Blog

We are excited to embark on a series of teardowns to explore the inner workings of various devices. In this particular teardown, our focus will be on the 1st-Generation of IKEA-SONOS SYMFONISK Speaker Lamp, unraveling its captivating inner workings. Please note that due to prior testing, certain screws, wires, and components have been temporarily removed from the appliance and may not be present during this analysis. However, for the purpose of this exercise, we have meticulously reassembled the SYMFONISK to its approximate original state....

Recently, I was trying out various exploitation techniques against a Linux kernel vulnerability, CVE-2022-3910. After successfully writing an exploit which made use of DirtyCred to gain local privilege escalation, my mentor Billy asked me if it was possible to tweak my code to facilitate a container escape by overwriting /proc/sys/kernel/modprobe instead. The answer was more complicated than expected; this led me down a long and dark rabbit hole… In this post, I will discuss the root cause of the vulnerability, as well as the various methods I used to exploit it....

TLDR prctl PR_SET_VMA (PR_SET_VMA_ANON_NAME) can be used as a (possibly new!) heap spray method targeting the kmalloc-8 to kmalloc-96 caches. The sprayed object, anon_vma_name, is dynamically sized, and can range from larger than 4 bytes to a maximum of 84 bytes. The object can be easily allocated and freed via the prctl syscall, and leaked information can be obtained via reading the proc/pid/maps file. The advantage of this method is that it does not require a cross-cache attack from cg/other caches (unlike other objects such as msg_msg) as anon_vma_name is allocated with the GFP_KERNEL flag....

Background The discovery and analysis of vulnerabilities is a critical aspect of cybersecurity research. Today, we will dive into CVE-2023-1829, a vulnerability in the cls_tcindex network traffic classifier found by Valis. We will explore the process of exploiting and examining this vulnerability, shedding light on the intricate details and potential consequences. We have thoroughly tested our exploit on Ubuntu 22.04 with kernel version 5.15.0-25, which was built from the official 5....

TLDR; We began our work on Samsung immediately after the release of the Pwn2Own Toronto 2022 target list. In this article, we will dive into the details of an open-redirect vulnerability discovered during the Pwn2Own 2022 event and how we exploited it on a Samsung S22 device. By breaking down the technical aspects and using code snippets, we aim to provide a comprehensive overview of this critical security flaw. To begin, I revisited our team’s paper (written by Li Jiantao and Nguyễn Hoàng Thạch) from previous year, where two bugs were identified....

Introduction While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI. To aid in understanding, we present a visual representation of CVE-2022-41082 below. The sink of ProxyNotShell: //System.Management.Automation.InternalDeserializer.ReadOneObject() internal object ReadOneObject(out string streamName) { //... Type targetTypeForDeserialization = psobject.GetTargetTypeForDeserialization(this._typeTable); //[1] if (null != targetTypeForDeserialization) { Exception ex = null; try { object obj2 = LanguagePrimitives....

Summary A command injection vulnerability exists in CS-Cart’s HTML to PDF converter (https://github.com/cscart/pdf) allowing unauthenticated attackers to achieve remote command execution (RCE). The vulnerability only affects the HTML to PDF converter service and the default hosted service at converter.cart-services.com (maintained by CS-Cart’s development team) used by the PDF converter plugin, and does not allow for RCE against base installations of CS-Cart. Product Background In CS-Cart v4.13.2, the HTML to PDF converter is an optional plugin (disabled by default) for printing PDF documents in CS-Cart....