xvonfers @xvonfers Twitter profile

Pinned Tweet

xvonfers

@xvonfers

2 months

V8 Sandbox escape/bypass/violation and VR collection

GitHub - xv0nfers/V8-sbx-bypass-collection

Contribute to xv0nfers/V8-sbx-bypass-collection development by creating an account on GitHub.

github.com

3

53

204

Last Seen Profiles

@toncu34_39

@TJenkins83073

@CharlotteP27179

@syuwitch1191

@IndoAbgme

@nq0m1_g0v

@pxsunn

@bokeplokalmalam

@Rich9Richard

@lizzeewiz

@XJ6xtyjOxoY2yJ9

@BemisDiana57371

@toji966198

@shionicoringo

@yerb

@popejames

@harold676078146

@paddowilson

@bokeplokalmalam

@stw_pdg

@scenerena

@AlexFries11

@HebaShabasy

@LucaFreitag4

@PinarSOzbay

@Mil30646236

@BillBailey

@MT_Card

@PattersonD60545

@its__Therry

@AgenceRecherche

@Mayvchmidt

@urielconta20

@MHPhotoTweets

@mirei5231192012

@Thx4UrServais

xvonfers

@xvonfers

9 months

Full Chain Baseband Exploits. Details of the baseband and baseband-to-AP pivot vulnerabilities, exploitable for RCE, chained together at the same time ▶️Part 1: ▶️Part 2: ▶️Part 3: @TaszkSecLabs @kutyacica

Full Chain Baseband Exploits, Part 3

Full Chain Baseband Exploitation, Part 3

labs.taszk.io

2

141

393

xvonfers

@xvonfers

5 months

(CVE-2024-1283)[1521893]Heap buffer overflow in Skia(crash when a BMP image contains an unnecessary EOF code) is now public with RCE exploit and novel cross-cache technique. @r3tr074

xvonfers

@xvonfers

8 months

(CVE-2024-1283)[1521893 aka 41494860]Heap buffer overflow in Skia(crash when a BMP image contains an unnecessary EOF code). @r3tr074

0

4

46

0

48

130

xvonfers

@xvonfers

4 months

(CVE-2024-27834)Integer underflow -> RCE + PAC bypass. @_manfp #Pwn2Own #P2OVancouver

About the security content of Safari 17.5 - Apple Support

This document describes the security content of Safari 17.5.

support.apple.com

4

21

122

xvonfers

@xvonfers

4 months

I have recently been in the V8 vulnerability research/exploitation topic and in this post I will briefly talk about the key points at the very start of the study:

1

26

122

xvonfers

@xvonfers

3 months

xvonfers

@xvonfers

3 months

0

2

25

3

4

114

xvonfers

@xvonfers

28 days

I translated the presentation from Russian, now in English

V8sandbox_bypass/V8SandboxBypass_en.pdf at master · xv0nfers/V8sandbox_bypass

V8sandbox_bypass using stack misalignment. Contribute to xv0nfers/V8sandbox_bypass development by creating an account on GitHub.

github.com

xvonfers

@xvonfers

28 days

[OFFZONE 2024][Rus]Bypassing the V8 sandbox protection mechanism(presentation with PoC): @phoen16xxx

0

9

50

4

22

96

xvonfers

@xvonfers

10 months

(CVE-2023-40088) 0-click RCE(Bluetooth, UAF in ~CallbackEnv) com_android_bluetooth_btservice_AdapterService does not null its local JNI environment variable after detaching the thread, allowing UAF under certain conditions.

xvonfers

@xvonfers

10 months

Android Security Bulletin—December 2023 Fixed three 0-clicks: ⏩CVE-2023-40077(EoP) & CVE-2023-40076(ID), in Framework ⏩CVE-2023-40088(System, RCE) "Source code patches for these issues will be released to the AOSP repository in the next 48 hours."

0

5

21

1

22

92

xvonfers

@xvonfers

1 month

PageJack: A Powerful Exploit Technique With Page-Level UAF Slides: Repository: WP: Zhiyun Qian, Jiayi Hu, Jinmeng Zhou, Qi Tang & Wenbo Shen @pkqzy888

10

33

87

xvonfers

@xvonfers

4 months

Exploit a vuln to corrupt funcrefs within the sandbox -> modify funcrefs to point to functions with different signatures -> invoke corrupted funcrefs using call_ref or return_call_ref -> cause tagged vs. untagged type confusion -> ... -> SBX @5aelo

1

7

87

xvonfers

@xvonfers

6 months

(CVE-2024-3159)[330760873][Pwn2Own][runtime][MapUpdater]OOB Read in V8. @le_douds @Ga1ois

