Exploiting Intel Graphics Kernel Extensions on macOS
A Pwn2Own 2021 Apple Safari Sandbox Escape
To escape the Safari sandbox for our Pwn2Own 2021 submission, we exploited a vulnerability in the Intel graphics acceleration kernel extensions (drivers) on macOS. This post will detail the bug and how we went about exploiting it to achieve reliable kernel code execution.
We delayed publishing this writeup as we discovered and reported a multitude of similar issues to Apple over the past year, the last of which was patched recently. With other researchers catching on, Intel graphics-related CVEs have become increasingly common among Apple’s security update listings. Quite recently, there was even an exploit discovered in the wild targeting the same Intel graphics kernel extensions discussed in this post.
Exploiting an Unbounded memcpy in Parallels Desktop
A Pwn2Own 2021 Guest-to-Host Virtualization Escape
This post details the development of a guest-to-host virtualization escape for Parallels Desktop on macOS, as used in our successful Pwn2Own 2021 entry. Given privileged code execution in the guest (i.e. via kernel module), the exploit obtains code execution in the Parallels application process running on the host system.
After providing a brief look at the approach I took towards evaluating Parallels and exploring some of its relevant attack surface, the remainder of the post will demonstrate how we were able to reliably exploit an unbounded memcpy(...) corruption-style vulnerability to achieve arbitrary code execution.
What's New in Tenet v0.2
Quality-of-life improvements, cell-based trace visualization, and more...
Tenet is an IDA Pro plugin which enables reverse engineers to explore execution traces of native code. It is a testbed for evaluating how omniscient traces might facilitate new and innovative debugging experiences, improving the speed of software comprehension in reverse engineers and developers alike.
In this post, we’ll be covering some of the updates that made their way into the v0.2 release of Tenet. As the first ‘major’ update to Tenet, the goal was to fix several quality-of-life issues and improve its general usability. Like any new project, there will be some growing pains as the project begins to find its feet.
For more background information about Tenet, please see the post about its initial release.
Snapcraft Packages Come With Extra Baggage
Exploiting Ubuntu's Snapcraft Apps with CVE-2020-27348
All Your Base Are [Still] Belong To Us
Fuzzing Modern UDP Game Protocols With Snapshot-based Fuzzers
The Oddest Place You Will Ever Find PAC
Exploiting the notoriously unsafe gets() on a PAC-protected ARM64 binary
32 bits, 32 gigs, 1 click...
Exploitation of a JavaScriptCore WebAssembly Vulnerability
Tenet: A Trace Explorer for Reverse Engineers
Conventional Debuggers Are Crumbling to Software Complexity, Now What?
Lucid: An Interactive Hex-Rays Microcode Explorer
Studying decompiler internals has never been so easy...
7 Days to Lift: A Mission in Microcode
Extending the Hex-Rays Decompiler to Support Intel AVX Instructions
What's New in Lighthouse v0.9
Python 3, custom coverage formats, coverage cross-refs, themes & more
A Cryptocurrency Heist, Starring Your Web Browser
Abusing well-defined web standards to exploit localhost services
In Transactional Memory, No One Can Hear You Scream
Attacking Intel's Transactional Synchronization Extensions
What's New in Lighthouse v0.8
Binary Ninja support, HTML coverage reports, consistent styling
Scaling up Binary Exploitation Education
Augmenting Esoteric Security Subjects with Gamification & Accessibility
Exploiting the macOS WindowServer for root
Four Heap Sprays, Two Dangling Pointers, One Bitflip
Cracking the Walls of the Safari Sandbox
Fuzzing the macOS WindowServer for Exploitable Vulnerabilities
Weaponization of a JavaScriptCore Vulnerability
Illustrating the Progression of Advanced Exploit Primitives In Practice
Timeless Debugging of Complex Software
Root Cause Analysis of a Non-Deterministic JavaScriptCore Bug
Vulnerability Discovery Against Apple Safari
Evaluating Complex Software Targets for Exploitable Vulnerabilities
A Methodical Approach to Browser Exploitation
The Exploit Development Lifecycle, From A to Z(ero Day)
Building up from the Ethereum Bytecode
Practical Decompilation of Ethereum Smart Contracts
What's New in Lighthouse v0.7
Frida, C++ demangling, context menu, function prefixing, bugfixes
Dangers of the Decompiler
A Sampling of Anti-Decompilation Techniques
What's New in ripr v1.1
Function Arguments, Basic Block Mode, and more
Untangling Exotic Architectures with Binary Ninja
Supplementing Flare-On 2017 with some sanity
What's New in Lighthouse v0.6
Intel pintool, cyclomatic complexity, batch load, bugfixes
Hello World
Compiling Executables for the Classic POSIX Subsystem on Windows