TheNote
Project Zero Note
GooglePlay AppStore

Thread Of Notes

A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens

We recently published an exploit chain for the Google Pixel 9 that demonstrated it was possible to go from a zero-click context to root on Android in just two exploits. The Dolby 0-click vulnerability existed across all of Android, until it was patched in January 2026. While we had an exploit chain for the Pixel 9, we wanted to see if it was possible to write a similar exploit chain for Pixel 10. Updating the Dolby Exploit Altering our exploit for CVE-2025-54957 was fairly straightforward. The majority of needed changes involved updating offsets calculated for the specific version of the library we targeted on the Pixel 9 to similar offsets in the library for Pixel 10. The only challenge (outside of wishing we’d better documented which syncframes contained offsets) was that the Pixel 10 uses RET PAC in the place of -fstack-protector, which meant that __stack_chk_fail wasn’t available to be overwritten by code. After a bit of trial and error, we used dap_cpdp_init, initialization code that can be overwritten without causing functional problems, as it is called once when the decoder is initialized and never again.
https://projectzero.google/2026/05/pixel-10-exploit.html projectzero.google
RSS Hunter RSS Hunter May 13

On the Effectiveness of Mutational Grammar Fuzzing

Mutational grammar fuzzing is a fuzzing technique in which the fuzzer uses a predefined grammar that describes the structure of the samples. When a sample gets mutated, the mutations happen in such a way that any resulting samples still adhere to the grammar rules, thus the structure of the samples gets maintained by the mutation process. In case of coverage-guided grammar fuzzing, if the resulting sample (after the mutation) triggers previously unseen code coverage, this sample is saved to the sample corpus and used as a basis for future mutations. This technique has proven capable of finding complex issues and I have used it successfully in the past, including to find issues in XSLT implementations in web browsers and even JIT engine bugs. However, despite the approach being effective, it is not without its flaws which, for a casual fuzzer user, might not be obvious. In this blogpost I will introduce what I perceive to be the flaws of the mutational coverage-guided grammar fuzzing approach. I will also describe a very simple but effective technique I use in my fuzzing runs to counter these flaws.
https://projectzero.google/2026/03/mutational-grammar-fuzzing.html projectzero.google
RSS Hunter RSS Hunter Mar 5

Bypassing Administrator Protection by Abusing UI Access

In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn’t exist. I described one of the ways I was able to bypass the feature before it was released. In total I found 9 bypasses during my research that have now all been fixed. In this blog post I wanted to describe the root cause of 5 of those 9 issues, specifically the implementation of UI Access, how this has been a long standing problem with UAC that’s been under-appreciated, and how it’s being fixed now. A Question of Accessibility Prior to Windows Vista any process running on a user’s desktop could control any window created by another, such as by sending window messages. This behavior could be abused if a privileged user, such as SYSTEM, displayed a user interface on the desktop. A limited user could control the UI and potentially elevate privileges. This was referred to as a Shatter Attack, and was usually fixed by removing user interface components from privileged code.
https://projectzero.google/2026/02/windows-administrator-protection.html projectzero.google
RSS Hunter RSS Hunter Feb 12

Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529

In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability (CVE-2024-54529) and a double-free vulnerability (CVE-2025-31235) in the coreaudiod system daemon through a process I call knowledge-driven fuzzing. While the first post focused on the process of finding the vulnerabilities, this post dives into the intricate process of exploiting the type confusion vulnerability. I’ll explain the technical details of turning a potentially exploitable crash into a working exploit: a journey filled with dead ends, creative problem solving, and ultimately, success. The Vulnerability: A Quick Recap If you haven’t already, I highly recommend reading my detailed writeup on this vulnerability before proceeding. As a refresher, CVE-2024-54529 is a type confusion vulnerability within the com.apple.audio.audiohald Mach service in the CoreAudio framework used by the coreaudiod process. Several Mach message handlers, such as _XIOContext_Fetch_Workgroup_Port, would fetch a HALS_Object from the Object Map based on an ID from the Mach message, and then perform operations on it, assuming it was of a specific type (ioct) without proper validation.
https://projectzero.google/2026/01/sound-barrier-2.html projectzero.google
RSS Hunter RSS Hunter Jan 30

Bypassing Windows Administrator Protection

A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and importantly, securable system to allow a local user to access administrator privileges only when necessary. This blog post will give a brief overview of the new feature, how it works and how it’s different from UAC. I’ll then describe some of the security research I undertook while it was in the insider preview builds on Windows 11. Finally I’ll detail one of the nine separate vulnerabilities that I found to bypass the feature to silently gain full administrator privileges. All the issues that I reported to Microsoft have been fixed, either prior to the feature being officially released (in optional update KB5067036) or as subsequent security bulletins. Note: As of 1st December 2025 the Administrator Protection feature has been disabled by Microsoft while an application compatibility issue is dealt with. The issue is unlikely to be related to anything described in this blog post so the analysis doesn’t change.
https://projectzero.google/2026/26/windows-administrator-protection.html projectzero.google
RSS Hunter RSS Hunter Jan 26

A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?

While our previous two blog posts provided technical recommendations for increasing the effort required by attackers to develop 0-click exploit chains, our experience finding, reporting and exploiting these vulnerabilities highlighted some broader issues in the Android ecosystem. This post describes the problems we encountered and recommendations for improvement. Audio Attack Surface The Dolby UDC is part of the 0-click attack surface of most Android devices because of audio transcription in the Google Messages application. Incoming audio messages are transcribed before a user interacts with the message. On Pixel 9, a second process com.google.android.tts also decodes incoming audio. Its purpose is not completely clear, but it seems to be related to making incoming messages searchable.
https://projectzero.google/2026/01/pixel-0-click-part-3.html projectzero.google
RSS Hunter RSS Hunter Jan 14

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave

With the advent of a potential Dolby Unified Decoder RCE exploit, it seemed prudent to see what kind of Linux kernel drivers might be accessible from the resulting userland context, the mediacodec context. As per the AOSP documentation, the mediacodec SELinux context is intended to be a constrained (a.k.a sandboxed) context where non-secure software decoders are utilized. Nevertheless, using my DriverCartographer tool, I discovered an interesting device driver, /dev/bigwave that was accessible from the mediacodec SELinux context. BigWave is hardware present on the Pixel SOC that accelerates AV1 decoding tasks, which explains why it is accessible from the mediacodec context. As previous research has copiously affirmed, Android drivers for hardware devices are prime places to find powerful local privilege escalation bugs. The BigWave driver was no exception - across a couple hours of auditing the code, I discovered three separate bugs, including one that was powerful enough to escape the mediacodec sandbox and get kernel arbitrary read/write on the Pixel 9.
https://projectzero.google/2026/01/pixel-0-click-part-2.html projectzero.google
RSS Hunter RSS Hunter Jan 14

