Tweets
Fergus Retweeted
Willi Ballenthin, 10 Oct
macOS forensic artifact stream incoming.
Fergus Retweeted
J is evolving past Darwin, 27 Sep
Not "possibly the biggest". THE Biggest. Congratulations to ! Thankfully AAPL eventually patched this - the stuff Cellebrite, Grey key etc. base their entire business model on. For researchers, this is a great boon: brings back tethered JB & opens up dual boot, for life!
Fergus Retweeted
Aleph Research, 17 Jun
We hacked our way to executing an interactive bash shell on iOS on QEMU. We based the research on the work done by . Thanks!
Fergus, 6 Jun
No wait, code has to be on flash (Harvard architecture strikes again!). So, ROP to rewrite the flash..? 😃
Fergus, 6 Jun
No MMU - is ROP necessary?
Fergus, 21 Jan 2019
Replying to @brinlyau
Also haven’t been on a network of more than a dozen devices all trying to do the same update. Caching proxy is so much simpler than going down a WSUS-like route.
Fergus, 23 Dec 2018
Replying to @userlandkernel
Right, your argument is that if you can corrupt sa_len with another bug, before the CONNECTED event, the callback registered in mptcp_subflow_add() will trigger the overflow. Not bad, but if you have a memory corruption there are definitely better targets.
Fergus, 23 Dec 2018
Replying to @userlandkernel
You're referring to this "flow"? Seems to be from a very cool, yet unrelated, exploit for CVE-2018-4415.
Fergus, 23 Dec 2018
Replying to @fergofrog
Unless there's a driver that happily passes sockaddrs from userland into mptcp straight through mptcp_connectx, rather than mptcp_usr_connectx, this is not an exploitable bug. Definitely doesn't require additional checks to be added, or a CVE to be assigned.
Fergus, 23 Dec 2018
Replying to @fergofrog
Finally, mptcp_check_subflows_and_add either passes a fixed-length dst struct, or one from mpte->mpte_dst, which is set from , which is our dear friend from before, mptcp_usr_connectx, which checks sa_len.
Fergus, 23 Dec 2018
Replying to @fergofrog
mptcp_subflow_connected_ev operates on the CONNECTED event, called at . The mpts->mpts_dst, however, only has uses in two other functions: mptcp_subflow_add (the function in question) and (does check sa_len).
Fergus, 23 Dec 2018
Replying to @s1guza @NedWilliamson and 2 others
Makes it very easy to verify /'s points regarding /'s unexploitable bug. From there are 3 uses. For the simple case, the sa_len is checked at (mptcp_usr_connectx).
Fergus, 23 Dec 2018
Updated the XNU code browser to xnu-4903.221.2.
Fergus, 22 Dec 2018
I've released an updated guide on compiling xnu 4903.221.2 (macOS 10.14.1) for arm64. No code changes required this time - thanks Apple!