Zero Day Initiative

@thezdi

6 months

Confirmed! @le_douds and @Ga1ois from Palo Alto used an OOB Read plus a novel technique for defeating V8 hardening to get arbitrary code execution in the renderer. The were aboe to exploit #Chrome and #Edge with the same bugs, earning $42,500 and 9 Master of Pwn points. #Pwn2Own

1

9

48

0

19

83

xvonfers

@xvonfers

4 months

In my recent exploration of V8 vulnerability research and exploitation, I've delved into the V8 sandbox, a critical component designed to enhance security by isolating V8’s heap memory. This topic is about fuzzing V8 Sandbox, criticism and suggestions are welcome!

xvonfers

@xvonfers

4 months

I have recently been in the V8 vulnerability research/exploitation topic and in this post I will briefly talk about the key points at the very start of the study:

1

26

122

3

14

83

xvonfers

@xvonfers

9 months

A Journey of Browser Hacking with ANGLE. @singi21a

GitHub - singi/webgl-0day

Contribute to singi/webgl-0day development by creating an account on GitHub.

github.com

0

21

81

xvonfers

@xvonfers

9 months

CVE-2023-41974 aka Landa(UAF in the XNU kernel). Fixed in iOS 17.0 and macOS 14.0. "This exploit does not corrupt the kernel state such that it needs to be cleaned up post-KRKW in order to prevent a kernel panic."

1

24

78

xvonfers

@xvonfers

7 months

(CVE-2024-0039)[295887535][Android][BLE][ATT]OOB write in attp_build_value_cmd -> 0-click RCE

xvonfers

@xvonfers

8 months

(CVE-2024-0031)[Android][BLE][ATT]OOB Write in attp_build_read_by_type_value_cmd function->0-click RCE.

0

13

54

0

24

74

xvonfers

@xvonfers

7 months

(CVE-2023-6702)[1501326][$16000][promises, async stack traces]Type Confusion in V8 is now open with a PoC: This vulnerability has existed since the `Promise.any` function was introduced. PoC: ./d8 poc.js

xvonfers

@xvonfers

9 months

CVE-2023-6702: Type Confusion in V8(CaptureAsyncStackTrace). [1501326]Fix the case when the closure has run We were using the closure pointing to NativeContext as a marker that the closure has run, but async stack trace code was confused about it.

1

6

37

1

27

74

xvonfers

@xvonfers

6 months

[1511448]V8 Spectre-v1 Vulnerability in V8-optimized code that allows speculative memory access to arbitrary 64-bit memory addresses, which bypasses the V8 Sandbox. @5aelo Juhee Kim Youngjoo Lee

2

16

73

xvonfers

@xvonfers

4 months

PoC + Exploit:

xvonfers

@xvonfers

5 months

[1518257][$12000][wasm]UAF of wasm memory buffer due to mismatch of cached memory in graph-builder-interface in function ReloadInstanceCacheIntoSsa. PoC: ./d8 poc.js

2

10

18

2

20

72

xvonfers

@xvonfers

1 month

Bypassing the V8 sandbox protection mechanism. "The report describes a way to bypass this security mechanism using the vulnerability found, as well as a new exploitation technique" new exploitation technique???😅

2

18

69

xvonfers

@xvonfers

4 months

Thanks for the helpful comments from @0x00deadbeef , because I'm a little behind the current Linux kernel security and exploitation.

xvonfers

@xvonfers

4 months

(CVE-2024-26926)[Binder]Craft malicious binder object with misaligned offsets -> send object through IPC -> binder_get_object() copies object using copy_from_user() without alignment check -> misaligned object bypasses alignment validation -> ... -> EoP

0

12

54

2

10

68

xvonfers

@xvonfers

6 months

Manfred Paul ( @_manfp ) used an OOB R/W on a JavaScript object by fooling range-based bounds check elimination(CVE-2024-29943) for the RCE and an exposed dangerous function bug via Event Handlers(CVE-2024-29944) to achieve his SBX of FF.

