Vitaly Nikolenko
Security researcher @ DUASYNT. Kernels, hypervisors. PGP: 77B1 FBAC E0FD 2E94 F8AC 2D91 9566 2314 344F 85E8
779 Tweets
86 Following
3,650 Followers
Tweets
Vitaly Nikolenko 16 Jan
Replying to @mrchickenrobot1
Yeah. Not a logic bug. UAF.
Vitaly Nikolenko 16 Jan
I'll make my tech report and PoC public soon. It was a fun bug affecting most major distributions. One exploit to rule them all, with all kernel exploit mitigation bypasses - no ROP chains / hardcoded crap.
Vitaly Nikolenko Retweeted
Blue Frost Security 7 Jan
Full analysis and exploit for Windows kernel ws2ifsl use-after-free (CVE-2019-1215) by our researcher
Vitaly Nikolenko 7 Jan
Replying to @uid1000
Oh, it'll now be in style for the next few years while Android OEMs catch up ;)
Vitaly Nikolenko 7 Jan
ROP/JOP pivoting to user space is now back in style.
Vitaly Nikolenko 3 Jan
We'll be running our Android kernel exploitation training in Canada (2nd week of April 2020). If there are any other Canadian companies interested in this training during that month, please reach out!
Vitaly Nikolenko 29 Dec
Advanced ghetto cooling system
Vitaly Nikolenko 29 Oct
Replying to @jon0day
Yep.
Vitaly Nikolenko 29 Oct
Replying to @mitp0sh @ickyphuz
Scaling is fine too. It's basically a single input / single exec path / single kernel subsystem per Pi, mutated to death with code coverage. Not the smartest option, but it works.
Vitaly Nikolenko 29 Oct
Replying to @mitp0sh @ickyphuz
Well, it's a slightly better CPU on Pi 4s. Disk access is still a bottleneck, but my reasons for doing it on bare metal are different. I was triggering more bugs in QEMU/VMware than in the kernel itself. Not concerned about power consumption either.
Vitaly Nikolenko 29 Oct
moar fuzzing moar pi
Vitaly Nikolenko 27 Oct
KASLR/SMEP/SMAP etc.
Vitaly Nikolenko 20 Oct
Null-ptr-deref trigger in nfnetlink on upstream 4.4 kernels
Vitaly Nikolenko 6 Oct
Replying to @orinimron123
Ubuntu kernel maintainers work in mysterious ways :)
Vitaly Nikolenko 6 Oct
Replying to @orinimron123
Hahah, looks like it got un-"patched" in recent kernels. Your version has the patch applied. Try something more recent. Mine was 4.4.0-161 from Aug this year.
Vitaly Nikolenko 6 Oct
Replying to @embeddedgus
It's fixed in all upstream LTS releases AFAIK.
Vitaly Nikolenko 6 Oct
Replying to @embeddedgus
Don't know any Ubuntu LTS versions that use 4.9? Upstream is fixed, it's just Ubuntu being special.
Vitaly Nikolenko 6 Oct
Replying to @vnik5287
Combine with the P0 null-page mmap bypass on older kernels / AMD or no-SMEP systems and you've got yourself an easy ret2usr exploit.
Vitaly Nikolenko 6 Oct
Doesn't seem like Ubuntu 4.4 LTS kernels want to pull the upstream patch. Can still get rip <-- 0 with syscall(__NR_clock_gettime, 10, 0).
Vitaly Nikolenko 16 Sep
Replying to @GujjarPcp
We got the 64-bit version working back then. All I can remember is that it wasn't trivial.