Posts

  • You can't contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows

    Docker for Windows

    I have been continuing my journey of searching for windows breakout vulnerabilities in popular applications and one that I discovered in March I found interesting enough to share. Whilst kernel vulnerabilities are fun to discover, there are many core windows and third party applications that are fundamentally broken in regards to logic and makes for a lucrative means to gain a SYSTEM shell without having to bypass the several memory mitigations that stand in the way.

    Read more...
  • Foxes Among Us :: Foxit Reader Vulnerability Discovery and Exploitation

    Foxit Reader

    After discovering over 100 vulnerabilities in Foxit Reader, I figured it was about time I shared a full exploit chain that defeats ASLR and DEP. The first vulnerability is an uninitialized buffer that I found independently and was later killed by bit from meepwn. I leveraged this for an information leak to defeat ASLR. The second vulnerability is a use-after-free that I found, killed and leveraged for remote code execution.

    Read more...
  • Adobe, Me and an Arbitrary Free :: Analyzing the CVE-2018-4990 Zero-Day Exploit

    Acrobat Reader

    Update! I originally titled this blog post ‘Adobe, Me and a Double Free’, however as a good friend of mine Ke Liu of Tencent’s Xuanwu LAB pointed out, this vulnerability is actually an out-of-bounds read that leads to two arbitrary free conditions. Therefore I have updated my analysis of the root cause as well as the exploitation.

    I managed to get my hands on a sample of CVE-2018-4990. This was a zero-day exploit affecting Acrobat Reader that was recently patched by Adobe in apsb18-09. Anton Cherepanov at ESET wrote a marketing blog post on it (A tale of two zero-days) which was a decent, pretty poor analysis and it was missing some important things for me, such as how was the bug actually exploited?

    Read more...
  • Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool

    Windows 7

    In the past I have spent a lot of time researching web related vulnerabilities and exploitation and whilst I'm relatively versed in usermode exploitation, I needed to get up to speed on windows kernel exploitation. To many times I have tested targets that have kernel device drivers that I have not targeted due to the sheer lack of knowledge. Gaining low privileged code execution is fun, but gaining ring 0 is better!

    Read more...
  • From Serialized to Shell :: Exploiting Google Web Toolkit with EL Injection

    Google Web Toolkit

    This is a follow up blog post to my on auditing Google Web Toolkit (GWT). Today we are going to focus on a specific vulnerability that I found in a GWT endpoint that Matthias Kaiser helped me exploit. Please note that the code has been changed to protect the not so innocent whilst they patch.

    Read more...
  • From Serialized to Shell :: Auditing Google Web Toolkit

    Google Web Toolkit

    Recently I have been looking for vulnerabilities in a target that has some API’s developed with the Google Web Toolkit framework. This is the second time I’ve come up against a target using this technology so I figured it was about time I took some notes.

    Its sufficient to say, that I have finally upheld my word. This blog post is more of a reference to my future self, but if some people get something out of it, then more power to them!

    Read more...
  • Word Up! Microsoft Word OneTableDocumentStream Underflow

    Microsoft Office WordToday, Microsoft released the MS16–148 to patch CVE-2016-7290, which addresses an integer underflow issue that I found. The underflow later triggers an out-of-bounds read during a copy operation which could result in a stack based buffer overflow outside of the protected mode winword.exe process when a processing specially crafted binary document file.

    Read more...
  • The Implied Security of memmove()

    tl;dr; Calls to memmove(); that use a source buffer that is smaller than the destination buffer can be at times exploitable if the size value is bit aligned, is mapped in memory and that the original source buffer is also mapped in memory.

    Read more...
  • Once Upon a Type Confusion

    Microsoft Office Excel Last week, Microsoft released the MS16–107 to patch CVE-2016-3363, which is a Type Confusion vulnerability within Microsoft Excel 2007, 2010, 2013 and 2016 both 32 and 64 bit versions. This post will show you how I determined the vulnerability class and some lightweight technical details around the vulnerability.

    Read more...