHerrera_ and myself will be presenting about Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap at BlackHat USA this year! We will demo remotely compromising the device and capturing audio.
Something a little different from my usual 0day research, just published a write-up of using DynamoDB streams and AWS Lambda functions to post-process crash logs for fuzzing triage:
I got asked the other day if there is any advice for those wanting to get more into vuln research. Off the top of my head I didn’t give a great answer! So here are 5 things now that I have actually thought about it more:
1/⚠️ CVE-2022-32250 (CVE-2022-1966) - A 6 year old bug in the Linux kernel by @nccgroupinfosec EDG @saidelike @fidgetingbits @alexjplaskett
Vuln write-up: Pretty fun bug to work on + challenging to exploit. We rewrote the exploit many times. More info soon
See our (@aflplusplus team's) talk on how to "Fuzz Everything, Everywhere, All at Once" with LibAFL and QEMU today at 13:50 on Stage 1 at #37c3 #LibAFL #Fuzzing
I have just released my slides for "VR for Pwn2" from the @syspwnx talk I gave yesterday. Covering general P2O/VR experience, SoHo Smash-Up Ubiquiti and Lexmark printers.
✍️ "An Introduction to Chrome Exploitation: Maglev Edition" by @matteomalvica is a great write-up for understanding the V8 pipeline and Chromium security. The post features a detailed walkthrough of CVE-2023-4069. Highly recommended!
My team EDG is looking for an experienced exploit developer! RTs welcome!
This is a full time research and development role, primarily contributing to the development of capabilities for consultants, showcasing knowledge, collab with other teams etc.
Seeing a lot more interest/investigations around using LLM agents and tool integration for automated hacking / CTFs recently.
by NYU / @moyix
by Project Zero
by @daveaitel
Cool hardware hacking talk on the Nintendo DSi today at #37c3 by PoroCYon
They did the following:
1) Dump the ARM7 ROM using vector glitch hack
2) Dump the ARM9 ROM using double glitch hack
3) Find weak spots in the ARM9 ROM
Now that Apple's XNU KDK 10.15.4 build 19E287 is released, it means that it is possible to kernel debug and run a KASAN kernel the same version as the current released macOS build! Have updated my old blog post with this version now:
Hi Hackers,
Let’s celebrate all our wins and inspire others by dropping a link below to a write-up of some public security research you’re the most proud of!
Don’t be shy! Let’s goo! 👇
#CyberSecurity
NCC Group's EDG also developed a POC exploit recently for CVE-2022-0185 (Linux kernel root and a container breakout) by @alexjplaskett @FidgetingBits @saidelike - Make sure to get those patches deployed, or implement the mitigation
Looks like quite a few interesting papers from NDSS Symposium 2024 (LLM/Fuzzing/Exploitation)
Large Language Model guided Protocol Fuzzing
DeGPT: Optimizing Decompiler Output with LLM
DeepGo: Predictive Directed Greybox Fuzzing
Just looking through the technical talks at CCC this year, there’s quite a few interesting sounding ones coming up!
Operation Triangulation: What You Get When Attack iPhones of Researchers by @oct0xor @kucher1n @bzvr_
Apple's iPhone 15: Under the C
Just published a small article about the tooling available for coverage guided fuzzing in Go. Might save some other Go newbies some background research time.
Write-up of a remote code execution vulnerability in Western Digital PR4100 used at Pwn2Own 2021 by @NCCGroupInfosec EDG (@alexjplaskett @saidelike @FidgetingBits)
Vuln was in AppleDouble file format handling, which you may recognise from the recent Samba vuln too
Crashing to obtain root! Here are the tech details of a vuln which could be used to compromise Lexmark printers with network level access at Pwn2Own. Dir traversal file write through PJL was discovered and exploited + AWK crash to abuse the crash handling.
A thread on recent automotive security research.
I will highlight a selection of things which caught my eye during recent explorations. #automotive #cybersecurity
📣 1/ @nccgroupinfosec Exploit Development Group is looking for a 4th team member to join our team to develop exploits for consultants to achieve their objectives on engagements, perform research and development, do Pwn2Own etc. Our recent work 🧵
Here is a collection of great articles which show extending syzkaller grammars and pseudo-syscalls.
Tickling ksmbd: fuzzing SMB in the Linux kernel by @notselwyn
by @xairy
One interesting talk I noticed recently was "LLM4Shell: Discovering and Exploiting RCE Vulnerabilities in Real-World LLM-Integrated Frameworks and Apps"
If you’re interested to see what type of software defects SOHO routers have, check out our research - 7 exploit chains (Netgear, TP-Link, Synology, Ubiquiti) and pivoted from WAN > LAN.
Slides:
Video:
#cybersecurity #routers
Not long left until tomorrow the 8th 11:20 PST when myself and @robHerrera_ demonstrate remote kernel code execution and audio capture implant deployment against Sonos devices in @BlackHatEvents South Pacific F, Level 0. #BHUSA
Today we've gone public with a vulnerability we found in cow tracking collars. My project student Sam was able to fully reverse the protocol, allowing us to both read and inject animal activity data. The paper is available here under open access.
When it seems like you are not finding any vulns
When you’re just about to give up
When it feels impossible
That’s exactly when it’s time to double down and go harder than ever!