The Mediatek wlan driver on Android has several files exposed under the `/proc` virtual filesystem.Some of these read handles do not check the caller-provided buffer size before copying data out into the user buffer...
The primitive in play here is a handle duplication attack, and basically the LogMeIn device driver has an IOCTL that will temporarily duplicate a handle specified by the caller (attacker). Along with allowing users to open the device with `PROCESS_DUP_HANDLE` one can open the device and then try to duplicate the newly created handle before it gets closed to continue to hold a reference to a privileged handle and use that for an elevation of privilege.
The vulnerability in the `__io_uaddr_map()` function of the Linux kernel involves the incorrect handling of multi-page regions imported from userspace.This function is intended to map a physically contiguous region of memory from userspace into the kernel's linear mapping area...
An object type confusion was discovered in the Microsoft Kernel Streaming Server (`mskssrv.sys`), which is used for virtualizing camera devices and allowing multiple applications to access camera streams.The driver uses two main object types for allowing userspace to acquire a context and send/receive data, a `context` and a `stream`...
Writeup for exploiting an io_uring bug submitted to kCTF (before io_uring was disabled in kCTF).The vulnerability itself was extremely straightforward and was in the handling for `IORING_OP_MSG_RING` command for signaling another ring...
This was a fun authorization check bypass because when checking if higher privileges were needed the `flag` value was checked for equality with the two privileged actions.Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set...
Yet another case of bad syncronization or just performing operations in the wrong order.IIn this case `ene_remove` called when removing the device, will remove its internal allocations and everything before it actually unregisters the device...
The last time we covered a "how to exploit a null-deref in the modern era" post we were...disappointed (and potentially attacked by North Korea but that's another story), this one is legit. Rather than focusing on the null-deref as the core memory corruption though, it abuses the handling of the null-dereference with a kernel oops and the side-effects of the oops to overflow a reference count.
Kinda of a cool race condition and sort of differential attack deep inside XNU's virtual memory system that allows for bypassing "copy on write" and writing to the underlying page without making a copy.
Excellent post covering three vulnerabilities in Huawei's Secure Monitor used to proxy/transition requests from the "normal world" usually from the hypervisor or kernel into the secure world.
A post on exploiting a bug that Jann Horn discovered in the linux kernel's memory management (MM) subsystem.The bug isn't detailed in this post and is fairly complex (there is a project zero bug report but it's difficult to understand without deep knowledge of MM internals), though they state it will be written up in a future blogpost...
At its core, a simple, yet odd Linux kernel issue, `__io_req_init_async` assumes that the new request (`req`) being submitted was submitted by its own worker, so it sets the `req->work.identity` to `current->io_uring`.