j00ru//vx

@j00ru

Followers
38,424
Following
828
Media
16
Statuses
1,308

(Mostly) Windows hacker & vulnerability researcher. Google Project Zero. @DragonSectorCTF

Switzerland
Joined April 2010
@j00ru
j00ru//vx
4 years
Today I'm happy to release new research I've been working on for a while: 0-click RCE via MMS in all modern Samsung phones (released 2015+), due to numerous bugs in a little-known custom "Qmage" image codec supported by Skia on Samsung devices. Demo:
22
761
2K
@j00ru
j00ru//vx
6 years
In summary of the last ~1.5 years of my work, I wrote a comprehensive whitepaper on the limitations of C language, kernel infoleaks, Bochspwn Reloaded and many related topics. It's out now! Thanks to all involved. Feels good 😎
@benhawkes
Ben Hawkes
6 years
Project Zero blog: "Detecting Kernel Memory Disclosure – Whitepaper" by @j00ru -
1
257
487
13
486
1K
@j00ru
j00ru//vx
6 years
Meet BrokenType – the font fuzzing toolset that helped me find 39 vulns in the Windows kernel and user-mode Uniscribe library in 2015-2017. It includes a font mutator, generator and loader. Now on GitHub:
4
505
1K
@j00ru
j00ru//vx
6 years
I've released an archive of the 13 low-level challenges I developed for CTFs organized with @DragonSectorCTF in 2014-2018, mostly Windows/Linux pwning. This includes task binaries, write-ups and exploits. I hope it'll entertain some more hackers 💻
5
392
984
@j00ru
j00ru//vx
6 years
New blog post: Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018).
1
344
525
@j00ru
j00ru//vx
4 years
The final part 5 of my Samsung MMS exploit blog series is out 🎉 It covers bypassing Android 10 ASLR and getting RCE. Also comes with the exploit source code!
3
226
500
@j00ru
j00ru//vx
6 years
The Windows syscall tables from my blog are now on GitHub, updated with Windows 10 1803 and formatted as CSV/JSON for easier use in software. Enjoy!
3
263
453
@j00ru
j00ru//vx
6 years
My Infiltrate slides about recent progress in Windows kernel infoleak detection: Topics covered: • Windows x64 instrumentation • Leaks to file systems • Double-write conditions • Visual Studio .pdb heap disclosure
2
244
453
@j00ru
j00ru//vx
5 years
I'd assume PE parsing in the Windows kernel would be well tested but surprisingly no, five such bugs were fixed last Patch Tuesday, all found by fuzzing. They crashed the OS as soon as they'd be written to disk or worst case viewed in Explorer. Details:
10
218
449
@j00ru
j00ru//vx
4 years
At last, the series begins: MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface. I'm excited to start sharing more about this work, starting with a deep dive into the internals and history of the codec.
3
223
452
@j00ru
j00ru//vx
6 years
In an effort to share more of my source code publicly, I've uploaded Bochspwn Reloaded (the kernel infoleak detector) to GitHub. For those interested, it may shed some light on the implementation details of the project. See:
3
225
429
@j00ru
j00ru//vx
7 years
I'm happy and honored to be listed #1 on this year's @msftsecurity researcher list. :) Congratulations to everyone who made it there.
30
42
426
@j00ru
j00ru//vx
4 years
With Windows 10 20H1 (2004) almost out the door, I've updated the system call tables on my blog and on GitHub. Delta-wise, this seems to be the biggest Windows 10 update yet: +7 syscalls in ntoskrnl and +64,-6 in win32k.sys
5
140
424
@j00ru
j00ru//vx
5 years
This weekend, I updated the Windows syscall tables on my blog and GitHub () with the upcoming Windows 10 1903 (19H1). There's one new ntoskrnl syscall – NtCreateCrossVmEvent (STATUS_NOT_IMPLEMENTED), with 8 removed and 24 added in win32k since 1809.
2
184
392
@j00ru
j00ru//vx
6 years
For those interested in coverage-guided fuzzing, I've just released CmpCov - an instrumentation module for clang/SanitizerCoverage, which breaks down CMP/strcmp()/etc. into bytes and writes the extra coverage data to standard .sancov files. Get it here:
2
174
364
@j00ru
j00ru//vx
7 years
Announcing Bochspwn Reloaded – a new kernel memory infoleak detector – and the REcon Montreal 2017 slides.
4
279
333
@j00ru
j00ru//vx
5 years
I'm very happy to be ranked #9 on this year's @msftsecurity researcher list at #BHUSA2019, which makes it the fifth year in top 10. Hats off to everyone else on the list! 😀
14
18
296
@j00ru
j00ru//vx
5 years
I've released the reports of 20 bugs found in Microsoft DirectWrite in the handling of OpenType fonts. They are in the P0 tracker as usual: . The 10 most important ones were fixed in Patch Tuesday yesterday, the rest were closed as vNext.
2
120
272
@j00ru
j00ru//vx
4 years
This week: MMS Exploit Part 2: Effective Fuzzing of the Qmage Codec
1
128
269
@j00ru
j00ru//vx
5 years
I've dug up some ancient versions of Adobe Reader to figure out exactly which symbols were public in which builds and when. Turns out all the core modules had them at some point. My full analysis on the P0 blog:
3
101
258
@j00ru
j00ru//vx
4 years
Trying hard to keep up the weekly cadence of the MMS series. Today we're finally moving to exploitation, starting with finding a good bug and building RCE/ASLR 🔮 primitives. Enjoy! MMS Exploit Part 3: Constructing the Memory Corruption Primitives,
1
126
252
@j00ru
j00ru//vx
7 years
Here's a short story on how patches introduced exclusively in Windows 10 may affect the security of Windows 7 and 8 by exposing 0-day bugs.
@benhawkes
Ben Hawkes
7 years
Project Zero blog: "Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs" by @j00ru -
5
272
380
5
197
247
@j00ru
j00ru//vx
7 years
The joy of ancient font driver code... this is by far the craziest/strangest KASLR bypass I've ever found. It's a shame this and a related issue will never be fixed on Windows 7 and 8.
@ProjectZeroBugs
Project Zero Bugs
7 years
Windows Kernel ATMFD.DLL NamedEscape 0x2511 pool address derivation from entropy accumulator
1
24
51
4
132
242
@j00ru
j00ru//vx
9 years
Owning Adobe Reader and the Windows Kernel with a single font bug - slides and other details of my research are out http://t.co/sFeaEqCfbT
6
327
237
@j00ru
j00ru//vx
5 years
DrSancov, another tiny tool I've been finding useful lately. It's a DynamoRIO plugin which mimics the output of ASAN and SanitizerCoverage, so that you can easily plug in a closed-source app into a fuzzing framework expecting a typical open-source target.
0
98
231
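Both CmpCov (above) and DrSancov produce standard .sancov files, so a small reader/writer is the glue a practitioner needs to merge coverage from these tools with a fuzzing framework. The following is an added example written for this page, not code from CmpCov, DrSancov or SanitizerCoverage. It assumes only the documented .sancov layout (an 8-byte little-endian magic, 0xC0BFFFFFFFFFFF64 for 64-bit PCs or 0xC0BFFFFFFFFFFF32 for 32-bit, followed by a flat PC array); the per-byte comparison encoding in cmp_feedback() is my own illustration of the CmpCov idea, not its actual format, and the PC sets are constructed sample data.

```python
"""Read, write and diff SanitizerCoverage .sancov files.

Added example for this page; it is not CmpCov's or DrSancov's code. It
assumes only the .sancov layout written by SanitizerCoverage: an 8-byte
little-endian magic (0xC0BFFFFFFFFFFF64 for 64-bit PCs, 0xC0BFFFFFFFFFFF32
for 32-bit), followed by a flat array of program counters. The CmpCov-style
per-byte encoding in cmp_feedback() is my own illustration of the idea.
"""
import struct

MAGIC64 = 0xC0BFFFFFFFFFFF64
MAGIC32 = 0xC0BFFFFFFFFFFF32


def write_sancov(pcs, bits=64):
    """Serialize a set of PCs the way an instrumentation module would at exit."""
    if bits == 64:
        magic, fmt = MAGIC64, "Q"
    elif bits == 32:
        magic, fmt = MAGIC32, "I"
    else:
        raise ValueError("bits must be 32 or 64")
    out = bytearray(struct.pack("<Q", magic))
    for pc in sorted(set(pcs)):
        out += struct.pack("<" + fmt, pc)
    return bytes(out)


def read_sancov(data):
    """Parse .sancov bytes into (pc_width_bits, set_of_pcs); reject truncated input."""
    if len(data) < 8:
        raise ValueError("file too short for magic")
    (magic,) = struct.unpack_from("<Q", data, 0)
    if magic == MAGIC64:
        width, fmt = 8, "Q"
    elif magic == MAGIC32:
        width, fmt = 4, "I"
    else:
        raise ValueError(f"bad .sancov magic {magic:#x}")
    body = data[8:]
    if len(body) % width:
        raise ValueError("PC array is not a whole number of entries")
    n = len(body) // width
    return width * 8, set(struct.unpack_from(f"<{n}{fmt}", body, 0))


def new_coverage(baseline, run):
    """PCs the new run hit that the merged corpus coverage never reached."""
    return run - baseline


def cmp_feedback(site_pc, a, b):
    """CmpCov-style breakdown of one multi-byte comparison at `site_pc`:
    one synthetic coverage point per matching leading byte, so the fuzzer
    gets credit for every byte of a magic value it guesses, not only for
    the final all-or-nothing branch."""
    points = set()
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            break
        points.add((site_pc << 8) | i)   # my encoding: site in the high bits, byte index low
    return points


# Constructed sample data: coverage of the existing corpus and of one new input.
CORPUS_PCS = {0x7FF6A0001000, 0x7FF6A0001040, 0x7FF6A00010A0}
NEW_INPUT_PCS = {0x7FF6A0001000, 0x7FF6A00010A0, 0x7FF6A0001200, 0x7FF6A0001230}


def demo():
    """Round-trip both sets through the file format and report the new PCs."""
    _, corpus = read_sancov(write_sancov(CORPUS_PCS))
    _, run = read_sancov(write_sancov(NEW_INPUT_PCS))
    return sorted(new_coverage(corpus, run))


if __name__ == "__main__":
    for pc in demo():
        print(f"new pc: {pc:#x}")
```

The length check on the PC array matters in practice: a target killed mid-write (common when fuzzing crashy closed-source binaries) leaves a truncated file, and silently reading a partial PC produces phantom coverage.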
@j00ru
j00ru//vx
5 years
Are you interested in font security? I've just updated my BrokenType repository () with several new tools: font2pdf (embedding custom fonts in PDFs), a DirectWrite API testing harness and a Windows FontSub.dll loader. Enjoy :)
0
71
230
@j00ru
j00ru//vx
5 years
In the vein of sharing pieces of my toolset, here's another one: a super thin PE loader for Linux, based on the pe-parse library. Worked for the Windows font subsetter, may work for other self-contained DLLs.
1
92
228
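The kernel PE-parsing bugs mentioned earlier and the thin PE loader above both come down to the same thing: every header offset in a PE file is attacker-controlled and must be bounds-checked before use. The following is an added example written for this page, not j00ru's loader and not the pe-parse library. It assumes only the public PE/COFF header layout, and the PE image it parses is constructed inline (a 64-bit file with a single .text section), so it runs offline.

```python
"""Defensive PE header parser with explicit bounds checks.

Added example for this page; it is not j00ru's Linux PE loader and not the
pe-parse library. It assumes only the public PE/COFF header layout, and it
builds its own constructed PE image (a 64-bit file with one .text section)
so that it runs offline.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DOS_HEADER_SIZE, COFF_SIZE, SECTION_SIZE = 64, 20, 40


class PEFormatError(ValueError):
    pass


def _need(data, off, size, what):
    """Every offset+size pair is checked against the buffer before any read.
    Python integers cannot overflow, but in C this sum is exactly where a
    malicious e_lfanew or PointerToRawData wraps around: check both parts."""
    if off < 0 or size < 0 or off > len(data) or size > len(data) - off:
        raise PEFormatError(f"{what}: {size} bytes at {off:#x} exceed file size {len(data):#x}")


def parse_pe(data):
    """Return machine, PE32+ flag and section list, or raise PEFormatError."""
    _need(data, 0, DOS_HEADER_SIZE, "DOS header")
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise PEFormatError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    _need(data, e_lfanew, 4 + COFF_SIZE, "NT headers")
    (signature,) = struct.unpack_from("<I", data, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise PEFormatError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + COFF_SIZE
    if opt_size < 2:
        raise PEFormatError("optional header too small to hold Magic")
    _need(data, opt, opt_size, "optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise PEFormatError(f"unknown optional header magic {magic:#x}")
    sect = opt + opt_size
    _need(data, sect, nsections * SECTION_SIZE, "section table")
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, sect + i * SECTION_SIZE)
        if rsize:  # SizeOfRawData == 0 means uninitialized data (.bss); nothing on disk to check
            _need(data, rptr, rsize, f"raw data of section {i}")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize})
    return {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC, "sections": sections}


def build_sample_pe(lfanew=DOS_HEADER_SIZE):
    """Constructed PE32+ image: DOS header, PE signature, COFF header, a zeroed
    240-byte optional header with only Magic set, one .text section. Passing a
    bogus `lfanew` yields the kind of file a fuzzer hands to a parser."""
    dos = bytearray(DOS_HEADER_SIZE)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, lfanew)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + bytes(238)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    text = b"\xC3" + bytes(15)                       # ret, padded to 16 bytes
    text_off = DOS_HEADER_SIZE + 4 + COFF_SIZE + len(opt) + SECTION_SIZE
    section = struct.pack("<8sIIII", b".text", len(text), 0x1000, len(text), text_off) + bytes(SECTION_SIZE - 24)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + opt + section + text


if __name__ == "__main__":
    print(parse_pe(build_sample_pe()))
    for bad in (build_sample_pe(lfanew=0xFFFFFFF0), build_sample_pe()[:-8]):
        try:
            parse_pe(bad)
        except PEFormatError as e:
            print("rejected:", e)
```

The two rejected inputs in the usage block are the canonical fuzzer finds: an e_lfanew that points past the end of the file, and a section whose PointerToRawData plus SizeOfRawData overruns the file. A loader that maps sections before checking the second one reads out of bounds.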
@j00ru
j00ru//vx
4 years
In July, there is a lot going on for the security of Android image decoding, so I recommend installing this month's update ASAP. This includes a DNG memory corruption in all modern Androids, and further issues in Samsung's Qmage codec. Both rated critical and reachable via MMS.
4
78
230
@j00ru
j00ru//vx
5 years
The BabyKernel Windows exploitation challenge from last week's @DragonSectorCTF is up on GitHub:
0
78
226
@j00ru
j00ru//vx
6 years
Achievement unlocked – found my first compiler vuln. is a 3 kB heap memory disclosure in .PDB symbols generated by Visual Studio. Use updated PDBCopy with the -CVE-2018-1037 flag to check and fix your public symbols. More details to follow soon. :)
2
63
221
@j00ru
j00ru//vx
7 years
I've just updated the Windows syscall tables on my blog with data from Windows 10 build 1703. Quite a few interesting changes and additions.
6
98
213
@j00ru
j00ru//vx
7 years
The syscall tables on my blog were just updated with Windows 10 Fall Creators Update. The velocity of win32k changes is getting out of hand
3
141
211
@j00ru
j00ru//vx
5 years
Just published a follow-up to my Adobe Reader symbols story on the Project Zero blog. Turns out there's even more debug metadata to be found in some old (and new) builds, including private CoolType symbols. Enjoy!
0
77
201
@j00ru
j00ru//vx
8 years
Slides about my Windows Metafile research (Ruxcon, PacSec) and fuzzing (Black Hat EU) are now public, see .
2
168
192
@j00ru
j00ru//vx
3 years
Fixed this month: CVE-2021-26863, a race condition/use-after-free in win32k.sys demonstrating @tiraniddo's excellent Memory Access Trapping technique in Windows (). It was a fun exercise to do some auditing in search of the specific code pattern.
@ProjectZeroBugs
Project Zero Bugs
3 years
Windows Kernel win32k UAF of the PDEVOBJ object via a race condition in NtGdiGetDeviceCapsAll
0
30
86
1
71
191
@j00ru
j00ru//vx
8 years
Windows system call tables updated, refreshed and reworked. Now include Win10 1507/1511/1607, among other changes.
0
172
187
@j00ru
j00ru//vx
4 years
This week's episode: MMS Exploit Part 4: MMS Primer, Completing the ASLR Oracle
0
79
182
@j00ru
j00ru//vx
5 years
Not sure if this is common knowledge, but I recently learned about Windows Server Core and suddenly running Windows in VMs/Bochs for research (instrumentation/fuzzing) became much more convenient. It's a lightweight/stripped down version of regular Windows with (almost) no GUI.
3
46
178
@j00ru
j00ru//vx
7 years
I've just derestricted a new unpatched Windows 7-10 kernel pool pointer leak: . It's an interesting instance of a "double-write" race condition during user/kernel interactions.
3
106
182
@j00ru
j00ru//vx
8 years
New blog post: Windows user-mode exploitation trick – refreshing the main process heap.
3
163
179
@j00ru
j00ru//vx
5 years
This has bitten me twice now, so let me reiterate: if you do fuzzing on Windows with Application Verifier (PageHeap etc.), disable logging first (appverif -logtofile disable), otherwise your target will start for seconds and then minutes due to linear search of a log file name 😬
3
36
175
@j00ru
j00ru//vx
6 years
The write-ups of 12 further x64-specific Windows kernel infoleaks fixed last week are now online: . I'll discuss their discovery in my upcoming @InfiltrateCon talk in April :)
1
97
156
@j00ru
j00ru//vx
5 years
I uploaded my BadType challenge from last weekend's Dragon CTF Teaser on GitHub. It's a medium-difficulty RE task for Windows x64 (worth 400 pts), solved by 9⃣ teams during the competition.
1
36
151
@j00ru
j00ru//vx
8 years
New blog post! Disclosing stack data (stack frames, GS cookies etc.) from the default heap on Windows.
1
145
145
@j00ru
j00ru//vx
5 years
Summary of last Patch Tuesday: • 8 bugs in the Microsoft FontSub.dll library, • 2 bugs in AFDKO when converting documents in Adobe Acrobat, • 10 bugs in PDF rendering in Adobe Reader (mostly fonts and JP2K). Details and PoCs in the tracker:
2
39
144
@j00ru
j00ru//vx
5 years
Protip: using GitHub to search for random symbols from the audited software often pays off. It's surprising what you can find there. For example, when fuzzing the Windows FontSub.dll library, I found that some of the code was open-sourced as part of .NET:
1
29
144
@j00ru
j00ru//vx
5 years
If you wish to start fuzzing JPEG2000 images in PDF, I'd recommend @angealbertini 's mkimage script to embed them, with a few mods: • /JPXDecode filter • Removed /ColorSpace and /BitsPerComponent • Correct width/height, determined e.g. with "identify"
1
42
140
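Turning the three modifications above into a script is mostly about getting /Width and /Height right, since with /JPXDecode the PDF consumer takes colour space and bit depth from the codestream rather than from the image dictionary. The following is an added example written for this page, not @angealbertini's mkimage script or a patch to it. It assumes only the public JPEG 2000 SIZ marker and JP2 ihdr box layouts and the PDF image-XObject syntax; the sample inputs are constructed header-only stubs (not decodable images), and the file name in the usage block is arbitrary.

```python
"""Embed a JPEG 2000 image in a minimal PDF via /JPXDecode.

Added example for this page; it is not @angealbertini's mkimage script or
a modification of it. It assumes only the public JPEG 2000 SIZ marker and
JP2 'ihdr' box layouts and the PDF image-XObject syntax. The sample inputs
are constructed header-only stubs, not decodable images.
"""
import struct

SOC_SIZ = b"\xff\x4f\xff\x51"          # SOC marker followed by SIZ marker
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"


def make_stub_codestream(width, height, ncomp=3):
    """Constructed raw J2K codestream: SOC + SIZ only, 8-bit components."""
    lsiz = 38 + 3 * ncomp
    siz = struct.pack(">HHIIIIIIIIH", lsiz, 0, width, height, 0, 0,
                      width, height, 0, 0, ncomp)
    return SOC_SIZ + siz + bytes([7, 1, 1]) * ncomp


def make_stub_jp2(width, height, ncomp=3):
    """Constructed JP2-wrapped file: signature box + an ihdr box (height first!)."""
    ihdr = struct.pack(">IIHBBBB", height, width, ncomp, 7, 7, 0, 0)
    return JP2_SIGNATURE + struct.pack(">I", 8 + len(ihdr)) + b"ihdr" + ihdr


def jpx_dimensions(data):
    """Width/height from the codestream's SIZ (image size minus origin) or,
    for a JP2 container, from the ihdr box. This is what /Width and /Height
    must match; a mismatch is the first thing a decoder disagrees about."""
    if data.startswith(SOC_SIZ):
        if len(data) < 24:
            raise ValueError("truncated SIZ marker segment")
        _lsiz, _rsiz, xsiz, ysiz, xosiz, yosiz = struct.unpack_from(">HHIIII", data, 4)
        width, height = xsiz - xosiz, ysiz - yosiz
    elif data.startswith(JP2_SIGNATURE):
        i = data.find(b"ihdr")           # simplified box scan, not a full box parser
        if i < 0 or len(data) < i + 12:
            raise ValueError("JP2 file without a usable ihdr box")
        height, width = struct.unpack_from(">II", data, i + 4)
    else:
        raise ValueError("not a JPEG 2000 codestream or JP2 file")
    if width <= 0 or height <= 0:
        raise ValueError(f"bad image size {width}x{height}")
    return width, height


def build_pdf(image):
    """Single-page PDF drawing `image` at 1 unit per pixel. The image XObject
    carries /Filter /JPXDecode and deliberately no /ColorSpace or
    /BitsPerComponent: both come from the codestream itself."""
    width, height = jpx_dimensions(image)
    content = f"q {width} 0 0 {height} 0 0 cm /Im0 Do Q".encode()
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        (f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 {width} {height}] "
         f"/Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >>").encode(),
        (f"<< /Type /XObject /Subtype /Image /Width {width} /Height {height} "
         f"/Filter /JPXDecode /Length {len(image)} >>\nstream\n").encode()
        + image + b"\nendstream",
        f"<< /Length {len(content)} >>\nstream\n".encode() + content + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.5\n")
    offsets = []
    for num, body in enumerate(objects, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_at = len(out)
    out += f"xref\n0 {len(objects) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_at}\n%%EOF\n").encode()
    return bytes(out)


if __name__ == "__main__":
    with open("jpx_sample.pdf", "wb") as f:    # arbitrary output name
        f.write(build_pdf(make_stub_codestream(640, 480)))
```

For fuzzing, feed build_pdf() the mutated codestream rather than mutating the finished PDF: the xref offsets and /Length are recomputed for each case, so the reader gets past PDF syntax checks and spends its time in the JPX decoder.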
@j00ru
j00ru//vx
6 years
As promised last week, the details of the .PDB heap memory disclosure in Visual Studio (CVE-2018-1037) are now available at . Infoleaks are a really special breed of bugs, be it in kernel or user-mode 🐛
2
85
133
@j00ru
j00ru//vx
7 years
If you like kernel security or the Bochspwn project, feel invited to my Bochspwn Reloaded talk at @reconmtl and @BlackHatEvents this summer.
3
49
134
@j00ru
j00ru//vx
5 years
Let's try something new and document a bit of a failure 😅 I briefly fuzzed the Windows t2embed.dll library (handles EOT fonts in e.g. PPTs in PowerPoint) and didn't find any significant bugs. Has it been beaten to death by efforts like ? :)
4
36
133
@j00ru
j00ru//vx
8 years
New blog post: Windows Kernel Local Denial-of-Service #1 : win32k!NtUserThunkedMenuItemInfo (Windows 7-10),
2
108
127
@j00ru
j00ru//vx
5 years
Just derestricted two Microsoft DirectWrite font bugs fixed yesterday, found with the harness I published recently. One shiny mem. disclosure only affected Edge, as Chrome and Firefox were protected by OTS, which doesn't allow EBDT/EBLC tables. Yay for attack surface reduction👏
@ProjectZeroBugs
Project Zero Bugs
5 years
Microsoft DirectWrite out-of-bounds read in sfac_GetSbitBitmap while processing TTF fonts
0
15
33
1
28
123
@j00ru
j00ru//vx
5 years
I'm impressed by the detailed analysis of the sample minimization process, root cause and fix of one of the October Windows kernel PE parsing bugs, performed with REVEN. Great read! 🤓
@tetrane
Tetrane
5 years
Applying Timeless Analysis to the recent CVE-2019-1347: When a mouse over a file is enough to crash your system. Read our analysis and get your hands on the trace on our new demo platform.
1
49
99
1
29
122
@j00ru
j00ru//vx
4 years
GG! I pushed my Windows x64 pwnable binary together with a brief write-up and exploit code on GitHub:
@DragonSectorCTF
Dragon Sector
4 years
The Dragon CTF 2020 is now over! Congratulations to the winners: 🥇 Perfect ⚔️ Guesser (@pb_ctf + @GuesserSuper) 🥈 ALLES! (@allesctf) 🥉 hxp (@hxpctf) Thanks to all participating teams, and to our prize sponsor, @SumoLogic! Full scoreboard:
2
18
72
1
27
123
@j00ru
j00ru//vx
7 years
The 30th Windows kernel infoleak found with Bochspwn was fixed last Tuesday, this time in netio.sys. CVE-2017-8564,
0
80
119
@j00ru
j00ru//vx
8 years
At last, a new post on my blog. Check out a write-up on the discovery and exploitation of FreeType2 CVE-2014-2240 at
0
121
113
@j00ru
j00ru//vx
5 years
Does anyone know an IDA Pro plugin to create .pdb files based on function names and other symbols in the .idb? I've only found but nothing beyond that.
8
23
96
@j00ru
j00ru//vx
4 years
The fuzzing harness referenced in the report has also just been open-sourced at . I hope this makes it easy to reproduce my results and bootstrap further research into Qmage and potentially other proprietary Skia image codecs.
1
32
112
@j00ru
j00ru//vx
7 years
Final post in the series: Windows Kernel Local Denial-of-Service #5 : win32k!NtGdiGetDIBitsInternal (Windows 7-10),
0
86
102
@j00ru
j00ru//vx
8 years
Seems like I made it to both top 3 and 57 on this year's MSRC researcher list at #BHUSA . :)
13
26
94
@j00ru
j00ru//vx
7 years
My bugs fixed by MS in the last Patch Tuesday (Windows Registry, GDI, GDI+, Uniscribe, ICM) are now unrestricted:
1
73
92
@j00ru
j00ru//vx
7 years
Another bug documented: Windows Kernel Local Denial-of-Service #4 : nt!NtAccessCheck and family (Windows 8-10), .
0
101
85
@j00ru
j00ru//vx
9 years
Last week's #44CON slides and details about further Windows kernel font vulnerabilities are out at http://t.co/vQPCnkBgVF.
2
65
79
@j00ru
j00ru//vx
8 years
This week's release: Windows Kernel Local Denial-of-Service #2 : win32k!NtDCompositionBeginFrame (Windows 8-10),
0
77
79
@j00ru
j00ru//vx
7 years
The x86 links are and , with an adequate change in the URL for 64-bit tables.
1
27
76
@j00ru
j00ru//vx
6 years
@AmarSaar Kudos for your #35C3 talk and the pwndb exploit, amazing work! For reference, I've uploaded my winworld exploit too: . I used RtlCaptureContext for the infoleak and a controlled std::string for arbitrary read/write, but the "gets" trick was very clever :)
1
15
77
@j00ru
j00ru//vx
8 years
Wow, looks like a few days ago @gynvael's and my 5-year FFmpeg fuzzing effort hit 1500 fixes:
$ git log | grep j00ru | grep -c Gynvael
1506
5
38
76
@j00ru
j00ru//vx
4 years
The bug report is now public at
@j00ru
j00ru//vx
4 years
For Samsung, there are new vulnerabilities in the custom Qmage codec fixed as SVE-2020-17675 (no CVE yet), which have similar severity to the Qmg bugs exploited in April. Full details in the P0 tracker are restricted until 90 days elapse under our 2020 disclosure policy trial.
1
2
27
0
27
75
@j00ru
j00ru//vx
7 years
Another post in the series: Windows Kernel Local Denial-of-Service #3 : nt!NtDuplicateToken (Windows 7-8),
0
59
73
@j00ru
j00ru//vx
5 years
Issue #1 is now public 🥳 Super happy for the crew and especially @gynvael who has founded and led the project. My contributions are "Windows Syscall Quiz" (ever heard of old IIS syscalls with IDs ≥ 0x2000?) and "Building ROP with floats and OpenType" :)
@gynvael
Gynvael Coldwind
5 years
Paged Out! #1 is out! (and it's free to download!) There are 57 articles in 12 categories: Electronics, Programming, Assembly, Reverse Engineering, Sec/Hack, Retro, File Formats, Algorithmics, SysAdmin, Radio, Phreaking, OS Internals. Enjoy! #PagedOut !
39
974
2K
0
11
73
@j00ru
j00ru//vx
6 years
Last week, Microsoft fixed the last 8 Windows kernel infoleaks found by Bochspwn Reloaded. Between April 2017-now, that's 67 CVEs assigned to disclosure of uninitialized memory. Shortly after @InfiltrateCon , I'll be releasing a whitepaper to wrap up this long-lived project. :)
0
19
66
@j00ru
j00ru//vx
4 years
I will be writing a longer piece on the Project Zero blog in the next month or two, discussing the discovery and especially exploitation of these issues. Until then, enjoy!😀
3
2
66
@j00ru
j00ru//vx
4 years
I have just derestricted issue #2002 in our tracker (), which contains a detailed report on the codec, the fuzzing process, and the crashes I have identified. It also includes a short "FAQ" section with some extra context.
2
19
66
@j00ru
j00ru//vx
5 years
I also took the chance to analyze all kernels starting with Windows NT4, and created a chart showing the progression of the syscall table sizes between 1996-2019 in visual form. Actually seeing the bigger picture of a ~2.5x growth is quite fascinating/scary.
4
33
64
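The 1903 and 20H1 updates above report their changes as deltas (+added, -removed per image), and the chart in this thread is the same data aggregated per kernel; both are a small diff over two name-to-number tables. The following is an added example written for this page, not the tooling behind the syscall-table repository. It assumes a plain `name,id` CSV export, which is an assumption about the format rather than the repository's actual schema, and the rows it diffs are a constructed excerpt with made-up IDs (including two obviously fictional Nt* names), not real table data.

```python
"""Diff Windows syscall tables between builds and track table growth.

Added example for this page; it is not the tooling behind j00ru's
syscall-table repository. It assumes a plain `name,id` CSV export, which is
an assumption about the format, and the rows below are a constructed
excerpt (a handful of ntoskrnl-style names with made-up IDs), not real data.
"""
import csv
import io

# Constructed excerpts: the "old" build and the "new" build.
OLD_BUILD = """\
name,id
NtAccessCheck,0x0
NtWorkerFactoryWorkerReady,0x1
NtAcceptConnectPort,0x2
NtExampleRetiredCall,0x3
NtWaitForSingleObject,0x4
"""
NEW_BUILD = """\
name,id
NtAccessCheck,0x0
NtWorkerFactoryWorkerReady,0x1
NtAcceptConnectPort,0x2
NtWaitForSingleObject,0x3
NtCreateCrossVmEvent,0x4
NtExampleNewCall,0x5
"""


def load_table(text):
    """Parse a `name,id` CSV into {syscall_name: id}; IDs may be hex or decimal."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["name"].strip()
        if name in table:
            raise ValueError(f"duplicate syscall name {name}")
        table[name] = int(row["id"].strip(), 0)
    return table


def diff_tables(old, new):
    """Added/removed names plus entries whose number shifted. Renumbering is
    the part that bites anything hard-coding syscall IDs (shellcode, direct
    syscall stubs, hooks), so it is reported separately."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    renumbered = sorted((n, old[n], new[n]) for n in set(old) & set(new) if old[n] != new[n])
    return {"added": added, "removed": removed, "renumbered": renumbered}


def delta_string(d):
    """Compact +added,-removed form."""
    return f"+{len(d['added'])},-{len(d['removed'])}"


def growth(versions):
    """[(label, table)] -> [(label, size, delta_vs_previous)] for a size chart."""
    out, prev = [], None
    for label, table in versions:
        size = len(table)
        out.append((label, size, 0 if prev is None else size - prev))
        prev = size
    return out


def demo():
    old, new = load_table(OLD_BUILD), load_table(NEW_BUILD)
    d = diff_tables(old, new)
    return d, delta_string(d), growth([("old", old), ("new", new)])


if __name__ == "__main__":
    d, s, g = demo()
    print("delta:", s)
    for name, a, b in d["renumbered"]:
        print(f"renumbered: {name} {a:#x} -> {b:#x}")
    for label, size, delta in g:
        print(f"{label}: {size} syscalls ({delta:+d})")
```

In the constructed data the removal of one entry shifts NtWaitForSingleObject down by one, which is exactly why a syscall number observed on one build must never be reused on another without consulting the table for that build.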
@j00ru
j00ru//vx
7 years
Slides (in Polish) for my kernel memory disclosure talk ("Automatyczne wykrywanie błędów ujawnienia pamięci jądra w systemach Windows i Linux") given at Security #PWNing Conference this week are now up at .
4
35
64
@j00ru
j00ru//vx
8 years
A detailed write-up on the ATMFD.DLL NamedEscape 0x250C pool corruption is now available in the P0 bug tracker: . :)
0
83
63
@j00ru
j00ru//vx
3 years
Congrats to the winners of this year's Dragon CTF, and the 5⃣ teams that solved my small Linux pwnable "Nim" challenge! As usual, I've uploaded my write-up and exploit on GitHub:
@DragonSectorCTF
Dragon Sector
3 years
Dragon CTF 2021 is officially over! Congratulations to the winners: 1. Balsn (@balsnctf) 2. organizers (@0rganizers) 3. More Smoked Leet Chicken (@leetmore) Thank you for playing - GG!
3
13
88
4
13
59
@j00ru
j00ru//vx
9 years
Looking forward to discussing a full Adobe Reader XI + Windows 8.1 exploit chain using a single font vulnerability at the upcoming @reconmtl
6
58
62
@j00ru
j00ru//vx
9 years
@gynvael and I have just published the slides from our "Pwning with style" CTF talk. Check http://t.co/tvMedyb1c0 and http://t.co/vCTwTQgf7k
1
62
60
@j00ru
j00ru//vx
10 years
SECURE 2014 slide deck and Hex-Rays IDA Pro advisories published, see http://t.co/zQZT2VNIZQ
3
56
58
@j00ru
j00ru//vx
7 years
September MS Patch Tuesday roundup: 7 kernel infoleaks via Bochspwn and 2 stray TTF bugs in win32k. Reports open at
2
37
58
@j00ru
j00ru//vx
5 years
Paged Out Issue #1 is coming in the next few days, be sure to check it out!📄💥
@gynvael
Gynvael Coldwind
5 years
All articles for Paged Out! reviewed! Now we just need to finish the PDF-making scripts :) Expect Issue #1 to be out around DEF CON this week*. * Subject to Murphy's law
3
17
102
0
7
57
@j00ru
j00ru//vx
7 years
In related news, I've just derestricted a bunch of NTFS filesystem infoleaks () fixed last Patch Tuesday, along with two other disclosures at #1361, #1362.
@j00ru
j00ru//vx
7 years
The video from my Black Hat USA 2017 talk on Bochspwn Reloaded (kernel memory disclosure detection project) is now on YouTube:
0
86
126
1
34
52
@j00ru
j00ru//vx
6 years
I also took the chance to clean up a bit and move the original Bochspwn (double fetch detector, 2013) repository from "kfetch-toolkit" to . I hope this makes it a bit less confusing and easier to find in the future :)
0
15
52
@j00ru
j00ru//vx
4 years
Fixes for these bugs started rolling out with the May update, and Samsung officially addressed them as SVE-2020-16747 (). For now, we have assigned CVE-2020-8899 collectively to all 5218 unique crashes we reported.
1
10
51
@j00ru
j00ru//vx
10 years
Just posted a few exploits for recent "pwning" CTF tasks on the official @DragonSectorCTF blog, see http://t.co/TFWYuaxNFV.
0
52
50
@j00ru
j00ru//vx
11 years
Windows Race Condition research is out! See "SyScan 2013, Bochspwn paper and slides" at http://t.co/eSQVp7CFf9 and http://t.co/ygicqyl6qB
14
98
51
@j00ru
j00ru//vx
4 years
Really loving this collaboration with font guru @abrax5 , who knows typography inside out, far beyond just the exploitation-specific bits. So much potential for learning from each other 🤓 and finding some cool multi-browser memory corruption bugs in the meantime!
@abrax5
Dominik Röttsches
4 years
With more powerful font formats, it's important to keep browsers and apps safe. @j00ru and I found a #vulnerability in #DirectWrite when processing variable fonts: RCE on visiting a page with a specially crafted font.
1
27
89
1
5
49
@j00ru
j00ru//vx
4 years
A direct link to the exploit is here: And a visualization of the ASLR bypass #3 mentioned in the post is shown in the GIF below (relevant frames 33-57):
0
9
45
@j00ru
j00ru//vx
11 years
My "Windows Kernel Trap Handler and NTVDM Vulnerabilities — Case Study" slide deck from #ZeroNights is up, see http://t.co/nOJ9JvjPfR.
3
68
46
@j00ru
j00ru//vx
11 years
Just updated all System Call and CSR API tables with Windows 2012/8/8.1 data on my blog, see http://t.co/PRxHfJczPG for details.
1
47
42
@j00ru
j00ru//vx
7 years
CVE-2017-0299, a minor Windows kernel infoleak, is finally patched for good. It's a case of a bad fix and working PoC public for 2 months.
2
18
41
@j00ru
j00ru//vx
8 years
Windows exploitation ninjas, there is a pwn500 task I created for the CTF which started ~2 hrs ago. Can you hack it?
0
39
43
@j00ru
j00ru//vx
4 years
On a related note, for those interested in the Qmg format and Android remote zero-click exploitation, I have some good news! The first post in the series is coming out very soon, with plans to publish each one ~weekly until the series is finished. 😀
1
2
43
@j00ru
j00ru//vx
8 years
Had a lot of fun solving this one. :-)
@__awe
Adrien Stoffel
8 years
Exploiting a misused C++ shared pointer on Windows 10 (solution to my Insomni'hack teaser winworld task)
2
138
154
0
14
41
@j00ru
j00ru//vx
7 years
Derestricted bugs from this month's early Microsoft update – four Windows kernel infoleaks and one pool buffer overflow in the infamous ATMFD NamedEscape interface:
0
25
41
@j00ru
j00ru//vx
11 years
New #0days in the wild. "A story of win32k!cCapString, or unicode strings gone bad." http://t.co/VdisDsWTF7
0
72
41