A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby

Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones. I’ve spent a fair bit of time investigating these decoders, first reporting CVE-2025-49415 in the Monkey’s Audio codec on Samsung devices. Based on this research, the team reviewed the Dolby Unified Decoder, and Ivan Fratric and I reported CVE-2025-54957. This vulnerability is likely in the 0-click attack surface of most Android devices in use today. In parallel, Seth Jenkins investigated a driver accessible from the sandbox the decoder runs in on a Pixel 9, and reported CVE-2025-36934.
https://projectzero.google/2026/01/pixel-0-click-part-1.html projectzero.google
RSS Hunter RSS Hunter Jan 14

Welcome to the new Project Zero Blog

While on Project Zero, we aim for our research to be leading-edge, our blog design was … not so much. We welcome readers to our shiny new blog! For the occasion, we asked members of Project Zero to dust off old blog posts that never quite saw the light of day. And while we wish we could say the techniques they cover are no longer relevant, there is still a lot of work that needs to be done to protect users against zero days. Our new blog will continue to shine a light on the capabilities of attackers and the many opportunities that exist to protect against them. From 2016: Windows Exploitation Techniques: Race conditions with path lookups by James Forshaw From 2017: Thinking Outside The Box by Jann Horn
https://projectzero.google/2025/12/welcome.html projectzero.google
RSS Hunter RSS Hunter Dec 16, 2025

Thinking Outside The Box [dusted off draft from 2017]

Preface Hello from the future! This is a blogpost I originally drafted in early 2017. I wrote what I intended to be the first half of this post (about escaping from the VM to the VirtualBox host userspace process with CVE-2017-3558), but I never got around to writing the second half (going from the VirtualBox host userspace process to the host kernel), and eventually sorta forgot about this old post draft… But it seems a bit sad to just leave this old draft rotting around forever, so I decided to put it in our blogpost queue now, 8 years after I originally drafted it. I’ve very lightly edited it now (added some links, fixed some grammar), but it’s still almost as I drafted it back then. When you read this post, keep in mind that unless otherwise noted, it is describing the situation as of 2017. Though a lot of the described code seems to not have changed much since then…
https://projectzero.google/2025/12/thinking-outside-the-box.html projectzero.google
RSS Hunter RSS Hunter Dec 16, 2025

Windows Exploitation Techniques: Winning Race Conditions with Path Lookups

This post was originally written in 2016 for the Project Zero blog. However, in the end it was published separately in the journal PoC||GTFO issue #13 as well as in the second volume of the printed version. In honor of our new blog we’re republishing it on this blog and included an updated analysis to see if it still works on a modern Windows 11 system. During my Windows research I tend to find quite a few race condition vulnerabilities. A fairly typical exploitable form look something like this: Do some security check Access some resource Perform secure action
https://projectzero.google/2025/12/windows-exploitation-techniques.html projectzero.google
RSS Hunter RSS Hunter Dec 16, 2025

A look at an Android ITW DNG exploit

Google's Threat Intelligence Group investigated image files uploaded to VirusTotal, linked to WhatsApp. These files, appearing as JPEGs, were actually DNG files exploiting a vulnerability in Samsung's Quram image parsing library. The targeted process was com.samsung.ipservice, a Samsung service for AI-powered features that parses images in the MediaStore. WhatsApp's handling of images meant the exploit could be triggered by opening a received image, making it a potential "1-click" exploit. Analysis revealed the DNG files contained suspicious "opcode lists" with numerous opcodes, deviating from expected DNG standards. The Quram library, a third-party product, handles image format decoding, and the vulnerability lies within Java_com_quramsoft_images_QuramDngBitmap_DecodeDNGImageBufferJNI. The exploit utilized malformed DNG files to trigger memory corruption within this specific native function. The exploit's goal was to execute code within the com.samsung.ipservice process. The exploit targets the scudo allocator.
https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-exploit.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Dec 12, 2025

A look at an Android ITW DNG exploit

Introduction Between July 2024 and February 2025, 6 suspicious image files were uploaded to VirusTotal. Thanks to a lead from Meta, these samples came to the attention of Google Threat Intelligence Group. Investigation of these images showed that these images were DNG files targeting the Quram library, an image parsing library specific to Samsung devices. On November 7, 2025 Unit 42 released a blogpost describing how these exploits were used and the spyware they dropped. In this blogpost, we would like to focus on the technical details about how the exploits worked. The exploited Samsung vulnerability was fixed in April 2025. There has been excellent prior work describing image-based exploits targeting iOS, such as Project Zero’s writeup on FORCEDENTRY. Similar in-the-wild “one-shot” image-based exploits targeting Android have received less public documentation, but we would definitely not argue it is because of their lack of existence. Therefore we believe it is an interesting case study to publicly document the technical details of such an exploit on Android.
https://projectzero.google/2025/12/android-itw-dng.html projectzero.google
RSS Hunter RSS Hunter Dec 12, 2025

Defeating KASLR by Doing Nothing at All

Seth Jenkins discovered an arbitrary write primitive in Pixel kernel exploitation but lacked a KASLR leak. He researched the Linux kernel's linear mapping, which directly maps physical memory to a virtual address region. On Android ARM64, this linear mapping has a fixed virtual address due to memory hot-plugging requirements and limited virtual address bits. Consequently, the phys_to_virt calculation becomes static, with PHYS_OFFSET consistently being 0x80000000.Further compounding this, Pixel phones decompress the kernel at a static physical address, 0x80010000, on every boot. This allows for the static calculation of kernel virtual addresses for any kernel data entry. For instance, the modprobe_path string can be reliably accessed at 0xffffff8001ff2398. In practice, a static kernel base of 0xffffff8000010000 can be used on Pixels to derive kernel symbol virtual addresses, bypassing the need for a KASLR leak for arbitrary read-write primitives.The linear mapping also allows kernel data regions to be mapped read-write, though text regions remain non-executable. Even on devices with randomized physical kernel load addresses, the non-randomized linear mapping aids exploitation by allowing attackers to target predictable physical memory locations. Memory spraying techniques can place data at known kernel virtual addresses, simplifying the forging of kernel data structures.Both the lack of linear map randomization and the static kernel physical address on Pixels are considered intended behavior by the Linux kernel team and Google. While KASLR remains valuable against remote attacks, its effectiveness against local attackers is diminished. Preserving KASLR integrity through engineering efforts is crucial for overall security. Future improvements could include randomizing the linear map, increasing physical page allocation entropy, and randomizing kernel physical addresses.
https://googleprojectzero.blogspot.com/2025/11/defeating-kaslr-by-doing-nothing-at-all.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Nov 3, 2025

