kSMBd: a quick overview
In this blogpost, we introduce the analysis of one SMB implementation: kSMBd. It will be followed up by a talk at OffensiveCon 2023 named “Abusing Linux in-kernel SMB server to gain kernel remote code execution”.
tag: Vulnerability Research
The Fuzzing Guide to the Galaxy: An Attempt with Android System Services
Although the Android base is open source, many different constructors customize it with their own UIs and APIs. All these additions represent an extra attack surface that can change from one phone model to another. We tried to automatically fuzz the closed-source system services powering these modifications, discovering
CVE-2022-39907 and CVE-2022-39908 along the way.ARM TrustZone: pivoting to the secure world
- Discovery of two vulnerabilities in secure world components
- Exploitation to get code execution in a trusted driver, while not having a debugger for this obscure environment
- Leverage of aarch32 T32 instruction set to find nice stack pivots
- Turning an arbitrary write into an arbitrary code execution
Fuzzing RDPEGFX with "what the fuzz"
Microsoft’s Remote Desktop Protocol (RDP) client was fuzzed by various teams in the past few years, it thus seemed like a good target to try a recent snapshot fuzzer: what the fuzz (wtf) (of which we are only users). In this companion post to our Hexacon 2022 talk (slides, video) we’ll show how we took advantage of wtf flexibility in order to efficiently fuzz the RDPEGFX channel of Microsoft RDP client and uncover CVE-2022-30221.
Remote Deserialization Bug in Microsoft's RDP Client through Smart Card Extension (CVE-2021-38666)
This is the third installment in my three-part series of articles on fuzzing Microsoft’s RDP client, where I explain a bug I found by fuzzing the smart card extension.
Remote ASLR Leak in Microsoft's RDP Client through Printer Cache Registry (CVE-2021-38665)
This is the second installment in my three-part series of articles on fuzzing Microsoft’s RDP client. I will explain a bug I found by fuzzing the printer sub-protocol, and how I exploited it.
Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology
This article begins my three-part series on fuzzing Microsoft’s RDP client. In this first installment, I set up a methodology for fuzzing Virtual Channels using WinAFL and share some of my findings.