Analysis of an Out-of-Bounds WebKit JIT bug in the Safari Browser (CVE-2017-2547)

Browsers have been one of the most effective attack vectors from an offensive point of view. In most cases, a browser serves as a good entry point to a chain of exploits that leads to full system compromise, since a single click is all it takes.

This blog post will focus on the basics of JIT bugs and why they are critical, using CVE-2017-2547, a winning Pwn2Own Safari bug, as a case study. This specific bug is very interesting since it can be used both to achieve an info-leak and to act as a write primitive.


The Vupen Entry Test (Part 1)

Some time back, while looking for challenges to do, I came across an article describing how big security companies give people challenges to test their skills. As a result, I tried to find some of these challenges. I eventually bumped into an entry test that belongs to Vupen (whose founder went on to launch Zerodium). This seemed really interesting.

In this post we will focus on reversing, bug hunting and triggering the bug we find. There will be a follow-up (Part 2) that focuses on the exploitation part.

Let the detective work begin 🕵️ .


Android Hooking

I recently found myself in a situation where I had to analyze another process in order to understand what was really happening. To achieve this, I had to monitor the target process in one way or another. In the process I had to implement a simple hook just to do evil stuff 😈 .

For the purposes of demonstration and for the blog, I will simply look at how you can hook into another process and change its flow of execution. In this case we will simply have a sleep program as the target and a hooking program that alters the sleeping behaviour of the sleep program.

Let’s get our hands dirty 😎 .


SIOCSIFORDER count memory corruption bug

This post is about a bug I found in the XNU kernel affecting the SIOCSIFORDER ioctl. The bug affected both OS X and iOS; on iOS it affects iOS 10.3 and below, so it has obviously been fixed in the latest version of iOS.
The bug ID referencing the bug was 663014551; however, upon reporting it I was told it was a duplicate, so I guess it was a rediscovery 😒 .

Anyway, since it was my first bug report to Apple, I thought it was worth a blog post.

Let's begin 😃 .