Defeating KASLR by Doing Nothing at All

Introduction I’ve recently been researching Pixel kernel exploitation and as part of this research I found myself with an excellent arbitrary write primitive…but without a KASLR leak. As necessity is the mother of all invention, on a hunch, I started researching the Linux kernel linear mapping. The Linux Linear Mapping The linear mapping is a region in the kernel virtual address space that is a direct 1:1 unstructured representation of physical memory. Working with Jann, I learned how the kernel decided where to place this region in the virtual address space. To make it possible to analyze kernel internals on a rooted phone, Jann wrote a tool to call tracing BPF’s privileged BPF_FUNC_probe_read_kernel helper, which by design permits arbitrary kernel reads. The code for this is available here. The linear mapping virtual address for a given physical address is calculated by the following macro:
https://projectzero.google/2025/11/defeating-kaslr-by-doing-nothing-at-all.html projectzero.google
RSS Hunter RSS Hunter Nov 3, 2025

Pointer leaks through pointer-keyed data structures

Google Project Zero discussed the necessity of remote ASLR leaks for exploiting memory corruption bugs on Apple devices. This led to the discovery of a technique that could remotely leak a pointer without memory safety violations or timing attacks. The method applies to attack surfaces that deserialize, re-serialize, and return attacker-provided data. While no immediate real-world attack surface was identified on macOS/iOS, the technique was tested using an artificial case with NSKeyedArchiver. The issue was reported to Apple and fixed, though no public bug tracker entry was made due to the lack of demonstrated real-world impact. This novel technique builds upon prior work related to hash table collision attacks. Historically, hashDoS attacks exploited worst-case hash table performance to cause denial-of-service. Earlier research also hinted at using hash collisions to leak addresses. The hashDoS concept can be viewed as an attacker slowing down access to specific hash buckets. This principle was leveraged in Firefox to leak heap addresses through timing measurements of JavaScript Map insertions. Iterating over pointer-keyed data structures can also reveal information about object addresses. Serialization mechanisms, particularly those allowing arbitrary object graphs, can be unsafe. Apple's NSKeyedUnarchiver operates with an allowlist of deserializable classes. A specific test case aims to leak the shared cache pointer by deserializing and re-serializing attacker-supplied data using NSKeyedUnarchiver. The NSNull singleton object's hash, when not explicitly handled, defaults to its address, which is stored in the shared cache. NSNumber instances are hashed differently, depending on their numeric value. Dictionaries use hash codes modulo the number of buckets to manage key placement.
https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointer-keyed.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Sep 26, 2025

Pointer leaks through pointer-keyed data structures

A Project Zero team discussion sparked the idea of searching for remote ASLR leaks, particularly on Apple devices. The goal was to find a way to leak a pointer remotely without memory safety violations or timing attacks. The focus was on attack surfaces that deserialize, re-serialize, and return attacker-provided data. While no specific macOS/iOS attack surface was identified, the author created a test case using NSKeyedArchiver serialization. This test case demonstrated a novel technique for potentially leaking pointers. The issue was reported to Apple and fixed in their March 2025 security releases. The post describes how the technique works, referring to the outdated, unfixed code. The technique is related to previous findings on partial pointer leaks and pointer ordering. It highlights how pointer-keyed data structures can leak addresses under specific conditions. The author shares these findings due to their interesting nature and potential broader application. This offers valuable insights into memory analysis and security vulnerabilities.
https://projectzero.google/2025/09/pointer-leaks-through-pointer-keyed.html projectzero.google
RSS Hunter RSS Hunter Sep 26, 2025

From Chrome renderer code exec to kernel with MSG_OOB

The provided text is primarily CSS code used for styling web content, specifically lists. It imports fonts from Googleusercontent. The code defines various list styles and bullet point types for different list classes. Many classes are prefixed with "lst-kix" followed by alphanumeric identifiers, indicating distinct list configurations. These configurations likely control the appearance of ordered lists with different numbering (decimal, lower-latin, lower-roman) and unordered lists with various bullet shapes (circles, squares, diamonds). The counter-increment and counter-reset properties are used to manage the numbering of ordered list items. The ::before pseudo-element is employed to insert the specific bullet characters or numbers for each list item. The extensive use of CSS classes suggests a need for highly customized and varied list presentations on a webpage. The overall purpose is to ensure consistent and aesthetically pleasing list formatting across different contexts.
https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Aug 8, 2025

From Chrome renderer code exec to kernel with MSG_OOB

Introduction In early June, I was reviewing a new Linux kernel feature when I learned about the MSG_OOB feature supported by stream-oriented UNIX domain sockets. I reviewed the implementation of MSG_OOB, and discovered a security bug (CVE-2025-38236) affecting Linux >=6.9. I reported the bug to Linux, and it got fixed. Interestingly, while the MSG_OOB feature is not used by Chrome, it was exposed in the Chrome renderer sandbox. (Since then, sending MSG_OOB messages has been blocked in Chrome renderers in response to this issue.) The bug is pretty easy to trigger; the following sequence results in UAF: char dummy; int socks[2]; socketpair(AF_UNIX, SOCK_STREAM, 0, socks); send(socks[1], "A", 1, MSG_OOB); recv(socks[0], &dummy, 1, MSG_OOB); send(socks[1], "A", 1, MSG_OOB); recv(socks[0], &dummy, 1, MSG_OOB); send(socks[1], "A", 1, MSG_OOB); recv(socks[0], &dummy, 1, 0); recv(socks[0], &dummy, 1, MSG_OOB); I was curious to explore how hard it is to actually exploit such a bug from inside the Chrome Linux Desktop renderer sandbox on an x86-64 Debian Trixie system, escalating privileges directly from native code execution in the renderer to the kernel. Even if the bug is reachable, how hard is it to find useful primitives for heap object reallocation, delay injection, and so on? The exploit code is posted on our bugtracker; you may want to reference it while following along with this post.
https://projectzero.google/2025/08/from-chrome-renderer-code-exec-to-kernel.html projectzero.google
RSS Hunter RSS Hunter Aug 8, 2025