1

11

68

xvonfers

@xvonfers

1 month

[sides]The Way to Android Root: Exploiting Your GPU on Smartphone @vxradius Xiling Gong Xuan Xing

2

14

66

xvonfers

@xvonfers

6 months

(CVE-2024-1580)dav1d integer overflow when decoding an AV1 video with large width/height -> OOB write Encoded OBUs with frame width and height of 50000x50000: test.c:

xvonfers

@xvonfers

6 months

0

1

7

1

15

65

xvonfers

@xvonfers

1 month

Overcoming State: Finding Baseband Vulnerabilities by Fuzzing Layer-2 Slides: Dyon Goos & Marius Muench

0

16

64

xvonfers

@xvonfers

3 months

wow... [330575498][wasm][Pwn2Own 2024] v8 wasm type confusion, which allows for the execution of arbitrary shellcode inside the ”renderer” processis with V8 sbx bypass is now open with exploit: Whitepaper: @_manfp

xvonfers

@xvonfers

6 months

[330575498][wasm] Check for type-definition count limit.

1

0

3

18

64

xvonfers

@xvonfers

4 months

Key attack surfaces in V8(IMHO): 1/ JS code exectution: - Type Confusions - UaFs - OOB Accesses 2/ Wasm: - Incorrect parsing - Signature mismatch 3/ JIT Compilation: - JIT Spraying - Deopt bugs

1

14

62

xvonfers

@xvonfers

2 months

(CVE-2024-3832, insufficient fix for CVE-2021-30561)[$20000][331358160][wasm]Object corruption in V8 is now open with PoC: PoC with patch: @mmolgtm

xvonfers

@xvonfers

5 months

(CVE-2024-3832)[$20000][331358160][wasm]Object corruption in V8. @mmolgtm

0

6

16

0

12

64

xvonfers

@xvonfers

9 months

PoC CVE-2023-6817[nf_tables](UAF->DoS/LPE) gcc -o poc poc.c -lnftnl -lmnl Details:

xvonfers

@xvonfers

9 months

(CVE-2023-6817)[netfilter][nft_set_pipapo]skip inactive elements during set walk(UAF->LPE)

1

7

20

0

24

59

xvonfers

@xvonfers

10 months

(Webkit) CVE-2023-42916 Processing web content may disclose sensitive information(OOB read, exploited ITW) CVE-2023-42917 Processing web content may lead to arbitrary code execution(memory corruption, exploited ITW) @_clem1

3

14

62

xvonfers

@xvonfers

6 months

(CVE-2024-2886)[330575496] UAF in WebCodecs->RCE. @0x10n

Zero Day Initiative

@thezdi

6 months

Confirmed!! Seunghyun Lee ( @0x10n ) of KAIST Hacking Lab used a UAF to RCE in the renderer on both #Micosoft Edge and #Google Chrome. He earns $85,000 and 9 Master of Pwn points. That also puts us over $1,000,000 for the event! #Pwn2Own

1

14

88

1

9

60

xvonfers

@xvonfers

4 months

Class static blocks can execute arbitrary code when the class is first accessed->placing malicious code in a static block-> using eval() and IC->forcing JIT optimization ->modifying the prototype chain and causing unexpected type transitions -> ... -> Type Confusion

xvonfers

@xvonfers

4 months

1

16

4

9

60

xvonfers

@xvonfers

3 months

So, this is the latest twee about the introduction to V8 VR. The first diagram shows a simplified path from discovery to exploitation V8. The second was taken from @5aelo 's presentation from @offensive_con .

xvonfers

@xvonfers

4 months

Key attack surfaces in V8(IMHO): 1/ JS code exectution: - Type Confusions - UaFs - OOB Accesses 2/ Wasm: - Incorrect parsing - Signature mismatch 3/ JIT Compilation: - JIT Spraying - Deopt bugs

1

14

62

0

15

57

xvonfers

@xvonfers

4 months

I completely forgot to mention that with the release of Chrome M123(stricter handling, integrity checks, etc), many V8 SBX techniques that relied on manipulating raw pointers inside the V8 sandbox were effectively neutralized. Thanks @5aelo !

0

6

58

xvonfers

@xvonfers

4 months

(CVE-2024-2173)[$12000][325893559][wasm][wasm-to-js wrapper]OOB memory access in V8 due to a missing bounds check in tier-up of wasm-to-js wrapper is now public with PoC: PoC: ./d8 poc-full.js

xvonfers

@xvonfers

7 months

(CVE-2024-2173)[$12000][325893559][wasm][wasm-to-js wrapper]OOB memory access in V8 due to a missing bounds check in tier-up of wasm-to-js wrapper.

