tag: Vulnerability Research
Leveraging Android Permissions: A Solver Approach
The Android permission management system has already suffered from several vulnerabilities in the past. Such weaknesses can grant dangerous permissions to a malevolent application, an example being CALL_LOG
, which gives access to all incoming and outgoing calls.
This post dives into the Android permission system and how a solver was leveraged to find new vulnerabilities. With this approach, a privilege escalation was identified, which was fixed and assigned CVE-2023-20947 by Google.
kSMBd: a quick overview
The Fuzzing Guide to the Galaxy: An Attempt with Android System Services
CVE-2022-39907
and CVE-2022-39908
along the way.ARM TrustZone: pivoting to the secure world
- Discovery of two vulnerabilities in secure world components
- Exploitation to get code execution in a trusted driver, while not having a debugger for this obscure environment
- Leverage of aarch32 T32 instruction set to find nice stack pivots
- Turning an arbitrary write into an arbitrary code execution
Fuzzing RDPEGFX with "what the fuzz"
Remote Deserialization Bug in Microsoft's RDP Client through Smart Card Extension (CVE-2021-38666)
This is the third installment in my three-part series of articles on fuzzing Microsoft’s RDP client, where I explain a bug I found by fuzzing the smart card extension.
Remote ASLR Leak in Microsoft's RDP Client through Printer Cache Registry (CVE-2021-38665)
This is the second installment in my three-part series of articles on fuzzing Microsoft’s RDP client. I will explain a bug I found by fuzzing the printer sub-protocol, and how I exploited it.
Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology
This article begins my three-part series on fuzzing Microsoft’s RDP client. In this first installment, I set up a methodology for fuzzing Virtual Channels using WinAFL and share some of my findings.