https://www.msuiche.com/categories/exploitation/Recent content in Exploitation on Matt SuicheHugoen-usSat, 20 Jul 2024 12:00:00 +0200https://www.msuiche.com/posts/bob-and-alice-in-kernel-land/Sat, 20 Jul 2024 12:00:00 +0200https://www.msuiche.com/posts/bob-and-alice-in-kernel-land/<p><p class="markdown-image"> <img src="./images/main.webp" alt="Blue Screens Everywhere" /> </p></p> <p>Already dubbed &ldquo;<a href="https://www.telegraph.co.uk/business/2024/07/19/world-is-horrifying-close-to-total-economic-collapse/" target="_blank" rel="noopener">The Largest IT</a>, <a href="https://www.wired.com/story/crowdstrike-outage-update-windows/" target="_blank" rel="noopener">Outage In History</a>, the CrowdStrike update from July 18, 2024, has affected at least <a href="https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/" target="_blank" rel="noopener">8.5 million Windows devices, according to Microsoft</a>. Several of these devices are critical assets and run multiple essential services. For instance, I was unable to pay for my coffee in Dubai because the payment systems used by the coffee shop were down, and a friend lost her passport while stranded in Barcelona due to flight disruptions. The full impact and scope of the incident remain unknown, and it is likely be the main topic of discussion at DEFCON and BlackHat this summer and beyond.</p>https://www.msuiche.com/posts/researching-triangulation-detecting-cve-2023-41990-with-single-byte-signatures./Sat, 30 Dec 2023 12:00:00 +0200https://www.msuiche.com/posts/researching-triangulation-detecting-cve-2023-41990-with-single-byte-signatures./<p>As part of the attack chain, the initial infection starts with attackers dispatching a malicious PDF as an iMessage attachment. This particular attachment is crafted to stealthily leverage a remote code execution vulnerability in the FontParser, identified as <a href="https://support.apple.com/en-us/HT213842" target="_blank" rel="noopener">CVE-2023-41990</a> and reported by Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky to Apple.</p> <blockquote class="twitter-tweet"><p lang="en" dir="ltr">As someone who worked at the NSA, I always think it&#39;s hilarious when people feel like real APTs can be minimized to the MITRE matrix. <a href="https://t.co/BMywfpIS7K">https://t.co/BMywfpIS7K</a></p>https://www.msuiche.com/posts/researching-blastpass-analysing-the-apple-google-webp-poc-file-part-2/Sun, 24 Dec 2023 12:00:00 +0200https://www.msuiche.com/posts/researching-blastpass-analysing-the-apple-google-webp-poc-file-part-2/<p>More than 14 weeks pasted since <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=1479274" target="_blank" rel="noopener">Apple Product Security team reported</a> the issue affecting WebP open source project to Google, in follow up to the BLASTPASS iOS exploit that was discovered in the wild by <a href="https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/" target="_blank" rel="noopener">CitizenLab</a> and <a href="https://www.msuiche.com/posts/researching-blastpass-detecting-the-exploit-inside-a-webp-file/" target="_blank" rel="noopener">discussed in September</a>. This means that the email chain is now public as of December 14, 2023.</p> <p>We also learn that that Brotli compression algorithm almost got impacted by the <a href="https://chromium.googlesource.com/chromium/src/third_party/&#43;/refs/heads/main/brotli/dec/huffman.c#169" target="_blank" rel="noopener">same issue</a> (c.f. <code>BrotliBuildHuffmanTable</code>) but the shape of Huffman tree is checked before actual lookup table is built so it was not vulnerable.</p>