0

1

22

0

16

56

xvonfers

@xvonfers

10 months

(CVE-2023-42917, WebKit memory corruption, ITW) Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure 😉Enjoy. @_clem1

Cherry-pick b0a755e34426. https://bugs.webkit.org/show_bug.cgi?id=265067 · WebKit/WebKit@00352dd

Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure https://bugs.webkit.org/show_bug.cgi?id=265067 rdar://118548733 Reviewed by J...

github.com

xvonfers

@xvonfers

10 months

(Webkit) CVE-2023-42916 Processing web content may disclose sensitive information(OOB read, exploited ITW) CVE-2023-42917 Processing web content may lead to arbitrary code execution(memory corruption, exploited ITW) @_clem1

3

14

62

3

14

57

xvonfers

@xvonfers

1 month

(CVE-2024-5158)[338908243][builtins]Type Confusion between WasmObject and JSObject in Array Concat(most of the data fields in Wasm object (especially in WasmStruct) are controllable) is now public with PoC ./d8 poc.js @Kipreyyy

xvonfers

@xvonfers

4 months

(CVE-2024-5158)[338908243][$10000][builtins]The HasOnlySimpleElements function could incorrectly assume that certain non-JSObjects have simple elements -> ... -> Type Confusion @Kipreyyy

0

2

21

1

9

57

xvonfers

@xvonfers

8 months

(CVE-2024-0031)[Android][BLE][ATT]OOB Write in attp_build_read_by_type_value_cmd function->0-click RCE.

Android Security Bulletin—February 2024 | Android Open Source Project

source.android.com

0

13

54

xvonfers

@xvonfers

4 months

(CVE-2024-4761)[339458194] OOB write in V8 in SetOrCopyDataProperties method(exploited ITW) PoC: @buptdsb

1

7

55

xvonfers

@xvonfers

4 months

🥳 [40282115]Introduce automated IPC fuzzing that automatically detects renderer process exposed IPC interfaces and fuzzes them. Design of this fuzzer(private):

1

13

56

xvonfers

@xvonfers

15 days

(CVE-2024-3914)[330759272][Pwn2Own 2024][DOMArrayBuffer]DOMArrayBuffer confused about ownership of backing buffer -> UAF is now open with PoC and exploit PoC: Exploit: WP: @0x10n

xvonfers

@xvonfers

5 months

(CVE-2024-3914)[330759272][DOMArrayBuffer]UAF in v8. "Removing this newly introduced CHECK to be able to merge fixes in this area - we still violate this invariant but the fixes are a step into the right direction."😅 @0x10n

0

8

0

15

57

xvonfers

@xvonfers

4 months

(CVE-2024-26926)[Binder]Craft malicious binder object with misaligned offsets -> send object through IPC -> binder_get_object() copies object using copy_from_user() without alignment check -> misaligned object bypasses alignment validation -> ... -> EoP

xvonfers

@xvonfers

4 months

New Android Security Bulletin released(June 2024)!

2

21

0

12

54

xvonfers

@xvonfers

6 months

Time-Travelling JIT Bugs by Manfred Paul( @_manfp ). 😅It's strange that after such a long time, there was no link on Twitter(X).

0

9

52

xvonfers

@xvonfers

3 months

Excellent performance on V8 by Francois Jolivet: "Evolution of the protections of the V8 Javascript engine" Full article: Slides: Video:

3

18

53

xvonfers

@xvonfers

7 days

(CVE-2024-6100, a variant of CVE-2024-2887)[344608204][$20000][wasm]Type Confusion in V8 -> RCE is now public with PoC and exploit PoC: Exploit: Writeup: @0x10n

xvonfers

@xvonfers

3 months

(CVE-2024-6100)[344608204][$20000][wasm]Type Confusion in V8 @0x10n

1

23

0

7

53

xvonfers

@xvonfers

25 days

😅 (CVE-2024-7971)[360700873][wasm][liftoff] Add DCHECK and regression test(exploited ITW) regression test: ./d8 --expose-gc --liftoff-only regress-360700873.js

xvonfers

@xvonfers

1 month

(CVE-2024-7971)[360700873][wasm]Type confusion in V8(exploited ITW)

0

7

15

2

8

49

xvonfers

@xvonfers

28 days

[OFFZONE 2024][Rus]Bypassing the V8 sandbox protection mechanism(presentation with PoC): @phoen16xxx

PhoenixX

You can contact @phoen1xxx right away.

t.me

xvonfers

@xvonfers

1 month

Bypassing the V8 sandbox protection mechanism. "The report describes a way to bypass this security mechanism using the vulnerability found, as well as a new exploitation technique" new exploitation technique???😅

2

18

69

0

9

50

xvonfers

@xvonfers

14 days

crash.js will just crash with an OOB write leak_hole.js will use the OOB access to leak the hole object Exploit:

xvonfers

@xvonfers

14 days

(CVE-2024-5830)[342456991][$25000]Type confusion in TryFastAddDataProperty(map transition bug) is now open writeup: @mmolgtm

