Attacking the Qualcomm Adreno GPU

Posted by Ben Hawkes, Project ZeroWhen writing an Android exploit, breaking out of the application sandbox is often a key step. There are a wide range of remote attacks that give you code execution with the privileges of an application (like the browser or a messaging application), but a sandbox escape is still required to gain full system access.This...

2w

JITSploitation I: A JIT Bug

By Samuel Groß, Project ZeroThis three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870...

3w

JITSploitation II: Getting Read/Write

Posted by Samuel Groß, Project ZeroThis three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870...

3w

JITSploitation III: Subverting Control Flow

Posted by Samuel Groß, Project ZeroThis three-part series highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870...

3w

MMS Exploit Part 5: Defeating Android ASLR, Getting RCE

Posted by Mateusz Jurczyk, Project ZeroThis post is the fifth and final of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. Previous posts are linked below:MMS Exploit Part 1: Introduction to the Samsung...

Aug 2020

Exploiting Android Messengers with WebRTC: Part 3

Posted by Natalie Silvanovich, Project ZeroThis is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. CVE-2020-6514 discussed in the blog post was fixed on July 14 with these CLs.This series highlights what can go wrong when applications don't apply WebRTC patches and when the communication and notification of...

Aug 2020

Exploiting Android Messengers with WebRTC: Part 2

Posted by Natalie Silvanovich, Project ZeroThis is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. This series highlights what can go wrong when applications don't apply WebRTC patches and when the communication and notification of security issues breaks down. Part 3 is scheduled for August 6.Part 2: A Better...

Aug 2020

MMS Exploit Part 4: MMS Primer, Completing the ASLR Oracle

Posted by Mateusz Jurczyk, Project ZeroThis post is the fourth of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. New posts will be published as they are completed and will be linked here when complete.MMS...

Aug 2020

Exploiting Android Messengers with WebRTC: Part 1

Posted by Natalie Silvanovich, Project ZeroThis is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. This series highlights what can go wrong when applications don't apply WebRTC patches and when the communication and notification of security issues breaks down. Part 2 is scheduled for August 5 and Part 3 is scheduled...

Aug 2020

The core of Apple is PPL: Breaking the XNU kernel's kernel

Posted by Brandon Azad, Project ZeroWhile doing research for the one-byte exploit technique, I considered several ways it might be possible to bypass Apple's Page Protection Layer (PPL) using just a physical address mapping primitive, that is, before obtaining kernel read/write or defeating PAC. Given that PPL is even more privileged than the rest of...

Jul 2020