https://pwning.systems/ Recent content on pwning.systems Hugo -- gohugo.io en-us Mon, 31 Oct 2022 19:30:12 +0200 https://pwning.systems/posts/easy-apple-kernel-bug/ Mon, 31 Oct 2022 19:30:12 +0200 https://pwning.systems/posts/easy-apple-kernel-bug/ Earlier this year, I discovered a flaw in XNU, which is the kernel that Apple uses on both macOS and iOS. While it’s not a particularly complicated flaw, I wanted to explain how I discovered it and how it works, both so that I can motivate others and so that they can learn from my discovery. Within the memdev.c file (the ramdisk device driver), I found the source of the vulnerability, which was a write/read operation that exceeded the allowed range. https://pwning.systems/posts/php_filter_var_shenanigans/ Sat, 26 Mar 2022 09:05:53 +0100 https://pwning.systems/posts/php_filter_var_shenanigans/ It is likely that we have all seen PHP filters that prevent us from encountering vulnerabilities. Here in this blog post, I’ll walk you through my thought process for bypassing a filter by looking for a bug in the filter itself in order to reach a bug! Let’s pretend we have the following code, which passes some user-input to filter_var() and uses the FILTER_VALIDATE_DOMAIN or FILTER FLAG HOSTNAME flag. This adds the functionality to validate hostnames on a per-host rationale (this means that they must begin with an alphanumeric character and must contain only alphanumerics or hyphens throughout their entire length). https://pwning.systems/posts/escaping-containers-for-fun/ Sun, 06 Mar 2022 10:42:53 +0100 https://pwning.systems/posts/escaping-containers-for-fun/ Despite the fact that it is not a ‘real’ vulnerability, escaping privileged Docker containers is nevertheless pretty funny. And because there will always be people who will come up with reasons or excuses to run a privileged container (even though you really shouldn’t), this could really be handy at some point in the future. As a result of the recent discovery of the cgroup_release_agent escape trick (CVE-2022-0492), I went on a search for calls to the call_usermodehelper_* family and attempted to determine which ones may be easily accessed within a container environment. https://pwning.systems/posts/sequoia-variant-analysis/ Tue, 03 Aug 2021 18:25:12 +0200 https://pwning.systems/posts/sequoia-variant-analysis/ I imagine we’ve all heard about the recent “Sequoia” bug discovered by the Qualys Research team, identified by CVE-2021-33909. It’s a fascinating bug caused by a size_t to int conversion. According to the analysis, seq_dentry attempts to convert a size_t to an int by sending size_t size to the dentry_path function, which expects a signed integer. Assuming the architecture is 32 bits, size_t’s value can be 0 to 4294967296 since it is unsigned, but int can only hold from -2147483648 to 2147483648 because it is signed (this means that it can have negative values also). https://pwning.systems/posts/apple-kernel-vulnerability/ Tue, 20 Jul 2021 19:30:12 +0200 https://pwning.systems/posts/apple-kernel-vulnerability/ Mistreatment by Apple Security is unfortunately something you’re likely to come across on a regular basis. Usually this concerns people that conduct free work for Apple in their spare time by auditing their assets. Despite Apple’s website claiming the opposite, you’ll frequently find things like quiet patching, no credit, no bounties, and an appalling lack of communication. This is unwise on Apple’s part because it frustrates people who find these bugs and disincentivizes them from sharing them with Apple. https://pwning.systems/posts/setting-up-a-kernel-debugging-environment/ Wed, 31 Mar 2021 18:06:16 +0200 https://pwning.systems/posts/setting-up-a-kernel-debugging-environment/ Following up on my first blog post, I’ve received a few requests to write about setting up a debugging environment; however, since everybody uses different emulators and so on, I’ll mainly focus on which config options are useful! You must first obtain the kernel sources for your preferred version before you can set up a kernel suitable for debugging. We’ll have to decompress it after that. # use your preferred version $ wget https://git. https://pwning.systems/links/ Wed, 10 Mar 2021 17:55:42 +0100 https://pwning.systems/links/ Here are some links to a few of my favorite websites. Darkscience - Nice IRC network SmashTheStack - Nice wargames and community! OverTheWire - Another set of great wargames Dustri.org - Cool person that writes great blogposts :) https://pwning.systems/posts/an-introduction-to-kernel-exploitation-part1/ Mon, 08 Mar 2021 18:42:53 +0100 https://pwning.systems/posts/an-introduction-to-kernel-exploitation-part1/ I’m writing this post because I often hear that kernel exploitation is intimidating or difficult to learn. As a result, I’ve decided to start a series of basic bugs and exercises to get you started! Prerequisites Knowledge of the Linux command line Knowing how to read and write basic C may be beneficial Being able to debug with the help of a virtual computer or another system Able to install the kernel module compilation build requirements A basic understanding of the difference between userland and kernelland could be helpful Having a basic understanding of assembly can be beneficial for future episodes For this part, I wrote a simple Linux character device, /dev/shell. https://pwning.systems/bugs/ Thu, 04 Mar 2021 18:43:47 +0100 https://pwning.systems/bugs/ The following are some of the bugs I discovered: 2025 CVE-2025-32313: In UsageEvents of UsageEvents.java, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 2024 CVE-2024-56626: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write An offset from client could be a negative value, It could allows to write data outside the bounds of the allocated buffer. https://pwning.systems/about/ Thu, 04 Mar 2021 18:35:06 +0100 https://pwning.systems/about/ Hello and welcome to my blog! I’m Jordy Zomer and this is my personal space to share my thoughts, research, and write-ups (assuming I don’t have any memory leaks). Expect to see posts covering: Static Analysis Fuzzing Reverse Engineering Binary Exploitation Vulnerability Research (mainly OSS-focused) Feel free to connect with me over on Twitter/X, or drop me an email at jordy [a-t] pwning.systems :) Cheers!