0

3

24

0

10

49

xvonfers

@xvonfers

8 months

(CVE-2024-1283)[1521893 aka 41494860]Heap buffer overflow in Skia(crash when a BMP image contains an unnecessary EOF code). @r3tr074

0

4

46

xvonfers

@xvonfers

6 months

(CVE-2024-29943)[1886849]OOB R/W on a JS object by fooling range-based bounds check elimination. (CVE-2024-29944)[1886852]Inject an event handler into a privileged object -> arbitrary JS execution in the parent process.

mozilla-central @ 45d29e78c0d8f9501e198a512610a519e0605458

Bug 1886849: Remove MObjectKeysLength::computeRange r=jandem

hg.mozilla.org

xvonfers

@xvonfers

6 months

Manfred Paul ( @_manfp ) used an OOB R/W on a JavaScript object by fooling range-based bounds check elimination(CVE-2024-29943) for the RCE and an exposed dangerous function bug via Event Handlers(CVE-2024-29944) to achieve his SBX of FF.

1

11

68

0

8

47

xvonfers

@xvonfers

7 months

(CVE-2023-4070)[1462951][$20000][WASM]Type Confusion in V8 WebAssembly->RCE. PoC: Exploit: [wasm][liftoff] Missing test for security bug

1

15

48

xvonfers

@xvonfers

9 months

Before analyzing the bug and writing PoC/exploit, I advise you to familiarize yourself with the older bug. [192795 ](unshift race condition -> RCE)Array unshift/shift should not race against the AI in the compiler thread. Exploit:

Array unshift/shift should not race against the AI in the compiler th… · WebKit/WebKit@266a919

…read. https://bugs.webkit.org/show_bug.cgi?id=192795 Reviewed by Saam Barati. JSTests: * stress/array-unshift-should-not-race-against-compiler-thread.js...

github.com

xvonfers

@xvonfers

10 months

(CVE-2023-42917, WebKit memory corruption, ITW) Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure 😉Enjoy. @_clem1

3

14

57

3

12

45

xvonfers

@xvonfers

4 months

(CVE-2024-23296)[RTKit] An attacker with arbitrary kernel r/w capability may be able to bypass kernel memory protections(exploited ITW) .

About the security content of iOS 16.7.8 and iPadOS 16.7.8 – Apple Support (UK)

This document describes the security content of iOS 16.7.8 and iPadOS 16.7.8.

support.apple.com

1

11

46

xvonfers

@xvonfers

24 days

wow... "....MiraclePtr is considered a declarative security boundary and a valid submission of a MiraclePtr bypassis now eligible for a reward of $250,128."

Blog: Chrome VRP Reward Updates to Incentivize Deeper Research

The Chrome VRP is increasing reward amounts and their structure to incentivize high-quality reporting and deeper research of Chrome vulnerabilities, see this post for details!

bughunters.google.com

1

4

46

xvonfers

@xvonfers

4 months

🫣 (CVE-2024-5274)[341663589]V8 parse a class static block incorrectly(parsed using the ExpressionScope stack) because class static blocks contain statements, not expressions -> ... -> type confusion -> RCE(exploited ITW) @_clem1

4

6

43

xvonfers

@xvonfers

5 months

(CVE-2024-3516)[328859176][$10000][ANGLE][Translator]Heap buffer overflow in ANGLE. @qriousec @__suto

0

10

44

xvonfers

@xvonfers

1 month

Bypassing ARM's MTE with a SCA broken URL: @BlackHatEvents

2

5

43

xvonfers

@xvonfers

3 months

Comrades, what is the latest public Android full-chain? As an example from Man Yue Mo( @mmolgtm ):

0

8

43

xvonfers

@xvonfers

3 months

[Pwn2Own 2024](CVE-2024-2886)[330563095, 330575496] PinArrayBufferContent is insufficient to keep the backing store itself pinned and WebCodecs VideoFrame Race Condition UAF W -> RCE is now public with PoC, exploit and wp. @0x10n

xvonfers

@xvonfers

6 months

(CVE-2024-2886)[330575496] UAF in WebCodecs->RCE. @0x10n

1

9

60

1

11

42

xvonfers

@xvonfers

7 months

(CVE-2024-1694???)[$5000][1505686][Updater]EoP in GoogleUpdate with Windows(can be exploited by an attacker to gain SYSTEM privileges on a PC with Google Chrome).