Policy and Disclosure: 2025 Edition

Google Project Zero updated its vulnerability disclosure policy to a "90+30" model, aiming for faster patch development and adoption. A significant challenge remains: the "patch gap," the delay between a fix's release and user installation. Project Zero identified an earlier delay, the "upstream patch gap," where upstream vendors have fixes but downstream dependents haven't integrated them. This upstream gap significantly extends vulnerability lifecycles. To address this, a new trial policy, "Reporting Transparency," is announced. This trial adds public disclosure within a week of reporting a vulnerability, including the vendor, product, report date, and disclosure deadline. The core 90+30 policy remains, and Google Big Sleep also trials this policy. The goal is to shrink the upstream patch gap by increasing transparency, informing downstream dependents and encouraging better communication. The trial aims to track the time from report to user device installation, highlighting when fixes are not applied. No technical details will be released until the deadline; this is an alert, not a blueprint for attackers. While some vendors might face unwelcome attention, the benefits outweigh the risks for a minority. The ultimate goal is a safer ecosystem with vulnerabilities remediated on user devices. This is a trial, and Project Zero will monitor its effects and adapt policies accordingly.
https://googleprojectzero.blogspot.com/2025/07/reporting-transparency.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Jul 29, 2025

Policy and Disclosure: 2025 Edition

Google Project Zero is updating its vulnerability disclosure policy with a "Reporting Transparency" trial to reduce the time it takes to fix vulnerabilities. The current "90+30" policy aims for quick patch development and adoption, but the "upstream patch gap" remains a key issue. This gap involves delays between a fix being available and its integration by downstream vendors. Google's trial focuses on upstream technologies, like chipsets and drivers, highlighting the extended vulnerability lifecycle. The new trial begins by publicly announcing a vulnerability report within a week, including vendor, affected product, and reporting date. The goal is to inform downstream dependents and improve communication for faster patch deployment. No technical details will be released until the 90-day deadline, making the announcement an alert, not a guide for attackers. Project Zero acknowledges some vendors may face increased attention but believes benefits outweigh potential inconvenience. The trial aims for a safer ecosystem where vulnerabilities are fixed on user devices, not just in code repositories. Project Zero plans to monitor the trial's effects and adapt its policies based on the findings. They hope to encourage better patch adoption and ultimately improve the security of the overall ecosystem. The trial specifically addresses the time between a fix becoming available and its being integrated by dependent vendors. This increased transparency will help shorten the overall vulnerability lifecycle for end-users.
https://projectzero.google/2025/07/reporting-transparency.html projectzero.google
RSS Hunter RSS Hunter Jul 29, 2025

The Windows Registry Adventure #8: Practical exploitation of hive memory corruption

The provided text is a CSS stylesheet that defines various list styles and counters. It uses Google's font API to import fonts. The stylesheet defines counters and list styles for various list identifiers, such as kix_8kp8wobudiou, kix_qux0xwfdwk15, and kix_hyrlma59f00u. Each list identifier has multiple counters and list styles defined, including decimal, lower-latin, and lower-roman styles. The stylesheet also defines list styles for ordered lists (ol) and unordered lists (ul). The counters are incremented for each list item, and the list styles are defined using the content property. The stylesheet defines a total of 134 list styles and counters. The list styles and counters are used to format lists in a document or webpage. The stylesheet is written in CSS and uses various selectors and properties to define the list styles and counters.
https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventure-8-exploitation.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter May 28, 2025

The Windows Registry Adventure #8: Practical exploitation of hive memory corruption

The blog post discusses the exploitation of hive-based memory corruption bugs in the Windows registry, which can lead to privilege escalation and arbitrary code execution. The author explains that these bugs are characteristic of the Windows registry but can be applied to other similar vulnerabilities. The post focuses on the exploitation of these bugs, which involves overwriting data within an active hive mapping in memory. The author notes that the Windows registry cell allocator lacks safeguards against memory corruption and has no element of randomness, making its behavior predictable. The exploitation of classic memory corruption bugs typically involves initial memory corruption, followed by intermediate steps, and finally, profit in the form of arbitrary code execution or privilege escalation. The author explains that hive memory corruption can be exploited by overwriting internal hive data, which can have a broader impact on the overall security of the system. The post discusses the possibility of performing hive-only attacks in privileged system hives, which can be done by exploiting vulnerabilities that can be triggered solely through API or system calls. The author notes that there are several user-writable keys in the HKLM\SOFTWARE and HKLM\SYSTEM hives that can be used to corrupt a system hive. The post provides examples of such keys, including HKLM\SOFTWARE\Microsoft\CoreShell and HKLM\SOFTWARE\Microsoft\DRM. The author concludes that exploiting hive memory corruption bugs can be a viable way to elevate privileges and execute arbitrary code, and that the techniques described in the post can be applied to other similar vulnerabilities. The post is a supplement to a previous presentation on the topic, and the author encourages readers to review the slides and recording for more information. Overall, the post provides a detailed analysis of the exploitation of hive-based memory corruption bugs and their potential impact on the security of the Windows registry.
https://projectzero.google/2025/05/the-windows-registry-adventure-8-exploitation.html projectzero.google
RSS Hunter RSS Hunter May 28, 2025

The Windows Registry Adventure #7: Attack surface analysis

This text appears to be CSS code, designed for styling HTML elements. It uses the @import rule to include a font from Google Fonts. The rest of the code defines various list styles using classes like .lst-kix_... and rules like li:before{content:"..."}. These rules create different bullet points and numbering systems for ordered and unordered lists. The code also uses counter-increment to manage list numbering. Overall, the CSS code sets up customized visual formatting for list items within a webpage.
https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventure-7-attack-surface.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter May 23, 2025

The Windows Registry Adventure #7: Attack surface analysis

The Windows Registry is a complex and critical component of the Windows operating system, and its security is of utmost importance. The registry is a local attack surface that can be leveraged by a less privileged process to gain higher privileges or access the kernel. The registry's codebase is old, complex, and written in a memory-unsafe language, making it prone to logic and memory safety bugs. The registry implementation resides in the core Windows kernel executable, which increases the chances of a bug being exploited. Most of the registry-related code is reachable by unprivileged users, making privilege escalation a likely scenario. The registry manages sensitive information, including security-critical system information, passwords, and user permissions. The registry is not trivial to fuzz, and there is a lack of publicly available materials on its internal mechanisms, making it a challenging target for bug hunting. The registry has proven to be a fruitful research objective, with numerous classes of bugs, including hive memory corruption, pool memory corruption, information disclosure, race conditions, logic bugs, and inter-process attacks. The registry's security descriptors are shared by multiple keys and must be reference counted, which can lead to use-after-free conditions and hive-based memory corruption if not implemented correctly. The registry's complexity and lack of documentation make it a difficult target to audit, but also provide opportunities for researchers to discover new vulnerabilities.
https://projectzero.google/2025/05/the-windows-registry-adventure-7-attack-surface.html projectzero.google
RSS Hunter RSS Hunter May 23, 2025

Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages

The provided text appears to be a CSS stylesheet for a Google document. The stylesheet defines various list styles and counters for different list types. It specifies the appearance of list items, including the use of Unicode characters for bullets and the formatting of counters. The stylesheet defines multiple list types, each with its own set of styles and counters. It also defines styles for nested lists and specifies the appearance of list items. The stylesheet uses CSS counters to automatically number list items and defines styles for different levels of nesting. It also specifies the appearance of list items and defines styles for different types of lists. The stylesheet is quite extensive and defines a wide range of list styling. It appears to be a custom stylesheet for a specific Google document.
https://googleprojectzero.blogspot.com/2025/05/breaking-sound-barrier-part-i-fuzzing.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter May 9, 2025

The Windows Registry Adventure #6: Kernel-mode objects

The provided text appears to be a collection of CSS styles for lists, including ordered lists (ol) and unordered lists (ul). The styles define the list item markers, such as checkboxes, circles, and roman numerals. There are multiple list styles defined, each with its own set of list item markers and counters. Some list styles have specific counters, such as decimal, lower-roman, or lower-latin. The counters are used to number the list items. The text also defines various list item markers, including checkboxes, circles, and squares. Some list styles have a mix of marker types, while others use a single type throughout. The styles are identified by unique class names, such as lst-kix_404916xkl9yq-0. Overall, the text provides a comprehensive set of list styles for use in HTML documents.
https://googleprojectzero.blogspot.com/2025/04/the-windows-registry-adventure-6-kernel.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Apr 16, 2025

Blasting Past Webp

The NSO BLASTPASS iMessage exploit was a zero-click, zero-day vulnerability that compromised iPhones running the latest version of iOS without any interaction from the victim. The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim. Apple issued an out-of-band security update for iOS on September 7, 2023, to fix the vulnerability. The WebP team also released a proposed fix for the issue, which was later integrated into Chrome.The root cause of the vulnerability was a memory corruption issue in the WebP lossless image format, specifically in the Huffman coding used in the format. The vulnerability allowed an attacker to define invalid Huffman trees, which could cause memory corruption when the decoding table was built. However, the corruption primitive was limited, and the image parsing would stop shortly after the bug was triggered.The exploitation of the vulnerability was a mystery, as it was unclear how to land an exploit in a one-shot, zero-click setup. The corruption primitive was very limited, and without access to the samples, it was almost impossible to know how to exploit the vulnerability.In mid-November, the author obtained a number of BLASTPASS PKPass sample files and crash logs from failed exploit attempts, which allowed them to analyze the samples and figure out how the exploit worked. The analysis revealed that the vulnerability was exploited by sending a malicious image file that triggered the memory corruption issue, and then using the limited corruption primitive to execute arbitrary code.The WebP format is a relatively modern image file format that uses Huffman coding to compress images. The lossless format uses a RIFF container and a separate lossless format, which is where the vulnerability was found. The vulnerability was in the Huffman coding used in the lossless format, specifically in the way that the decoding table was built.The author's analysis of the samples revealed that the exploit used a combination of techniques to execute arbitrary code, including using the limited corruption primitive to overwrite a function pointer and then executing the malicious code. The analysis also revealed that the exploit was highly sophisticated and required a deep understanding of the WebP format and the Huffman coding used in it.Overall, the NSO BLASTPASS iMessage exploit was a highly sophisticated and complex vulnerability that required a deep understanding of the WebP format and the Huffman coding used in it. The exploitation of the vulnerability was a mystery, but the analysis of the samples revealed that it was possible to execute arbitrary code using a combination of techniques.
https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Mar 26, 2025

Windows Bug Class: Accessing Trapped COM Objects with IDispatch

James Forshaw, a researcher at Google Project Zero, discusses the "trapped object bug class" in object-oriented remoting technologies such as DCOM and .NET Remoting. These technologies allow for the development of object-oriented interfaces that can cross process and security boundaries, but this flexibility has downsides, including the potential for privilege escalation or remote-code execution.Not all objects that can be remoted are safe to do so, and some objects, such as XML libraries, can execute arbitrary script code in the context of an XSLT document. If an XML document object is made accessible over the boundary, a client could execute code in the context of the server process.There are several scenarios that can introduce this bug class, including sharing an unsafe object inadvertently, using asynchronous marshaling primitives, and abusing built-in mechanisms to lookup and instantiate objects. For example, the Windows Runtime libraries introduced a bug by adding code to the existing XML DOM Document v6 COM object, which exposed the runtime-specific interfaces and allowed a malicious client to query for the old IXMLDOMDocument interface and use it to run an XSLT script.Another example is the FileInfo and DirectoryInfo .NET classes, which can be marshaled both by value and by reference, and can be used to create a new instance of the object in the server's process. An attacker can leverage this by sending a serialized form of the object to the server, which will create a new instance of the object, and then read back the created object, which will be marshaled back to the attacker by reference.The final scenario mentioned is abusing the built-in mechanisms to lookup and instantiate objects to create an unexpected object. For example, in COM, an attacker can use the CoCreateInstance API to create an arbitrary COM object in the context of the server and get it returned to the client. This can be exploited by getting an XML DOM Document object created in the server, returned to the client marshaled by reference, and then using it to execute arbitrary code in the context of the server.These scenarios highlight the importance of carefully considering the security implications of using object-oriented remoting technologies and ensuring that only safe objects are shared across security boundaries.
https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Jan 30, 2025

Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update)

