Saar Amar
@AmarSaar
Reversing, Exploits, Windows Internals, Virtualization, Mitigations. @pastenctf team member. MSRC-IL

1,380 Tweets · 225 Following · 6,353 Followers

Tweets

Saar Amar Retweeted
Yarden Shafir (@yarden_shafir) · Feb 2
Can your EDR detect symbolic link callback rootkits? Because ours sure as heck can't.
@aionescu and I wrote about these!
windows-internals.com/dkom-now-with-…

Saar Amar Retweeted
qwertyoruiop (@qwertyoruiopz) · Jan 31
aaand simplefb pic.twitter.com/xjE8TUueKf

Saar Amar Retweeted
j00ru//vx (@j00ru) · Jan 30
Just published a follow-up to my Adobe Reader symbols story on the Project Zero blog. Turns out there's even more debug metadata to be found in some old (and new) builds, including private CoolType symbols. Enjoy! googleprojectzero.blogspot.com/2020/01/part-i…

Saar Amar Retweeted
qwertyoruiop (@qwertyoruiopz) · Jan 29

Saar Amar (@AmarSaar) · Jan 29
Great job man!

Saar Amar Retweeted
gerhart (@gerhart_x) · Jan 29
Windows Server 2019 securekernel live debugging demo
youtu.be/tRLQwsJQ-hU

Saar Amar (@AmarSaar) · Jan 29

Saar Amar (@AmarSaar) · Jan 29
Yep, both in ancient Rome and pwndb :)

Saar Amar (@AmarSaar) · Jan 29
Interesting vulnerability: may_create_in_sticky() was done when we already have dropped the ref to dir, and thus dir (a struct dentry ptr) might be freed and reused. One impact is a 1-bit infoleak oracle in open() (CVE-2020-8428) seclists.org/oss-sec/2020/q…

Saar Amar (@AmarSaar) · Jan 23
Shortly after the publication of the crazy design issue contradicting XOM on EL0 && PAN (the arch can't create ---/--x), check out @s1guza's amazing post. TL;DR twitter.com/AmarSaar/statu…

Saar Amar (@AmarSaar) · Jan 23
Wow, crazy issue bypasses PAN: part of the uaccess routines (__arch_clear_user() and __arch_copy_{in,from,to}_user()) fail to re-enable PAN if they encounter an unhandled fault while accessing userspace. Check out the patch: lore.kernel.org/patchwork/patc… @Liran_Alon

Saar Amar Retweeted
Project Zero Bugs (@ProjectZeroBugs) · Jan 22
Insufficient fix for CVE-2019-6205 means XNU vm_map_copy optimization which requires atomicity still isn't atomic bugs.chromium.org/p/project-zero…

Saar Amar (@AmarSaar) · Jan 22
Well it got fixed, so yeah ;)

Saar Amar (@AmarSaar) · Jan 22
Of course! EVERYTHING reachable from sk!IumInvokeSecureService is in scope.

Saar Amar (@AmarSaar) · Jan 22
At @offensive_con we'll have round 2. But this time with securecalls.

Saar Amar (@AmarSaar) · Jan 21
No. You can return into an address which the original flow didn't intend, but you control the registers :)

Saar Amar (@AmarSaar) · Jan 21
In these CET times: it's possible to return, during unwinding, to any address in the SSP, causing a "type confusion" between stack frames ;)
I really like the different variants of this concept twitter.com/AmarSaar/statu… :) Type confusions are on fire! (stack frames, objc for PAC bypass) twitter.com/yarden_shafir/…

Saar Amar (@AmarSaar) · Jan 21
Can't wait!

Saar Amar Retweeted
qwertyoruiop (@qwertyoruiopz) · Jan 21
See you at @BlueHatIL for another round of "One Weird Trick SecureROM Hates"! I hoped to have enough material for a new talk, but my plans didn't quite work out :X

Saar Amar (@AmarSaar) · Jan 20
It's finally here, guys - @BlueHatIL is back! Check out the schedule && register now! bluehatil.com