This is the final part #4 of the “One font vulnerability to rule them all” blog post series. In the previous posts, we introduced the “blend” PostScript operator vulnerability and successfully used it to first exploit Adobe Reader, and later escape the sandbox on 32-bit builds of Windows 8.1 by repeating the attack against the kernel with a modified ROP chain and payload.
Saturday August 22nd
Friday August 21st
Since there haven't been any major public announcements regarding PS4 hacking for a long time now, I wanted to explain a bit about how far PS4 hacking has come, and what is preventing further progression. I will explain some security concepts that generally apply to all modern systems, and the discoveries that I have made from running ROP tests on my PS4. If you are not particularly familiar with exploitation, you should read my article about exploiting DS games through stack smash vulnerabilities in save files first. You may download my complete setup here to run these tests yourself; it is currently for firmware 1.76 only.
Monday August 17th
Sunday August 16th
Tuesday August 11th
In this blog post, we'll cover the complete process of exploiting the TrustZone vulnerability described in the previous post. If you haven't read it already, please do! ... Patient Zero While developing this exploit, I only had my trusty (personal) Nexus 5 device to work with. This means that all memory addresses and other specific information written below is taken from that device. In case anyone wants to recreate the exact research described below, or for any other reason, the exact version of my device at the time was: > google/hammerhead/hammerhead:4.4.4/KTU84P/1227136:user/release-keys With that out of the way, let's get right to it!
### What is angr? angr is a framework for analyzing binaries. It focuses on both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks. ### What's it made of? angr is made up of several subprojects, all of which are open-source! * an executable and library loader, CLE * a library describing various architectures, archinfo * a Python wrapper around the binary code lifter VEX, PyVEX * a VEX simulation engine, SimuVEX * a data backend to abstract away differences between static and symbolic domains, Claripy * the full-program analysis suite itself, angr
The Angler Exploit Kit (EK) recently added support for an Internet Explorer (IE) vulnerability (CVE-2015-2419) that was patched in July 2015. Quickly exploiting recently patched vulnerabilities is standard for Angler EK authors, but the target has been Adobe Flash Player since the second half of 2014. The exploitation of CVE-2015-2419 marks the second departure from Flash exploits for Angler (the first being the inclusion of CVE-2015-1671 in Silverlight). This may be the result of Adobe’s recent exploit mitigations in Flash Player that prevent attackers from using Vector (and similar) objects to develop their control over corrupted Flash processes. To date, Angler will deliver Flash, IE, and/or Silverlight exploits depending upon the target’s environment.
In this article, I’m going to present a way to perform Keystroke Injection attacks from a plain Android device. A keyboard is the main way of communicating between the user and the computer. Because of this special connection, computers always trust keyboards. Keystroke Injection takes advantage of this inherent trust. In short, whenever you connect a device claiming to be a keyboard, a computer will automatically recognize it and accept, without a doubt. How can a device claim to be a keyboard? Simple, using a universal specification called HID (Human Interface Device). It just has to enumerate itself as a Keyboard HID, and that’s it.
Saturday August 8th
I’ve talked about domain trusts more than many people probably care about. A few weeks ago I posted “Domain Trusts: We’re Not Done Yet” – apparently there’s even more! I’ve said before that trusts will not let you magically exploit a domain. I now need to add one caveat to that statement concerning Golden Tickets and external sids, as some recent work in this area from Sean Metcalf and Benjamin Delpy will likely change the way we operate. Sean presented on this during his “Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection” Blackhat presentation, and has a post up on his site on this topic as well.
Friday August 7th
The Rudimentary Treatise on the Construction of Locks was penned by locksmith Alfred C. Hobbes, shedding light on early lock construction. He acknowledged the rising debate over discussing the security/insecurity of locks, arguing for disclosure in the name of innovation: > In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. This would earmark the beginnings of the debate on revealing the insecurities of security solutions for the sake of improving security.
THE COMMON WISDOM when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t. It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of MACs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.