0

11

41

xvonfers

@xvonfers

28 days

Let's dive into the "Field Confusion" technique used to v8sbx escape thanks @le_douds @ga1ois

xvonfers

@xvonfers

1 month

[slides]Let the Cache Cache and Let the WebAssembly Assemble: Knockin' on Chrome's Shell @ga1ois @le_douds

0

4

30

1

3

41

xvonfers

@xvonfers

3 months

🥲'lsb' and 'width' are not properly checked (CVE-2024-27833)[271491]SBFX offset overflow -> ACE. PoC: 🤔 z = (x << y) ^ (x << (y & 0x10ff)); let r = z ^ 0xf01; let s = z ^ 0xf1f; return (((a>>>r)<<s)>>s); @_manfp @thezdi

0

5

39

xvonfers

@xvonfers

8 months

(CVE-2024-0582)[io_uring] Page UAF via buffer ring mmap. Fix landed in stable release 6.6.5:

0

7

40

xvonfers

@xvonfers

2 months

[design doc][40931165, 42204201]V8 Sandbox + Leaptiering(a new design for JS function invocation and tiering, with the goal of achieving sandbox compatibility and better performance). @5aelo

0

11

40

xvonfers

@xvonfers

9 months

CVE-2023-6702: Type Confusion in V8(CaptureAsyncStackTrace). [1501326]Fix the case when the closure has run We were using the closure pointing to NativeContext as a marker that the closure has run, but async stack trace code was confused about it.

1

6

37

xvonfers

@xvonfers

10 months

CVE-2023-6345: Integer overflow in Skia. Reported by Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group on 2023-11-24(exists in the wild)

0

11

38

xvonfers

@xvonfers

6 months

(CVE-2023-7024)[1513170] Heap buffer overflow in WebRtcAudioSink::DeliverRebufferedAudio-> renderer process RCE(exploited ITW) - reported by Clément Lecigne and Vlad Stolyarov is now open with a PoC. Minified PoC:

xvonfers

@xvonfers

9 months

[1513170] CVE-2023-7024: Heap buffer overflow in WebRTC(exploited ITW) - reported by Clément Lecigne and Vlad Stolyarov. [WebRtcAudioSink]Stop on invalid configuration @_clem1

1

2

17

0

8

38

xvonfers

@xvonfers

7 months

(CVE-2023-6347)[1494461][Mojo]UAF in Mojo(IPC Channel pipe teardown) is now open with a PoC: ➡️python3 -m http.server 8000 ➡️out/asan/chrome.exe --user-data-dir=xxxx " http://localhost:8000/poc.html

xvonfers

@xvonfers

10 months

CVE-2023-6347: Use after free in Mojo(IPC Channel pipe teardown) . Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2023-10-21 (trigger inside)

1

0

2

1

11

38

xvonfers

@xvonfers

5 months

(CVE-2024-3833)[$10000][331383939]Object corruption in WebAssembly. Regression test: @mmolgtm

0

5

38

xvonfers

@xvonfers

9 months

Recent changes in the Maglev deoptimizer. The slide is taken from the presentation by @P4nda20371774 and @xmzyshypnc1 "Reviving JIT Vulnerabilities: Unleashing the Power of Maglev Compiler Bugs on Chrome Browser"

1

10

36

xvonfers

@xvonfers

2 months

(CVE-2024-7520)[1903041][Wasm][WasmTypeDef]Type Confusion in Wasm -> RCE

1

3

37

xvonfers

@xvonfers

8 months

(CVE-2024-228620)[FFmpeg][libavformat][jpegxl_anim_dec]Integer overflow in jpegxl_anim_read_packet function(when size > INT_MAX)->ACE. jpegxl_anim_read_packet->ff_read_packet->read_frame_internal

1

6

35

xvonfers

@xvonfers

2 months

(CVE-2024-36971)[343727534][net]fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF -> ... -> RCE(exploited ITW) @_clem1

2

9

37

xvonfers

@xvonfers

3 months

wow😅 (CVE-2024-5839)[$100115][340122160]Inappropriate Implementation in MiraclePtr() Now, any increment operation that would set the MSB triggers an overflow check(now compares against kMaxPtrCount and kMaxUnprotectedPtrCount instead of the previous masks)

Use-after-freedom: MiraclePtr

Posted by Adrian Taylor, Bartek Nowierski and Kentaro Hara on behalf of the MiraclePtr team Memory safety bugs are the most numerous cat...

security.googleblog.com

xvonfers

@xvonfers

4 months

[340122160][MiraclePtr]Reserves the most significant bit of the reference count to prevent races with overflow detection.

