Man Yue Mo Profile
Man Yue Mo

@mmolgtm

Followers: 5K · Following: 2 · Media: 1 · Statuses: 59

Security researcher at GitHub Security Lab. Tweets/views/opinions are my own.

Joined September 2017
@mmolgtm
Man Yue Mo
11 months
In this post I'll use CVE-2024-5830, a bug in object transitions in Chrome to gain RCE in the Chrome renderer sandbox:
2
79
266
@mmolgtm
Man Yue Mo
1 year
RT @oegerikus: I founded a new company: @xbow. XBOW brings AI to offensive security, augmenting the productivity of pentesters, bug hunters….
0
16
0
@mmolgtm
Man Yue Mo
1 year
In this post I'll use CVE-2024-3833, a type confusion in v8 to gain remote code execution in the Chrome renderer sandbox:
1
85
267
@mmolgtm
Man Yue Mo
1 year
In this post I'll use CVE-2023-6241, a vulnerability in the Arm Mali GPU that I reported last November to gain arbitrary kernel code execution from an untrusted app on a Pixel 8 with MTE enabled.
8
147
415
@mmolgtm
Man Yue Mo
2 years
In this post I'll use CVE-2023-4069, a type confusion bug in the Maglev JIT compiler of Chrome that I reported in July, to gain RCE in the Chrome renderer sandbox:
5
102
313
@mmolgtm
Man Yue Mo
2 years
In this post I'll use CVE-2023-3420, an incorrect side effect modelling bug in the JIT compiler that I reported to Chrome, to gain a sandboxed remote code execution in the renderer:
4
109
296
@mmolgtm
Man Yue Mo
2 years
This time I'll look at CVE-2022-46395, an Arm Mali GPU driver UAF I found by analysing Jann Horn's CVE-2022-36449. I'll also use a technique of Jann Horn's to win a very tight race to gain arbitrary kernel code execution and root from an untrusted Android app.
8
87
244
@mmolgtm
Man Yue Mo
2 years
In this post I'll look at a patching issue that leaves Pixel 6 vulnerable to an already fixed bug for more than 5 months. This allows arbitrary kernel code execution and root from an untrusted app and shows some potential problems with backporting:
0
45
137
@mmolgtm
Man Yue Mo
2 years
CVE-2022-25664 is one of the most interesting bugs I've reported. It's "only" an info leak, but a very powerful one that allows an untrusted Android app to read pages of memory from the kernel or other apps any number of times.
0
108
348
@mmolgtm
Man Yue Mo
2 years
It may seem fair that Android "can't fix" this bug as it's in 3rd party code, but even after Arm released a public patch, it took 3 months for Android to apply the patch. Sadly, this is not a one-off, as the list goes on: IMO this is worse than having 0day.
1
15
37
@mmolgtm
Man Yue Mo
2 years
In this post I'll use CVE-2022-38181, a use-after-free I reported last year in the Arm Mali GPU driver, to gain arbitrary kernel code execution and root from an untrusted Android app. Not sure if the bug or the disclosure is more interesting:
3
134
374
@mmolgtm
Man Yue Mo
3 years
file: "mali_app/app/src/main/cpp/hello-jni.c": 4b66a16931b96fdf14a32aa9963c25326a2a8b217e7a842d886d5885ef01956d. The email I sent: 234646839712e54fb7179ab74ddeb6bb8857d9bd853b29be2596fdb21d22a4c7 (plain text starts from "Hi" and ends with "Mo"). Thanks!
0
0
3
@mmolgtm
Man Yue Mo
3 years
Bug trigger: 1. file with "main", shorter file name: b50887cdcd53c2d63ea8253bae534aa079f99aac93fa5ff900c34f9475cb4086. 2. file with "main", longer file name: c20576e4895e6d4ddd1b40eb05375d274b2788867d0aa921699b9dddd945732a.
1
1
3
@mmolgtm
Man Yue Mo
3 years
If someone from @Arm security is reading this, please reply to my email on 5 Aug about a bug report that Android security team shared with you privately, thanks. SHA256 of various files for verification (next tweets).
3
12
23
@mmolgtm
Man Yue Mo
3 years
This might be the best bug I've found. Never thought I'd be writing a kernel exploit as reliable, clean and fast as a browser exploit. For a while I actually used this to root my research phone when I couldn't be bothered to patch the ROM:
7
125
426
@mmolgtm
Man Yue Mo
3 years
RT @GHSecurityLab: In this post @mmolgtm goes through the details of CVE-2022-1134, a type confusion in Chrome, and shows how to gain remot….
0
87
0
@mmolgtm
Man Yue Mo
3 years
This is probably the most complex exploit I've done so far. A UAF in the Android kernel freed by kfree_rcu (introduces a delay) in a tight race + kCFI + Samsung RKP. Yet it's still possible to gain arbitrary kernel RW, disable SE and root from an untrusted app.
4
163
506
@mmolgtm
Man Yue Mo
4 years
In this post I'll go through 3 bugs in the Qualcomm NPU driver that I reported, which allowed me to execute arbitrary kernel code from the untrusted app domain in Android, disable SELinux and bypass task cred protection to gain root on a Samsung phone:
4
96
305
@mmolgtm
Man Yue Mo
4 years
RT @GHSecurityLab: Go dumpster diving for arbitrary code execution in v8's garbage collector with @mmolgtm in his Chrome vulnerability RCA….
0
95
0
@mmolgtm
Man Yue Mo
4 years
RT @GHSecurityLab: Learn how @mmolgtm dug his way out of the Chrome sandbox using a credit card as a shovel! "The fugitive in Java: Escapin….
0
35
0