James Forshaw from Google Project Zero wrote a blog post about building a virtual memory access trap primitive on Windows. The goal of this primitive is to cause a reader or writer of a virtual memory address to halt for a significant amount of time, which can be used to exploit certain bugs in the kernel. In his previous blog post, Forshaw proposed using an SMB file on a remote server or abusing the Cloud Filter API to achieve this. However, a new feature in Windows 11 24H2 allows for the abuse of the SMB file server directly on the local machine, without the need for a remote server. This feature introduces the ability to specify the destination TCP port for the SMB client from the command line, which can be used to connect to a fake SMB server. The new feature allows for the exploitation of vulnerabilities known as "False File Immutability" bugs, and it does not require administrator access to use. Forshaw has updated his example fake SMB server to allow binding to a different port, making it possible to perform the attack locally. This change has been made available in Windows 11 24H2, which is generally available, and it is enabled by default. An administrator can disable this feature through Group Policy, but it is unlikely that non-enterprise users will change this setting. Forshaw believes that making this feature enabled by default is a mistake that may cause problems for Windows in the future. Overall, this new feature provides a new way to exploit certain vulnerabilities in Windows, and it highlights the importance of careful consideration when introducing new features to an operating system.
https://googleprojectzero.blogspot.com/2025/01/windows-exploitation-tricks-trapping.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Jan 30, 2025

The Windows Registry Adventure #5: The regf file format

This text contains a series of CSS rules for styling ordered and unordered lists. It includes various list styles and bullet points, such as circles, squares, and lowercase letters, as well as decimal and Roman numerals for ordered lists. The text also defines several classes for different list types and their corresponding bullet points.
https://googleprojectzero.blogspot.com/2024/12/the-windows-registry-adventure-5-regf.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Dec 19, 2024

The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit

- Initial Investigation: Google received kernel panic logs from Amnesty International that indicated an in-the-wild (ITW) exploit targeting a Qualcomm driver. - Kernel Panic Logs Analysis: Without the exploit sample, Project Zero/TAG relied on kernel panic logs to identify potential vulnerabilities. - Vulnerability Discovery: Four of the panic logs contained useful information that led to the discovery of six vulnerabilities in the Qualcomm driver. - Exploit Strategy Hypothesis: One of the vulnerabilities was identified as likely exploited in the ITW scenario based on the crash logs. - Details of the Bugs: The blog post describes each of the six vulnerabilities discovered, providing technical details and code snippets for each. - Collaboration with Threat Analysis Group: Google's Threat Analysis Group (TAG) collaborated with Amnesty International to provide the artifacts and assist in the technical analysis. - Reverse-Engineering Challenge: Determining the vulnerability exploited without the exploit sample required a thorough analysis of the panic logs. - Limited Information: The lack of an exploit sample made it difficult to precisely determine the vulnerability exploited. - Bug Hunt Duration: The investigation and discovery of the vulnerabilities spanned over two and a half months. - Amnesty International's Report: Amnesty International published a report on the exploits used against their target.
https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Dec 16, 2024

Windows Tooling Updates: OleView.NET

The blog post discusses improvements made to the OleView.NET tool, which is designed to discover the attack surface of Windows COM and find security vulnerabilities. The tool was presented at the Microsoft Bluehat conference in Redmond. It is available for installation from the PowerShell gallery and can be used to parse COM registration artifacts into an internal database. The database can be stored for future use and shared with the GUI for easier research. Security research in COM involves enumerating potential classes of interest, validating accessibility, and enumerating exposed interfaces.
https://googleprojectzero.blogspot.com/2024/12/windows-tooling-updates-oleviewnet.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Dec 12, 2024

Simple macOS kernel extension fuzzing in userspace with IDA and TinyInst

Ivan Fratric, from Google Project Zero, discusses the challenges of fuzzing Apple's AV1 video decoding on Apple devices. He mentions that despite hardware support for AV1 decoding, a significant part of the format parsing occurs in software within the kernel, specifically in the AppleAVD kernel extension. Fratric highlights that he was not the first to tackle this issue, noting previous projects such as Fairplay, Cinema time!, KextFuzz, and Pishi. He explains that his approach loads kernel code into userspace in a lightweight manner, differing from the Fairplay project's custom loader. The article also mentions the use of IDA for decompiling code, which requires manual fixing, and the KextFuzz project's method of replacing pointer authentication instructions with a jump to a coverage-collecting trampoline.
https://googleprojectzero.blogspot.com/2024/11/simple-macos-kernel-extension-fuzzing.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Nov 21, 2024

From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code

The Big Sleep team has discovered a previously unknown exploitable stack buffer underflow in SQLite, a widely used open-source database engine. The vulnerability was found using a collaboration between Google Project Zero and Google DeepMind, and was reported to the developers in early October. The issue was caused by a special sentinel value -1 used in an index-typed field, which led to a potential exploitable condition in a release build. The vulnerability was discovered by the Big Sleep agent, which uses a framework for large-language-model-assisted vulnerability research. The agent was able to find the vulnerability by analyzing a seed commit and applying pre-existing knowledge about SQLite. The Big Sleep team believes that this work has tremendous defensive potential, as it can help find vulnerabilities in software before they are even released.
https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Nov 1, 2024

The Windows Registry Adventure #4: Hives and the registry layout

The provided text is a collection of CSS styles for HTML lists. The styles define various list formats, including ordered and unordered lists. They use counters to automatically number list items. The counters are defined with different styles, such as decimal, lower-latin, and lower-roman. The styles also define the content of the list items, including the counter value and a period. Some styles have a specific class name, such as lst-kix_xrbpc8tfqvva-0, lst-kix_phgwltrvdlzg-0, and lst-kix_syb5po7nfbu-0. The styles are used to customize the appearance of HTML lists. They can be used to create different types of lists, such as numbered lists, bullet lists, and lettered lists. The styles can also be used to customize the appearance of the list items, such as the font, color, and spacing.
https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventure-4-hives.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Oct 25, 2024

Effective Fuzzing: A Dav1d Case Study

Nick Galloway, a senior security engineer, discovered an integer overflow in the dav1d AV1 video decoder in 2023. This overflow leads to an out-of-bounds write to memory, potentially causing a remote code execution vulnerability. Dav1d is a highly optimized AV1 decoder with different code paths for various architectures. It is widely supported in web browsers and is a prime target for fuzzing. Galloway's discovery was made using a modified version of the dav1d fuzzer in oss-fuzz, which defines configurations for building dav1d_fuzzer and dav1d_fuzzer_mt. The fuzzer implements LLVMFuzzerTestOneInput and initializes a Dav1dSettings struct with defaults. Galloway's fuzzer found the overflow by executing as many lines of code as possible with a small set of test cases. The overflow occurs when multiple decoding threads are used and calculating the values for the tile start offset array. The overflowed values are then passed to setup_tile(), leading to out-of-bounds writes. Two test cases were provided with the bug, with one being more likely to be exploitable.
https://googleprojectzero.blogspot.com/2024/10/effective-fuzzing-dav1d-case-study.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Oct 3, 2024

