October 23rd, 2010
A vulnerability in the pktcdvd driver in the Linux kernel allows for the disclosure of 4 bytes of kernel memory. In this post, I’ll describe the tad bit of magic that’s necessary to exploit the vulnerability on both 32-bit and 64-bit hosts to disclose an arbitrary amount of kernel memory.
September 10th, 2010
Ben Hawkes discovered a vulnerability in the Controller Area Network (CAN) packet family in the Linux kernel that results in a controllable overflow of a SLUB-allocated structure. As there aren’t a whole lot of modern, public examples of SLUB overflow exploits, I’ll describe my exploit of the CAN vulnerability in detail.
August 10th, 2010
I got my hands on a copy of the recent Android SMS trojan that commits toll fraud by sending SMS messages to premium-rate Russian shortcodes. What follows is a brief teardown of the APK, a disassembly of the trojan’s Dalvik (dex) bytecode, and a description of its malicious functionality. It’s incredibly simple in nature, so there’s not much detail to go into.
June 28th, 2010
This post aims to peek inside the Android GTalkService connection and observe its protocol. In particular, we’re interested in the INSTALL_ASSET message and whether or not it is protected by any additional cryptographic signatures beyond the guarantees provided by the SSL transport.
June 25th, 2010
In this post, I’ll talk about the REMOVE_ASSET and INSTALL_ASSET mechanisms that Google can invoke via Android’s GTalkService not only to remotely remove applications from an Android device but also to remotely install new ones.
June 21st, 2010
SummerCon was absurdly fun. Thanks to redpantz for putting on a great event and to all the NY guys for making it a blast. My talk was on a few random Android topics; slides are available below. I threw everything together about 12 hours before my talk, so it’s a little rough around the edges, and a few slides have been redacted for now.
April 25th, 2010
Just got back from SOURCE Boston. SOURCE was a great event: a great line-up of speakers, fun social events (thanks to Rapid7 and iSEC for sponsoring), and smooth execution (props to Stacy and Zach). My talk was on the topic of Linux kernel security; slides are available here.
April 10th, 2010
A vulnerability in the ReiserFS filesystem of the Linux kernel (versions <= 2.6.34-rc3) allows unprivileged users to read and write objects under the .reiserfs_priv path. By leveraging extended attributes and POSIX file capabilities, this vulnerability allows for privilege escalation on systems with a ReiserFS filesystem.
March 15th, 2010
Wow, it’s been forever since I’ve written any entries…startup life is busy, but fun! Nothing interesting in this one, but I thought I’d post for Google’s benefit that I’ve mirrored copies of the Month of Kernel Bugs (MoKB) and the Month of Apple Bugs (MoAB).
October 4th, 2009
A recent vulnerability in the Linux kernel (versions <= 2.6.32-rc1) allows the leakage of certain register contents: the x86-64 registers r8-r11 may be leaked to unprivileged 32-bit userspace applications that switch themselves into 64-bit mode.