How to unc0ver a 0-day in 4 hours or less

By Brandon Azad, Project ZeroAt 3 PM PDT on May 23, 2020, the unc0ver jailbreak was released for iOS 13.5 (the latest signed version at the time of release) using a zero-day vulnerability and heavy obfuscation. By 7 PM, I had identified the vulnerability and informed Apple. By 1 AM, I had sent Apple a POC and my analysis. This post takes you along that...

5d

FF Sandbox Escape (CVE-2020-12388)

By James Forshaw, Project ZeroIn my previous blog post I discussed an issue with the Windows Kernel’s handling of Restricted Tokens which allowed me to escape the Chrome GPU sandbox. Originally I’d planned to use Firefox for the proof-of-concept as Firefox uses the same effective sandbox level as the Chrome GPU process for its content renderers. That...

4w

A survey of recent iOS kernel exploits

Posted by Brandon Azad, Project ZeroI recently found myself wishing for a single online reference providing a brief summary of the high-level exploit flow of every public iOS kernel exploit in recent years; since no such document existed, I decided to create it here.This post summarizes original iOS kernel exploits from local app context targeting iOS...

Jun 2020

Fuzzing ImageIO

Posted by Samuel Groß, Project ZeroThis blog post discusses an old type of issue, vulnerabilities in image format parsers, in a new(er) context: on interactionless code paths in popular messenger apps. This research was focused on the Apple ecosystem and the image parsing API provided by it: the ImageIO framework. Multiple vulnerabilities in image parsing...

Apr 2020

You Won't Believe what this One Line Change Did to the Chrome Sandbox

Posted by James Forshaw, Project ZeroThe Chromium sandbox on Windows has stood the test of time. It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the sandbox’s implementation is reliant on the security of the...

Apr 2020

TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln

Posted by Maddie Stone, Project ZeroINTRODUCTIONI’m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero’s ideas and goals around in-the-wild 0-days in a November blog post. On December’s Patch Tuesday, I was immediately intrigued by CVE-2019-1458,...

Apr 2020

Escaping the Chrome Sandbox with RIDL

Guest blog post by Stephen Röttgertl;dr: Vulnerabilities that leak cross process memory can be exploited to escape the Chrome sandbox. An attacker is still required to compromise the renderer prior to mounting this attack. To protect against attacks on affected CPUs make sure your microcode is up to date and disable hyper-threading (HT).In my last guest...

Feb 2020

Mitigations are attack surface, too

Posted by Jann Horn, Project ZeroIntroductionThis blog post discusses a bug leading to memory corruption in Samsung's Android kernel (specifically the kernel of the Galaxy A50, A505FN - I haven't looked at Samsung's kernels for other devices). I will describe the bug and how I wrote a (very unreliable) exploit for it. I will also describe how a second...

Feb 2020

A day^W^W Several months in the life of Project Zero - Part 2: The Chrome exploit of suffering

Posted by Sergei Glazunov and Mark Brand, Project ZeroIntroductionAfter we’d understood how the bug worked, and had passed on those details to Chrome to help them get started on a fix, we went back to our other projects. This bug remained a topic of discussion, and eventually we ran out of excuses for not trying to write an exploit for it. One of the...

Feb 2020

A day^W^W Several months in the life of Project Zero - Part 1: The Chrome bug of suffering

Posted by Sergei Glazunov and Mark Brand, Project ZeroIntroductionIt was a normal week in the Project Zero office when we got an interesting email from the Chrome team — they’d been looking into a serious crash that was happening occasionally on Android builds of Chrome, but hadn’t made much progress. The same crash had then briefly reproduced on ClusterFuzz;...

Feb 2020