Formal Methods.pdf
315.2 KB
🔓Exploring Formal Methods for Cryptographic Hash Function Implementations.
💥SHA-3 Buffer Overflow
(Part 2, part 1 here).
In this writeup Nicky Mouha gives a brief intro to three indispensable tools, KLEE Web, CodeQL for GitHub, and deps.dev, that help to find the vulnerability
(CVE-2022-37454: the Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant BoF that allows attackers to execute arbitrary code or eliminate expected cryptographic properties).
💥 KLEE is a symbolic virtual machine built on top of the LLVM compiler infrastructure.
Currently, there are two primary components:
1️⃣The core symbolic virtual machine engine; this is responsible for executing LLVM bitcode modules with support for symbolic values.
2️⃣A POSIX/Linux emulation layer oriented towards supporting uClibc, with additional support for making parts of the operating system environment symbolic.
#vulnerability #cryptography #exploitation #HashFunctions #SHA3 #BLAKE #XKCP #Grøstl #Apple_CoreCrypto
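The post above describes KLEE and the bug class behind CVE-2022-37454 (a length sum that wraps and then drives a buffer copy). As an added example, and not code from Mouha's writeup or from the XKCP sources, here is a small C harness around a constructed "absorb" routine: the unsafe 32-bit length sum beside a checked version that refuses a wrapping sum and clips the copy, plus a `main` that becomes a KLEE harness when built with the example's own `USE_KLEE` macro. The rate size, the struct and all function names are assumptions chosen for illustration; `__builtin_add_overflow` is a GCC/Clang builtin and `klee_make_symbolic`/`klee_assume` are KLEE's own API.

```c
/*
 * Added example (not from Mouha's writeup or XKCP): a minimal KLEE harness
 * around a constructed absorb routine. Shows a length sum that silently
 * wraps, and a checked version that refuses it and bounds the copy.
 * All names and sizes are assumptions for illustration.
 *
 * Native build:  cc -Wall -o harness harness.c && ./harness
 * KLEE build:    clang -emit-llvm -c -g -DUSE_KLEE harness.c -o harness.bc
 *                klee harness.bc        (USE_KLEE is this example's own macro)
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef USE_KLEE
#include <klee/klee.h>
#endif

#define RATE_BYTES 136u   /* constructed: SHA3-256-style rate in bytes, illustration only */

typedef struct {
    uint8_t buf[RATE_BYTES];
    size_t  queued;       /* bytes already buffered; invariant: queued <= RATE_BYTES */
} absorb_state;

/* The unsafe pattern: a 32-bit running length that silently wraps. */
uint32_t unsafe_total(uint32_t queued, uint32_t incoming)
{
    return queued + incoming;          /* e.g. 100 + UINT32_MAX wraps to 99 */
}

/*
 * Hardened version: reject a sum that would wrap, and clip the copy to the
 * room left in the buffer. Returns bytes copied, or -1 if the arithmetic
 * would overflow. The caller loops to feed the remaining bytes.
 */
int absorb_checked(absorb_state *st, const uint8_t *data, size_t len)
{
    size_t total;
    if (__builtin_add_overflow(st->queued, len, &total))
        return -1;                     /* the length sum does not fit in size_t */
    size_t room = RATE_BYTES - st->queued;
    size_t n = len < room ? len : room;
    memcpy(st->buf + st->queued, data, n);
    st->queued += n;
    return (int)n;
}

/*
 * Exercises absorb_checked on constructed inputs and reports whether the
 * buffer invariant held each time: returns 1 on success, 0 on any violation.
 */
int checked_absorb_holds(void)
{
    absorb_state st;
    uint8_t data[RATE_BYTES];
    memset(&st, 0, sizeof st);
    memset(data, 0xAB, sizeof data);   /* constructed input bytes */

    if (absorb_checked(&st, data, 100) != 100 || st.queued != 100) return 0;
    if (absorb_checked(&st, data, 100) != (int)(RATE_BYTES - 100)) return 0; /* clipped */
    if (st.queued != RATE_BYTES) return 0;
    st.queued = 100;
    if (absorb_checked(&st, data, SIZE_MAX) != -1) return 0;                 /* refused */
    return st.queued == 100;
}

/* Harness entry point: symbolic under KLEE, one fixed worst case natively. */
int main(void)
{
    absorb_state st;
    uint8_t data[RATE_BYTES];
    size_t len;
    memset(&st, 0, sizeof st);
    memset(data, 0, sizeof data);
#ifdef USE_KLEE
    klee_make_symbolic(&len, sizeof len, "len");
    klee_make_symbolic(&st.queued, sizeof st.queued, "queued");
    klee_assume(st.queued <= RATE_BYTES);  /* explore only states satisfying the invariant */
#else
    len = SIZE_MAX;
    st.queued = 100;
#endif
    absorb_checked(&st, data, len);
    /* The property KLEE checks on every path: the buffer index never escapes. */
    assert(st.queued <= RATE_BYTES);
    return 0;
}
```

Under KLEE the assert is checked on every path through `absorb_checked` for every symbolic `len` and `queued`; swapping the checked routine for one that uses `unsafe_total`-style arithmetic is the quickest way to see KLEE produce a failing test case, which is the workflow the writeup applies to the real XKCP code.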
🧅Security Onion cheat sheet is updated for version 2.4 Beta 3.
#security #SecurityOnion #CheatSheet #ThreatHunting #network #monitoring
Private Shizo
🔥CVE-2023-3079 (bug id: 1450481) - Type Confusion in V8 (0-day, may have been actively exploited/ITW). Reviewed here: 4584248 "[ic] Fix store handler selection for arguments objects"
💥 In fact, the store handler selection for "arguments objects" was fixed during "inline caching" (the sources of which are located in the V8 directory /src/ic).
🔖For a better understanding of "inline caching" in V8 and subsequent exploitation, I advise you to read the following materials:
🌐Javascript Hidden Classes and Inline Caching in V8
🌐JavaScript engine fundamentals: Shapes and Inline Caches
🌐V8 optimizations behind the scenes
🌐Inside JavaScript Engines, Part 2: code generation and basic optimizations
🌐CVE-2021-38001: A Brief Introduction to V8 Inline Cache and Exploitating Type Confusion
🌐analysis of CVE-2021-38001 by @vngkv123
🌐The Chromium super (inline cache) type confusion
#security #exploitation #JSE #V8 #TypeConfusion #inlineCaching
|Sysdiagnose analysis framework|
🕵️♂️A fairly easy-to-use toolkit for analyzing iOS diagnostic logs (sysdiagnose) to check the integrity.
You can read about sysdiagnose in iOS 16 here.
Before launching the parser, you need to add a new case for sysdiagnose:
$ python initialyze.py file file_name
Parsers are launched quite simply:
$ python parsing.py parse sysdiagnose-ps 1
$ python sysdiagnose-uuid2path 1
$ python sysdiagnose-mobileactivation 1
$ python sysdiagnose-accessibility-tcc 1
The result will be saved here: ./parsed_data/1/sysdiagnose-xxxxx.json and so on.
P.S. In order to find out the list of parsers, enter the command:
$ python parsing.py list parsers
⚠️If you want to visualize the timelines extracted through sysdiagnose, and computing resources allow it, this can be organized in Timesketch.
⚠️Important feature: this toolkit can be used as an auxiliary tool when analyzing an iOS device that has potentially been infected with spyware.
#forensics #DFIR #iOS #sysdiagnose #timeline #spywareAnalysis #JB_not_need
Forwarded from Private Shizo
📲(Pwn2Own) Samsung Galaxy S22 McsWebViewActivity Permissive List of Allowed Inputs RCE Vuln (CVE-2023-21515)
The specific flaw exists within the McsWebViewActivity class. The issue results from a permissive list of allowed inputs. An attacker can leverage this vulnerability to execute code in the context of the current user.
📲(Pwn2Own) Samsung Galaxy S22 InstantPlaysDeepLink Permissive List of Allowed Inputs RCE Vuln (CVE-2023-21514)
The specific flaw exists within the InstantPlaysDeepLink class. The issue results from a permissive list of allowed inputs. An attacker can leverage this vulnerability to execute code in the context of the current user.
📲(Pwn2Own) Samsung Galaxy S22 McsWebViewActivity Permissive List of Allowed Inputs RCE Vuln (CVE-2023-21516)
The specific flaw exists within the McsWebViewActivity class. The issue results from a permissive list of allowed inputs. An attacker can leverage this vulnerability to execute code in the context of the current user.
📲(Pwn2Own) Samsung Galaxy S22 McsWebViewActivity Permissive List of Allowed Inputs RCE vuln (ZDI-23-843).
The specific flaw exists within the McsWebViewActivity class. The issue results from a permissive list of allowed inputs. An attacker can leverage this vulnerability to execute code in the context of the current user.
Zerodayinitiative, ZDI-23-772: (Pwn2Own) Samsung Galaxy S22 McsWebViewActivity Permissive List of Allowed Inputs Remote Code Execution Vulnerability
📡Unchained Skies: A Deep Dive into Reverse Engineering and Exploitation of Drones
Quite an interesting report on the reverse engineering and fuzzing (hardware-in-the-loop fuzzing) of drones, focused on DJI, by Nico Schiller (@74ck_0) and Moritz Schloegel (@m_u00d8) at REcon 2023. The report mentions fresh vulnerabilities that can be used for: bypassing the vendor signatures of DJI (firmware updates) to upload user code, obtaining root rights, and disabling a drone in flight via the operator's smartphone.
Actually, the speakers have already touched on this topic in the work "Drone Security and the Mysterious Case of DJI's DroneID" (GitHub repo) about the attack surface of DJI drones, with an analysis of the repeatedly discussed (NOT) secure design of the DJI DroneID protocol (disabling, intercepting and faking it).
#DJI #drone #DroneID #UAV #security #RE #SAST #DAST #fw #fuzzing #vulnerabilities #DoS #arbitrary_code_execution #exploitation #bypass
recon23_code_detection.pdf
921.9 KB