0

1

5

35

xvonfers

@xvonfers

1 month

[343407073][$5000] V8 Sandbox Bypass: control-flow hijacking via WASM Table Indirect call V8 sbx ecape technique(writeup): ./d8 --sandbox-testing sbx_bypass.js @le_douds @ga1ois

xvonfers

@xvonfers

1 month

[slides]Let the Cache Cache and Let the WebAssembly Assemble: Knockin' on Chrome's Shell @ga1ois @le_douds

0

4

30

0

10

36

xvonfers

@xvonfers

4 months

xvonfers

@xvonfers

4 months

(CVE-2024-5158)[338908243][$10000][builtins]The HasOnlySimpleElements function could incorrectly assume that certain non-JSObjects have simple elements -> ... -> Type Confusion @Kipreyyy

0

2

21

0

3

35

xvonfers

@xvonfers

9 months

(CVE-2024-0193)[netfilter]UAF->LPE in nf_tables. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This causes a UAF on an NFT_CHAIN object or NFT_OBJECT object.

0

5

35

xvonfers

@xvonfers

3 months

[Pwn2Own 2024][330589218]Missing underflow check -> V8 sbx bypass(really interesting and is part of an exploit chain) is now public. @_manfp

xvonfers

@xvonfers

3 months

wow... [330575498][wasm][Pwn2Own 2024] v8 wasm type confusion, which allows for the execution of arbitrary shellcode inside the ”renderer” processis with V8 sbx bypass is now open with exploit: Whitepaper: @_manfp

3

18

64

1

7

35

xvonfers

@xvonfers

2 months

(CVE-2023-41111)Samsung Baseband RLC Data Re-Assembly BoF (CVE-2023-41112)Samsung Baseband RLC Data Re-Assembly Heap-BoF @TaszkSecLabs @kutyacica @szabolor @

CVE-2023-41112: Samsung Baseband RLC Data Re-Assembly Heap Buffer Overflow

Samsung Baseband RLC Data Re-Assembly Heap Buffer Overflow

labs.taszk.io

0

10

35

xvonfers

@xvonfers

5 months

(CVE-2024-27228)[Critical][316354570]Memory corruption in the MFC media processing core on the Pixel 7 -> RCE. @natashenka

0

11

34

xvonfers

@xvonfers

4 months

CVE-2024-4367(arbitrary JS execution in PDF.js) fixed in Firefox ESR 115.11, Firefox 126 and Thunderbird 115.11:

Security Vulnerabilities fixed in Thunderbird 115.11

www.mozilla.org

Codean

@CodeanIO

5 months

We found a vulnerability in Mozilla’s PDF.js (CVE-2024-4367 and CVE-2024-34342 via react-pdf) resulting in arbitrary JavaScript execution when opening a malicious PDF. This results in XSS on many web- and even desktop apps. Blog post coming soon!

0

8

27

0

4

34

xvonfers

@xvonfers

9 months

[v8,14519]Segfault in V8 poc.js function main() { for (let v3 = 0; v3 < 10000; v3++) { const v9 = { "maxByteLength": 9943683 }; const v11 = new ArrayBuffer(1632, v9); } %DebugPrint(); } main(); ./d8 --allow-natives-syntax poc.js

xvonfers

@xvonfers

9 months

[v8, 14519][runtime] Bug fix for DebugPrint %DebugPrint() may log some undefined behavior, we may not allow this method with an empty argument list.

0

1

3

0

3

33

xvonfers

@xvonfers

6 months

[1510709]Type confusion -> RCE in the renderer process. ./d8 --harmony-set-methods ex.js ./google-chrome --no-sandbox --js-flags="--harmony-set-methods" ex.html @h0meb0dysj

0

6

33

xvonfers

@xvonfers

4 months

Needs to find a way to control where the JIT compiler allocates code -> by controlling the allocation, we can overlap different code regions -> PAC signing gadget(instruction sequences that can be used to sign arbitrary pointers) in JIT code.

Cherry-pick f442fbe222f3. rdar://125596635 · WebKit/WebKit@81c26e6

Make it harder to get a PAC signing gadget in JIT code. https://bugs.webkit.org/show_bug.cgi?id=272750 rdar://125596635 Reviewed by Yusuke Suzuki. Right now if an attacker can...

github.com

xvonfers

@xvonfers

4 months

(CVE-2024-27834)Integer underflow -> RCE + PAC bypass. @_manfp #Pwn2Own #P2OVancouver

4

21

122

0

3

34

xvonfers

@xvonfers

23 days

V8 CFI - Wasm Forward-Edge

V8 CFI - WebAssembly Forward-Edge

V8 CFI - WebAssembly Forward-Edge Created: Author: Visibility: PUBLIC Internal version: go/v8-cfi:wasm-forward-edge Overview We want to build forward-edge CFI for WebAssembly. There are three...

