🤷‍♂️ Profile
🤷‍♂️

@floesen_

Followers: 2K
Following: 206
Media: 2
Statuses: 71

Joined October 2020
@floesen_
🤷‍♂️
8 months
RT @orangecyberch: 🛡️ In this blog post, @itm4n and @PMa1n extend the work of @floesen_ and demonstrate how Server Silos can be leveraged t….
@floesen_
🤷‍♂️
1 year
RT @chompie1337: i am not trying to argue whether or not Admin -> Kernel should be a security boundary (though based on their own design de….
@floesen_
🤷‍♂️
1 year
Question for the Windows people: Is a „wild“ memcpy to a pool allocation (~100 bytes) with fully controlled source but size=0xffffffff exploitable in any meaningful way? Bug occurs during handling of an IOCTL with transfer type METHOD_BUFFERED (source buffer in kernel memory).
@floesen_
🤷‍♂️
1 year
RT @splinter_code: Bye bye to my admin->kernel priv8 0day 👋. Was sitting on it due to an NDA and i thought it was a quite unique bug, turns….
@floesen_
🤷‍♂️
1 year
Did you know that LSASS has the ability to execute arbitrary kernel-mode addresses? I wrote a small proof of concept that allows administrators to execute unsigned code in the kernel if LSA Protection is disabled.
@floesen_
🤷‍♂️
1 year
RT @m_u00d8: Fuzzing is hard, evaluating fuzzing is harder 🔥. For our new @IEEESSP paper, we studied 150 fuzzing evals and found issues suc….
@floesen_
🤷‍♂️
1 year
If performed remotely, the DoS does not work on clients that have the Remote Event Log feature blocked in their firewall. Whether this is the case, I guess, depends on many factors such as the domain group policies for example.
@floesen_
🤷‍♂️
1 year
A bug allows any user to crash the Windows Event Log service of any other Windows 10/Server 2022 machine on the same domain. According to MSRC, the bug does not meet the bar for servicing and therefore they allowed me to publish a proof of concept.
@floesen_
🤷‍♂️
2 years
RT @Neodyme: When CS:GO clients connected to our server, they got more than a game. We found 3 RCE vulnerabilities to give clients an unexp….
@floesen_
🤷‍♂️
3 years
RT @the_secret_club: Improving MBA Deobfuscation using Equality Saturation by @fvrmatteo and @mr_phrazer.
@floesen_
🤷‍♂️
3 years
RT @daax_rynd: It's been a while. here's the next part of the MMU virtualization series covering some paging details, MTRR basics, and co….
@floesen_
🤷‍♂️
4 years
RT @mr_phrazer: I've released a new version of my #BinaryNinja plugin to detect obfuscated code. In a blog post we evaluate new heuristics….
@floesen_
🤷‍♂️
4 years
RT @mr_phrazer: Giving the workshop on code deobfuscation was great fun. Thanks for your active participation! #HITB2021AMS. Check out code….
@floesen_
🤷‍♂️
4 years
RT @mr_phrazer: Together with @m_u00d8 we are happy to release msynth, our code deobfuscation framework to simplify Mixed Boolean-Arithmeti….
@floesen_
🤷‍♂️
4 years
RT @the_secret_club: Counter-Strike Global Offsets: reliable remote code execution by @brymko @cffsmith @scannell_simon (Guest article). ht….
@floesen_
🤷‍♂️
4 years
RT @bienpnn: "Critical this, critical that, just pay them the same flat amount" - a company that makes billions dollars each year. https://….
@floesen_
🤷‍♂️
4 years
Also, make sure to check out the exploit code if you are interested:
@floesen_
🤷‍♂️
4 years
RT @the_secret_club: CVE-2021-30481: Source engine remote code execution via game invites by @floesen_ .
@floesen_
🤷‍♂️
4 years
It's disclosure time! I hope you enjoy my write-up.
@the_secret_club
secret club
4 years
CVE-2021-30481: Source engine remote code execution via game invites by @floesen_ .
@floesen_
🤷‍♂️
4 years
RT @teapotddd: Here's a demonstration of one of the exploits that I have reported - an unconditional RCE that can be reliably triggered by….