exploit_playground: overly-commented exploits (and Ian Beer’s getvolattrlist bug)

Personally I think the best way to learn a public exploit is by understanding it line-by-line until I can understand the exploit to the fullest. I will post some of these (overly-commented 😉 ) exploits so hopefully others can learn from it, and as an attempt to give something back to the community. Also for documenting purposes, cause these things kind of fade away from my head as time passes.





iSecCon 2018: Intel Security Conference 2018

Re: https://firmwaresecurity.com/2018/06/15/intel-security-conference/

More details are available:

iSecCon 2018: Intel Security Conference 2018
Intel Ronler Acres 4 (RA4), 2501 NW Century Blvd
Hillsboro, OR, United States, December 4-5, 2018

* Rodrigo Branco (BSDaemon), Chief Security Researcher, Intel Corporation (STrategic Offensive Research & Mitigations – STORM, IPAS)
* Deepak K Gupta, Security Researcher, Intel Corporation (Windows OS Group)
* Marion Marschalek, Senior Security Researcher, Intel Corporation (STrategic Offensive Research & Mitigations – STORM, IPAS)
* Martin Dixon, Chief Security Architect, Intel Corporation (IPAS)
* Vincent Zimmer, Senior Principal Engineer, Intel Corporation (Software and Services Group)
* Matt Miller, Partner, Microsoft Corporation
* Cesar Cerrudo, CTO, IOActive
* Thomas Dullien (“Halvar Flake”), Staff Engineer, Google Project Zero
* Shay Gueron, Senior Principal Engineer, Amazon Web Services (AWS)



Cyberus Tech: Intel LazyFP vulnerability: Exploiting lazy FPU state switching

[…]Earlier this year, Julian Stecklina (Amazon) and Thomas Prescher (Cyberus Technology) jointly discovered and responsibly disclosed another vulnerability that might be part of these, and we call it LazyFP. LazyFP (CVE-2018-3665) is an attack targeting operating systems that use lazy FPU switching. This article describes what this attack means, outlines how it can be mitigated and how it actually works.

For further details, see the current draft of the lazyFP paper: <Link withheld by request from Intel>

Please check back regularly, we’re going to update this post in coordination with Intel.[…]



Kees Cook on Linux kernel 4.17 security features

If you’re not aware, Kees does a good job about blogging on new Linux kernel features. The topic list from current blog post:

Jailhouse hypervisor
Sparc ADI
new kernel stacks cleared on fork
pin stack limit during exec
Variable Length Array removals start




Oski Technology: nice infographic of firmare vulns (“SuperBug”)


I don’t know anything about this company and their product, but I like the cover infographic for some of the hardware/firmware topics it covers:



Un-Sexy Headline: USB Restricted Mode Will Improve iPhone User Security

By Riana Pfefferkorn on June 14, 2018 at 4:01 pm

In the upcoming version of the Apple iPhone iOS operating system, iOS 12, the phone’s Lightning cable port (used for charging and data transmission) will be disabled an hour after the phone is locked. The device will still charge, but transferring data to or from the device via the Lightning cable will require entering the device’s password first. Connecting to the data port via Lightning cable is what third-party forensic devices called Cellebrite and GrayKey rely upon to extract data from locked, encrypted iPhones. These tools (made, respectively, by the eponymous Cellebrite and a company called Grayshift) are employed by U.S. law enforcement agencies at federal, state, and local levels. Unsurprisingly, just about everybody covering the story is framing Apple’s move as one that will thwart law enforcement.[…]