docs.google.com

1

3

33

xvonfers

@xvonfers

1 month

😂😂😂 "We don't want b2dc7aec2c6d2ffa28219ac288e4750c_exploit.rar and it's contents to be shared publicly because it is a fully weaponized exploit that could be used by other threat actors once it becomes public."

xvonfers

@xvonfers

1 month

(CVE-2024-4947)[340221135][MaglevGraphBuilder] Debug check failed: access_info.IsDataField() || access_info.IsFastDataConstant()-> ... -> Type Confusion -> RCE(exploited ITW) is now public with PoC @vaber_b @oct0xor

1

8

26

3

5

33

xvonfers

@xvonfers

16 days

[342866373][$5000]v8sbx bypass JSToWasmWrapperAsm accessible and allows type confusion PoC: @clubby789

0

7

32

xvonfers

@xvonfers

2 months

🤣🤣🤣 [335331437]Exploiting V8 ArrayBuffer Type Confusion for ACE in Google Chrome. [334281964]RCE in V8 JSE _Not reproducible_

1

4

33

xvonfers

@xvonfers

24 days

(CVE-2024-5499)[$11000][339877167][Streams]Memory corruption in ReadableByteStreamController::FillPullIntoDescriptorFromQueue-> OOB Write is now public with PoC PoC:

xvonfers

@xvonfers

4 months

(CVE-2024-5499)[339877167][Streams]The pull-into descriptor can become out-of-sync with the array buffer when the buffer is detached -> OOB Write

0

4

1

10

32

xvonfers

@xvonfers

7 months

V8 Sandbox - External Pointer Sandboxing: Naive logger that dumps the contents of EPT for a given isolate:

Dump EPT contents for an isolate

Dump EPT contents for an isolate. GitHub Gist: instantly share code, notes, and snippets.

gist.github.com

0

7

32

xvonfers

@xvonfers

1 month

./d8 --sandbox-testing pwn.js

xvonfers

@xvonfers

1 month

[334120897][$6000]Wasm function signature confusion -> out of sandbox arbitrary r/w(v8sbx escape, crashing instruction is `mov [rcx+rax], rdx` so the target page won't appear in the registers (rcx+rax == target_page)) Kyle Zeng

0

3

13

1

9

32

xvonfers

@xvonfers

18 days

(CVE-2024-8385)[1911909][wasm]A difference in the handling of StructFields and ArrayTypes in WASM -> exploitable type confusion -> RCE Seunghyun Lee ( @0x10n ) of KAIST Hacking Lab

Security Vulnerabilities fixed in Firefox 130

www.mozilla.org

0

5

33

xvonfers

@xvonfers

4 months

[324864439][$7000]OOB in WebRTC-MultiplexCodec PoC: ./chrome --disable-gpu --use-fake-ui-for-media-stream --use-fake-device-for-media-stream --incognito --user-data-dir=/tmp/xx1 --enable features=WebRTC-MultiplexCodec http://localhost:8880/crash.html

1

4

30

xvonfers

@xvonfers

9 months

Hi folks, looking for a conference to talk about browser exploitation. Where can I go in 2024 with minimal difficulties with a visa?

12

0

30

xvonfers

@xvonfers

4 months

After studying tens of thousands of commits related to browsers and JS engines, I realized that I didn't understand anything😅

3

31

xvonfers

@xvonfers

9 months

Safari, Hold Still for NaN Minutes @sherl0ck__ @n30m1nd @XI_Research #VulnerabilityAnalysis #JavaScriptCore #ASLR #Safari

Safari, Hold Still for NaN Minutes! - Exodus Intelligence

By Vignesh Rao and Javier Jimenez Introduction In October 2023 Vignesh and Javier presented the discovery of a few bugs affecting JavaScriptCore, the JavaScript engine of Safari. The presentation...

blog.exodusintel.com

0

12

31

xvonfers

@xvonfers

8 months

(CVE-2024-0519, exploited ITW )[1517354][v8][runtime] Drop fast last-property deletion(OOB memory access in V8). This interacts badly with other optimizations and isn't particularly common.

1

3

29

xvonfers

@xvonfers

4 months

(CVE-2024-4671)[339266700][Viz][FrameSinkBundleImpl]UAF in Visuals(exploited ITW) A SinkGroup is responsible for batching messages out to a group of bundled CompositorFrameSink clients who all share a common BeginFrameSource.