-
Exploiting the Synology DiskStation with Null-byte Writes
Achieving remote code execution as root on the Synology DS1823xs+ NAS
In October, we attended Pwn2Own Ireland 2024 and successfully exploited the Synology DiskStation DS1823xs+ to obtain remote code execution as root. This issue has been fixed as CVE-2024-10442.
The DiskStation is a popular line of NAS (network-attached storage) products by Synology. It has been succesfully exploited a few times at Pwn2Own events in the past, though it remained untouched in the prior year’s event (Pwn2Own Toronto 2023). Then Ireland 2024 saw three successful entries, all using unique bugs.
This post will detail our experience researching the Synology DiskStation and writing an exploit against it for the event.
Prepping to throw an exploit at the Synology DiskStation, Pwn2Own Ireland 2024
Continue Reading →
-
Pwn2Own Automotive: Popping the CHARX SEC-3100
Exploiting Unsafe C++ Destructor Ordering on Process Teardown
Our previous post explored some of the bugs we discovered in the CHARX SEC-3100 ControllerAgent service for Pwn2Own Automotive. We’ll now walk through how these bugs were weaponized to produce a fully remote exploit.
We left off with a use-after-free (UAF) primitive. Notably however, the UAF occurs on process teardown (a “one-shot” style bug), and we don’t have any information leaks to easily deal with ASLR (address space layout randomization).
If you want to try exploiting a similar bug on your own, we’ve hosted a challenge with an adapted version of the same bug pattern on our in-browser WarGames platform here.
Continue Reading →
-
Pwn2Own Automotive: CHARX Vulnerability Discovery
Abusing Subtle C++ Destructor Behavior for a UAF
The first Pwn2Own Automotive introduced an interesting category of targets: electric vehicle chargers. This post will detail some of our research on the Phoenix Contact CHARX SEC-3100 and the bugs we discovered, with a 2nd separate post covering the actual exploit.
We’ve adapted the fundamental bug pattern into a challenge hosted on our in-browser WarGames platform here, if you want a hands-on attempt at exploiting the rather interesting C++ issue we discovered.
Although an EV charger may initially seem like an “exotic” target with non-standard protocols and physical interfaces, once those are figured out, everything eventually boils down to some binary consuming untrusted input (e.g. from the network), and all the classic memory corruption principles apply.
Continue Reading →
JTAG 'Hacking' the Original Xbox in 2023
Using Intel CPU JTAG to dump the secret bootrom in Microsoft's original Xbox
The LDT, a Perfect Home for All Your Kernel Payloads
Using the HIB segment to bypass KASLR on x86-based macOS
Exploiting Intel Graphics Kernel Extensions on macOS
A Pwn2Own 2021 Apple Safari Sandbox Escape
Exploiting an Unbounded memcpy in Parallels Desktop
A Pwn2Own 2021 Guest-to-Host Virtualization Escape
What's New in Tenet v0.2
Quality-of-life improvements, cell-based trace visualization, and more...
Snapcraft Packages Come With Extra Baggage
Exploiting Ubuntu's Snapcraft Apps with CVE-2020-27348
All Your Base Are [Still] Belong To Us
Fuzzing Modern UDP Game Protocols With Snapshot-based Fuzzers
The Oddest Place You Will Ever Find PAC
Exploiting the notoriously unsafe gets() on a PAC-protected ARM64 binary
32 bits, 32 gigs, 1 click...
Exploitation of a JavaScriptCore WebAssembly Vulnerability
Tenet: A Trace Explorer for Reverse Engineers
Conventional Debuggers Are Crumbling to Software Complexity, Now What?
Lucid: An Interactive Hex-Rays Microcode Explorer
Studying decompiler internals has never been so easy...
7 Days to Lift: A Mission in Microcode
Extending the Hex-Rays Decompiler to Support Intel AVX Instructions
What's New in Lighthouse v0.9
Python 3, custom coverage formats, coverage cross-refs, themes & more
A Cryptocurrency Heist, Starring Your Web Browser
Abusing well-defined web standards to exploit localhost services
In Transactional Memory, No One Can Hear You Scream
Attacking Intel's Transactional Synchronization Extensions
What's New in Lighthouse v0.8
Binary Ninja support, HTML coverage reports, consistent styling
Scaling up Binary Exploitation Education
Augmenting Esoteric Security Subjects with Gamification & Accessibility
Exploiting the macOS WindowServer for root
Four Heap Sprays, Two Dangling Pointers, One Bitflip
Cracking the Walls of the Safari Sandbox
Fuzzing the macOS WindowServer for Exploitable Vulnerabilities
Weaponization of a JavaScriptCore Vulnerability
Illustrating the Progression of Advanced Exploit Primitives In Practice
Timeless Debugging of Complex Software
Root Cause Analysis of a Non-Deterministic JavaScriptCore Bug
Vulnerability Discovery Against Apple Safari
Evaluating Complex Software Targets for Exploitable Vulnerabilities
A Methodical Approach to Browser Exploitation
The Exploit Development Lifecycle, From A to Z(ero Day)
Building up from the Ethereum Bytecode
Practical Decompilation of Ethereum Smart Contracts
What's New in Lighthouse v0.7
Frida, C++ demangling, context menu, function prefixing, bugfixes
Dangers of the Decompiler
A Sampling of Anti-Decompilation Techniques
What's New in ripr v1.1
Function Arguments, Basic Block Mode, and more
Untangling Exotic Architectures with Binary Ninja
Supplementing Flare-On 2017 with some sanity
What's New in Lighthouse v0.6
Intel pintool, cyclomatic complexity, batch load, bugfixes
Hello World
Compiling Executables for the Classic POSIX Subsystem on Windows