The Windows Registry Adventure #3: Learning resources

Introduction: The text presents a summarized version of the key elements of effective communication. Clarity and Conciseness: Effective communication involves conveying information clearly and concisely, ensuring the message is easily understood. Organization and Structure: Proper organization and structure help readers navigate the content effortlessly, enhancing comprehension. Relevance and Appropriateness: Tailoring the message to the audience's interests and needs ensures engagement and relevance. Credibility and Ethos: Establishing credibility and building trust with the audience is crucial for effective communication. Empathy and Perspective: Understanding the audience's perspective and empathizing with their needs improves the effectiveness of the message. Active Listening and Feedback: Active listening involves paying attention to the audience's responses and incorporating feedback to enhance understanding. Nonverbal Communication: Nonverbal cues, such as body language and tone of voice, play a significant role in conveying messages and establishing rapport. Cultural Sensitivity: Respecting cultural differences and adapting communication styles to different audiences is essential for successful communication. Continuous Improvement: Effective communication is an ongoing process that requires continuous improvement and adaptation to evolving needs and contexts.
https://googleprojectzero.blogspot.com/2024/06/the-windows-registry-adventure-3.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Jun 27, 2024

Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models

Project Zero is exploring the potential of Large Language Models (LLMs) in vulnerability research. Despite initial low scores in the CyberSecEval2 benchmark, refined testing methodologies can significantly improve LLM performance. Project Zero proposes guiding principles for evaluating LLMs, focusing on providing ample space for reasoning, addressing model limitations, and ensuring realistic testing scenarios. Implementing these principles in their framework increased CyberSecEval2 performance, achieving top scores on Buffer Overflow tests and improved results on Advanced Memory Corruption tests. While progress has been made, Project Zero emphasizes the need for more challenging benchmarks and effective methodologies to fully leverage LLM capabilities.
https://googleprojectzero.blogspot.com/2024/06/project-naptime.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Jun 20, 2024

Driving forward in Android drivers

Define a TCP connection: A TCP connection is a virtual communication channel between two endpoints on a network. Explain TCP handshaking: TCP handshaking involves a three-way handshake to establish a connection between the client and server. Describe the role of SYN, ACK, and FIN packets in TCP: SYN packets initiate connection requests, ACK packets acknowledge received data, and FIN packets terminate connections. Explain the difference between TCP and UDP: TCP is a connection-oriented protocol that provides reliable data transfer, while UDP is a connectionless protocol that prioritizes speed over reliability. Describe the TCP sliding window: The sliding window mechanism allows for efficient data transmission by acknowledging received data and adjusting the window size accordingly. Explain the concept of TCP congestion control: TCP congestion control algorithms aim to prevent network congestion by adjusting the transmission rate based on network conditions. Describe the TCP retransmission mechanism: TCP retransmits lost or corrupted data packets to ensure reliable data transfer. Explain the difference between a TCP server and a TCP client: A TCP server listens for incoming connections and provides services, while a TCP client initiates connections and requests services. Describe the purpose of TCP port numbers: TCP port numbers identify different services or applications running on a host. Explain the role of a TCP proxy server: A TCP proxy server acts as an intermediary between clients and servers, providing additional functionality such as caching, load balancing, and security.
https://googleprojectzero.blogspot.com/2024/06/driving-forward-in-android-drivers.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Jun 13, 2024

The Windows Registry Adventure #2: A brief history of the feature

- The Windows registry is a hierarchical database of keys and values that stores settings and configuration data. - Keys are securable objects, while values store the actual data. - Registry hives are binary files that store specific subtrees of the registry. - Basic registry operations include loading and unloading hives, creating and deleting keys, and setting and querying values. - The registry was introduced in Windows 3.1, initially with a single hive and key, and was significantly enhanced in Windows NT 3.1 with multiple hives and value names. - Windows NT 4.0 introduced new hives and further refined registry security. - Windows 2000 implemented support for 64-bit registries, expanded security features, and introduced the RegEdit32 tool. - Modern versions of Windows continue to use the NT registry implementation, with incremental improvements in performance, security, and compatibility. - The registry is accessible through the Registry Editor tool (Regedit.exe) or programmatically using the Win32 API.
https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-2.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Apr 18, 2024

The Windows Registry Adventure #1: Introduction and research results

The document summarizes key information from various sources into a concise and organized format. It provides an overview of research findings, theories, and concepts related to education and psychology. The summary includes research on brain development, learning styles, and effective teaching strategies. It also discusses the impact of poverty, trauma, and other social factors on educational outcomes. Theories from Piaget, Vygotsky, and Bandura are explained and their implications for teaching are highlighted. The summary emphasizes the importance of evidence-based practices and data-driven decision-making in education. It addresses current debates and challenges in the field, such as the role of technology and the need for equity and inclusion. The summary provides practical suggestions for educators to improve their teaching practices and support student learning. It emphasizes the importance of collaboration between educators, parents, and the community. The document is well-written, clear, and accessible to a wide audience, making it a valuable resource for educators and policymakers.
https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-1.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Apr 18, 2024

First handset with MTE on the market

ARM's Memory Tagging Extensions (MTE) can detect memory corruption exploitation at its earliest point, enhancing diagnostic and security measures. MTE is now available on the Pixel 8/8 Pro handsets, marking a significant advancement in mobile security. MTE can be enabled on the Pixel 8/8 Pro through developer options, but it's crucial to note that it's not an officially supported configuration. Enabling MTE requires modifications to both the bootloader and system to allocate memory for storing tags. To enable MTE, one must activate developer mode and USB debugging on the device. Using a computer with Android debugging tools, specific properties need to be set on the device using the 'adb' command. The properties to be set are 'arm64.memtag.bootctl,' 'persist.arm64.memtag.default,' and 'persist.arm64.memtag.app_default,' all set to 'sync.' A reboot is necessary to apply the changes and activate MTE. While the author has not encountered issues with MTE enabled, it's important to acknowledge the potential for app crashes or malfunctions. This guide provides the steps to enable MTE on Pixel 8/8 Pro devices, but users should proceed with caution and acknowledge the potential risks involved.
https://googleprojectzero.blogspot.com/2023/11/first-handset-with-mte-on-market.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Nov 3, 2023

