I did it again! It was fun to work on the exploit one night before the event and one-shot it at the demonstration!
And thank you @thezdi and @ubuntu for making the report process painless!
Validated! Kyle Zeng from ASU SEFCOM brought a race condition to #Pwn2Own and successfully used it to escalate privileges on #Ubuntu desktop. He earns $20,000 and 2 Master of Pwn points. #P2OVancouver
Finally, here is the blog documenting the crazy 7 days that I spent on CVE-2022-1786 to pwn kCTF (and won a lot of cash)! Let me know what you think of the blog!
I just pwned Google's Container-Optimized OS with a 0day, *again*! The vulnerability lies in a hot cache in the Linux kernel, thus extremely hard to exploit on the remote server. Thanks to @sirdarckcat's help in resetting the servers, I was finally able to make it work!
I just performed local privilege escalation and docker escape on Google's GKE engine yet again with yet another 0day! Fun fact, Google hasn't finished processing my last report :P
Thanks to @itszn13, now you can click a play button in the #how2heap main page and start learning various heap exploitation techniques! Want to learn heap in newer libc? No problem. Just select it in the panel on the left!
I just pwned the latest Ubuntu at Pwn2Own despite the unexpected release yesterday! This is my first in-person Pwn2Own event! And I'm so grateful to @thezdi for this amazing event!
Success! Kyle Zeng from ASU SEFCOM used a double free bug to exploit Ubuntu Desktop. He earns $30,000 and 3 Master of Pwn points. #Pwn2Own #P2OVancouver
I did it! I just pwned Ubuntu 22.04 at @typhooncon! I'm thrilled to have achieved this! // Excitement aside, I'd like to thank @amatcama for encouraging me to attend #TyphoonPWN, all my professors for the support, and @SecuriTeam_SSD for hosting the amazing event!
I just pwned Google's Container-Optimized OS again together with @Markak_. This time, we used a 0day + cross cache attack. And this makes our second success this month and also my late Christmas present :D
My paper: "Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability" just got listed in USENIX Sec 22 recently. The systematic study was the key to my recent success in kctf. Check it out!
The V8 Sandbox is now in scope for Chrome VRP for bypass submissions, meeting specific criteria, with rewards up to $5,000!
Please see the Chrome VRP rules for full submission criteria and eligibility details.
I'm so excited seeing the hard copy of the Kernel Exploit Recipes booklet from Google! I feel so proud that my work is part of it! It will stay in my collection forever. Thank you for making it happen!
@sirdarckcat
I'm going to present our paper "RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections" at @acm_ccs this afternoon. Get excited, fellow hackers!
It's such an honor to be a recipient of the Google PhD Fellowship.
Thank you, @GoogleAI, for this opportunity.
And I'd like to thank my advisor, @___tiffanyb___, for her great support in this application and in my PhD study!
In 2009, Google created the PhD Fellowship Program to recognize and support outstanding graduate students pursuing exceptional research in computer science and related fields. Today, we congratulate the recipients of the 2023 Google PhD Fellowship!
Just learnt that my bug CVE-2022-1786 got fixed recently on Android. This is the bug that earned me the first full bounty in kctf's history (before the bounty raise in Aug). A blog on this bug is on the way :)
I'm excited that P0 is referencing my cpu_entry_area exploit technique. The blog mentioned that users can put controlled data using hardware breakpoint. Well, it is actually easier than that :). Will write up how to completely break SMAP using cpu_entry_area in a bit.
Excited to announce my first ever P0 blogpost is now public! It details a new exploit strategy on Linux kernel that Jann and I worked together to invent. Thanks to everyone on the P0 team for giving me the opportunity to achieve this dream!
Some time ago, I solved a Linux kernel challenge on VULNCON 2021 and promised to provide a writeup. But my procrastination (in fact kctf) stopped me from doing so. But anyway, here is how I first-blooded the IPS linux kernel challenge from VULNCON 2021
🔥 1/ As promised here is the long blog write-up of a 6 year old Linux kernel UAF vulnerability (CVE-2022-32250) which we exploited multiple times to gain reliable priv esc on Ubuntu 22.04. @nccgroupinfosec EDG @saidelike @fidgetingbits @alexjplaskett 🧵
Great. Now memory leaks, warnings, bugs in components not exposed to non-root users (CVE-2021-46957), even performance issue patches ( CVE-2024-26602) are "security bugs"
I recently collaborated with @Markak_ and pwned Google's Container-Optimized OS. We developed two completely different exploits independently. My exploit has some previously unknown techniques but is less reliable compared with @Markak_'s. I'll release my exploit later as well. :D
Got the root shell and escaped from the container on Google's Container-Optimized OS. Used a 1-day, but indeed a 0-day in many vendors' kernels. I will release the code if possible; it might be the first public exploit applying the cross-cache technique in the Linux kernel. #kctf
deadline fighter be like: arrive at Vancouver one night before on-stage demonstration for #Pwn2Own and yet to fine-tune the exploit reliability for physical machines :D
Congrats to the 7 companies that will receive $1 million each to develop AI-enabled cyber reasoning systems that automatically find and fix software vulnerabilities as part of the #AIxCC Small Business Track! Full announcement:
I'm so proud to have attended the event with the best hackers in the world! (And appeared for 0.5s in the cool video! :) ) It was really fun! Thanks Google! And @sirdarckcat!
bugSWAT live hacking 📣: We are planning two events this year, one in the US and one in Europe. Invites based on recent submissions and past bugSWAT performance. More details soon - keep those bug reports coming!
