An iOS zero-click radio proximity exploit odyssey

Posted by Ian Beer, Project ZeroNOTE: This specific issue was fixed before the launch of Privacy-Preserving Contact Tracing in iOS 13.5 in May 2020.In this demo I remotely trigger an unauthenticated kernel memory corruption vulnerability which causes all iOS devices in radio-proximity to reboot, with no user interaction. Over the next 30'000 words I'll...

2d

Oops, I missed it again!

Written by Brandon Azad, when working at Project ZeroThis is a quick anecdotal post describing one of the more frustrating aspects of vulnerability research: realizing that you missed a bug that was staring you in the face only once you see the patched version!Some suspicious codeAfter writing the oob_timestamp exploit, I spent some time trying to find...

3w

Enter the Vault: Authentication Issues in HashiCorp Vault

 Posted by Felix Wilhelm, Project ZeroIntroductionIn this blog post I'll discuss two vulnerabilities in HashiCorp Vault and its integration with Amazon Web Services (AWS) and Google Cloud Platform (GCP). These issues can lead to an authentication bypass in configurations that use the aws and gcp auth methods, and demonstrate the type of issues you can...

Oct 2020

Announcing the Fuzzilli Research Grant Program

Posted by Samuel Groß, Project ZeroProject Zero’s mission is to make 0-day hard in order to improve end-user security. We attack this problem in different ways, including supporting other security researchers. While Google currently offers research grants, they are limited to academics and those affiliated with universities. Today we are announcing...

Oct 2020

Attacking the Qualcomm Adreno GPU

Posted by Ben Hawkes, Project ZeroWhen writing an Android exploit, breaking out of the application sandbox is often a key step. There are a wide range of remote attacks that give you code execution with the privileges of an application (like the browser or a messaging application), but a sandbox escape is still required to gain full system access.This...

Sep 2020

JITSploitation I: A JIT Bug

By Samuel Groß, Project ZeroThis three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870...

Sep 2020

JITSploitation II: Getting Read/Write

Posted by Samuel Groß, Project ZeroThis three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870...

Sep 2020

JITSploitation III: Subverting Control Flow

Posted by Samuel Groß, Project ZeroThis three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870...

Sep 2020

MMS Exploit Part 5: Defeating Android ASLR, Getting RCE

Posted by Mateusz Jurczyk, Project ZeroThis post is the fifth and final of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. Previous posts are linked below:MMS Exploit Part 1: Introduction to the Samsung...

Aug 2020

Exploiting Android Messengers with WebRTC: Part 3

Posted by Natalie Silvanovich, Project ZeroThis is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. CVE-2020-6514 discussed in the blog post was fixed on July 14 with these CLs.This series highlights what can go wrong when applications don't apply WebRTC patches and when the communication and notification of...

Aug 2020