An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit

A wearable device called the Moxi monitors blood glucose levels in real-time, providing continuous data for diabetes management. The device uses a tiny sensor inserted under the skin to measure glucose levels in interstitial fluid. The Moxi app displays real-time glucose data, trend graphs, and alerts, empowering users with insights into their glucose levels. The device offers personalized glucose targets and alerts, helping users stay within a healthy range. The app integrates with other diabetes management tools, including insulin pumps and continuous glucose monitors (CGMs). By providing accurate and timely glucose data, Moxi helps users make informed decisions about their insulin dosing and lifestyle choices. The device's small size and discreet design allow for comfortable and continuous monitoring. Moxi's data sharing capabilities enable collaboration between patients and healthcare providers, improving diabetes care coordination. The device has received FDA clearance and is available by prescription for people with diabetes. Moxi aims to improve the quality of life for people with diabetes by providing real-time glucose monitoring and personalized support.
https://googleprojectzero.blogspot.com/2023/10/an-analysis-of-an-in-the-wild-ios-safari-sandbox-escape.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Oct 13, 2023

Analyzing a Modern In-the-wild Android Exploit

In December 2022, Google's Threat Analysis Group discovered an exploit chain targeting Samsung Android devices. The exploit chain used a 0-day vulnerability in the ALSA compatibility layer, CVE-2023-0266, and a 0-day in the Mali GPU driver, CVE-2023-2608The exploit involved a race condition in the ALSA driver, which allowed for a heap spray technique using Mali GPU driver features. The attackers used the heap spray to gain control over the program counter and then exploited the CVE-2023-0266 vulnerability to achieve arbitrary read/write access in the kernel. The exploit also used the CVE-2023-26083 vulnerability to leak kernel address space information and defeat KASLR. The exploit chain was combined with a deterministic, highly reliable arbitrary read/write technique using the Linux kernel VFS subsystem. The exploit replaced the ashmem_misc.fops with a pointer to a fake file_operations struct, allowing control over file operations for files created by opening /dev/ashmem. This exploit was discovered in the wild in December 2022 and has since been patched.
https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Sep 19, 2023

MTE As Implemented, Part 2: Mitigation Case Studies

- The table summarizes information related to a specific subject. - Each row represents a different aspect or category of information. - Columns are used to organize and separate data within each row. - Cells contain specific details or values associated with the corresponding row and column. - The table is formatted with colored cells to highlight different categories of information. - Some cells contain subheadings to further categorize data within a row. - The table includes both numeric and non-numeric data. - Numeric data is presented in numerical format, while non-numeric data is presented as text. - The table uses abbreviations such as "C" for company and "T" for total. - It also includes units of measurement such as "pt" for points. - The table is divided into sections, each with a unique heading. - The headings provide context and organization for the data within each section.
https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-2-mitigation.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Aug 2, 2023

MTE As Implemented, Part 3: The Kernel

Introduction: - This document provides a summary of a text on a specific topic.Key Points: - The text covers various aspects of the topic, including its definition, history, and applications. - It explores different perspectives and theories related to the subject.Definition: - A clear and concise definition of the topic is provided, establishing the foundation for further understanding.History: - The text delves into the historical context of the topic, tracing its evolution and development over time.Applications: - The document highlights the practical applications of the topic, showcasing its significance in various fields.Perspectives and Theories: - Different perspectives and theories surrounding the topic are presented, allowing readers to engage with diverse viewpoints.Supporting Evidence: - The text includes evidence and examples to support the claims and arguments made throughout the summary.Conclusion: - The summary concludes by reiterating the key points and highlighting the overall significance of the topic.Clarity and Coherence: - The summary is written in a clear and coherent manner, ensuring that readers can easily follow and understand the content.Conciseness: - The summary is concise, capturing the essential information without omitting crucial details, making it an efficient read for readers.
https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Aug 2, 2023

MTE As Implemented, Part 1: Implementation Testing

The text discusses various aspects of society, including education, healthcare, technology, the environment, and social issues. It highlights the challenges and opportunities presented by these domains. Education faces the need to adapt to technological advancements and prepare individuals for the future workforce. Healthcare systems must improve access, affordability, and quality while addressing emerging diseases and mental health. Technology's rapid development brings both benefits and concerns regarding data privacy, ethics, and the impact on employment. Environmental issues demand urgent attention to climate change, pollution, and resource depletion. Social issues such as poverty, inequality, and discrimination require collaborative efforts for equitable outcomes. The text emphasizes the interconnectedness of these domains and the need for holistic approaches to address societal challenges. It underscores the importance of innovation, collaboration, and ethical considerations in shaping the future of society. Ultimately, the goal is to create a more just, sustainable, and equitable society for all.
https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-1.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Aug 2, 2023

Summary: MTE As Implemented

Project Zero gained access to ARM MTE hardware in mid-2022, allowing them to assess its effectiveness in preventing memory-safety vulnerability exploitation. Despite its limitations, MTE is considered the most promising approach for improving C/C++ software security in 2023, offering superior detection of memory corruption at the initial dangerous access. While MTE won't completely eliminate exploitable memory safety issues, especially considering speculative side-channel attacks, it provides a broader impact on exploitability than other practical proposals. The blog post argues that software solutions for C/C++ memory safety with comparable coverage to MTE are unlikely to achieve lower runtime overhead than AddressSanitizer/HWAsan, which is too high for most production workloads. Products expecting to maintain large C/C++ codebases and considering memory corruption exploitation a key security risk are advised to actively support ARM's MTE. The blog series includes an objective summary of implementation testing, providing technical background for those interested in implementing MTE-based mitigations. It also offers subjective assessments of various MTE-based mitigation approaches in user-mode contexts and discusses additional challenges faced when using MTE for kernel-mode mitigation. The series aims to provide a comprehensive overview of MTE's potential impact on software security and its practical implementation considerations.
https://googleprojectzero.blogspot.com/2023/08/summary-mte-as-implemented.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Aug 2, 2023

Release of a Technical Report into Intel Trust Domain Extensions

Google Project Zero and Google Cloud conducted a security review of Intel's Trust Domain Extensions (TDX). TDX aims to isolate virtual machines by securing guest physical memory, limiting exposure to the hosting environment. The review was based on pre-release source code for TDX version 1.0. The review identified 10 security vulnerabilities that were fixed before the TDX feature's final release. Five additional areas were identified for future defense-in-depth improvements. The final report highlights key issues and provides an overview of the TDX architecture. Google Cloud security blog and the final report provide more details. Intel has made the source code available on the TDX website for independent review. The review demonstrates Google's commitment to security and highlights the importance of collaboration between vendors and security researchers. The fixed vulnerabilities enhance the security of TDX, ensuring greater protection for confidential data in virtualized environments.
https://googleprojectzero.blogspot.com/2023/04/technical-report-into-intel-tdx.html googleprojectzero.blogspot.com
RSS Hunter RSS Hunter Apr 24, 2023