Here's a peek into our last bugSWAT:
I learnt so much during corCTF when trying to solve the two fun and hard Linux kernel challenges. Thanks to @cor_ctf. I'll definitely play the CTF next year.
Check out corCTF kernel writeups!
FizzBuzz101's challenge shows a novel leakless + data-only technique to pwn Linux with a 6-byte overflow:
D3v17's CoRJail shows a novel technique used on kctf to achieve arb free with poll_list :
Sadly, one of our bugs was known, but still, the exploit chain is cool. Still a good start for a Pwn2Owner first timer like us. We will be back next year. (And I will write a blog on how I heap-ed it :) )
@InsanityBit @sirdarckcat I do plan to write a blog about this exploitation after the bug is patched and Google finishes processing the report. This is a very interesting story.
📢Thrilled to announce the AMAZING PC members of WOOT 2023! 🤯
They are ready, and waiting to see your submissions!
Submission deadline: Friday, January 27 - Very soon!😱
Check our website:
More updates are coming soon! Stay tuned!
I didn't expect @asisctf to be hard this year. I planned to play *casually* and ended up solving a kernel and a Chrome challenge. I spent one more day on the second Chrome challenge after the CTF ended and finally solved it with the author @harsh_khuha's help.
@0xCrashX @sirdarckcat I wrote a fuzzer a few months ago. For some reason, I only set it up about 2 weeks ago. It found the bug in 1 week. It took me about 2 days to have an exploit ready locally and 5 more days to actually pwn the remote server because of many obstacles.
We'll be live streaming the SEFCOM T0 attempt to compromise the Wyze Cam v3 surveillance camera here and on YouTube at 16:30 EDT (GMT-4). Their methodology will surprise (and maybe frighten) you.
@pagabuc @seanhn @lazytyped @h0mbre_ I'd recommend all the Linux kernel challenges (there are four) from corCTF in 2021 and 2022. The one I learnt the most from is Wall of Perdition.
Even with a small step size (no time to run it overnight), angr found 3 different chains quickly. (my solve used the chain starting from _IO_new_file_finish) The updated script can be found here (2/2):
And CVE-2021-46940 is even for tools. I'm sorry, it is not even in the kernel. And "it must be run as root". And the direct impact is "prevents the timer from update the stat". I'm not sure why this is a security bug.
@ScepticCtf made an amazing challenge, byor, for CTF that challenges angr to find a chain in file structures without relying on wide_data. And ofc, with some minor changes to my original angry-FSROP script, angr is able to solve it! (1/2)
🔥 1/ In the last 6 months working on Linux kernel bug hunting/exploitation there has been a number of key resources which have been super useful (coming from a macOS/Windows background) to understand the state of things in 2022 🚀.
Here's a short🧵 to recognise this + thoughts:
@0xCrashX @sirdarckcat Looking for 0days is not what we usually do in CTFs. But I did benefit a lot from them. Many techniques that I used in the exploit were learnt when playing CTFs.
@moyix @saleemrash1d Funny enough, a similar thing happened once. During linectf 2020 or 2021, they had a v8 challenge, where they introduced a bug right next to a 0day vuln. So, during the CTF, a bunch of people audited v8 source and found the 0day :)
For clarification, I didn't come up with the technique the P0 blog demonstrates. What I did was using it as a KASLR/SMAP bypass, which I assume inspired the technique in the P0 blog. (the blog mentions kCTF exploit, and my exploit is the only one using cpu_entry_area so far)
And also, the safe-linking patch also ensures the chunk returned by tcache is properly aligned. I didn't find a bypass to that. Gonna miss the days when ptmalloc can be manipulated to return any wacky addresses :(
@ScepticCtf It turns out I was wrong in the followup section (in my blog). angr can find more than just wide_data shenanigans. After changing my script to fit your challenge, angr found new techniques quickly. (This time, it is codecvt, which surprises me because I thought they are encrypted)
The latest Google Pixel 6 pwned with a 0day in kernel! Achieved arbitrary read/write to escalate privilege and disable SELinux without hijacking control flow. The bug also affects Pixel 6 Pro, other Pixels are not affected :)
@HDWSec This blog post is flagged as malware by Fortinet (on VirusTotal) and Malwarebytes. I'm not saying it is malicious. But I think you should fix it. And I advise other security researchers to click it with caution.
In short, tcache poisoning requires a heap leak now, which is not a big deal. This is because modern heap exploitation techniques aim to achieve chunk overlapping, which provides heap leak. And safe-linking fails to prevent it.
@gf_256 We got 97% of the image but could only see "good job here is your flag: flag{i_am_????_binary_ninja_???}"; the only missing piece was the hppa architecture (we got 66% of it).
@degrigis I want to do context-aware ROP chain in angrop too. The idea is to give angrop a state and probably also where the ROP will be. Then it can use constraints in the state to constrain the ROP chain.
@_saagarjha @acm_ccs Then we use a search algorithm to take a VM snapshot at the syscall that grants PC-control for analysis. You can think of it as taking snapshots at each syscall candidate (this won't work in fact, just for the ease of understanding).
@spendergrsec So, the root cause of the bug is in the goto_chain infinite loop handling logic. When it returns, tcf_result is not cleared. Later cbq_classify casts res.class into a cbq_class pointer, but in reality, it is a pointer to something else => type confusion.
@_saagarjha @acm_ccs That's a great question. We first run the poc to crash the vanilla kernel once so we know the syscall number that grants PC-control. Then we instrument the kernel to filter out irrelevant syscalls (not the same number and not from the poc) --
@c0m0r1 There are two bypasses to this check: house of botcake and double free in fastbin + fastbin_stash_to_tcache. And then enjoy arbitrary allocation in tcache :)