📱 Hara-Kirin: Dissecting the privileged components of Huawei mobile devices by Maxime Peterlin (Lyte) and Alexandre Adamski (Alex “neat” A.)

This might be the best bug I found. Never thought I'd be writing a kernel exploit as reliable, clean and fast as a browser exploit. For a while I actually used this to root my research phone when can't be bothered to patch the rom: github.blog/2022-07-27-cor…

Lunch is over and now it’s time for Maxime Peterlin and Alexandre Adamski from Impalabs to talk about « Hara-Kirin: Dissecting the Privileged Components of Huawei Mobile Devices » #HEXACON2022

Here are the slides of our Hexacon talk about breaking the privileged components of Huawei's mobile devices. Thanks to everyone who attended, we hoped you liked it, and stay tuned for the upcoming blog posts! github.com/Impalabs/confe…

If you've missed our talk at Hexacon, the recording of “Hara-Kirin: Dissecting Huawei Mobile Devices” is now available! Come with us for a guided tour of Huawei's Hypervisor and TrustZone, and learn about the cool bugs we discovered along the way. youtu.be/LxoHSrrGaNA

Today we are releasing Hyperpom, a fuzzing framework for ARM64 binaries based on the Apple Silicon hypervisor. Check out our latest blogpost, as well as our GitHub repo, to learn more about the project and its internals. 📙 blog.impalabs.com/2211_hyperpom.… 🗃️ github.com/impalabs/hyper…

Who watches the watchmen? With our latest blogpost and advisory, dive deep into the security hypervisor that protects the Android kernel of Huawei devices, and learn about the vulnerability we exploited to compromise it. 📝 blog.impalabs.com/2212_huawei-se… ⚠️ blog.impalabs.com/2212_advisory_…

Going live for the binary episode of the podcast. Today we have a Huawei Hypervisor vuln, a FreeBSD stack overflow in ping, and some discussion on ChatGPT. twitch.tv/dayzerosec

Our newest advisory is about the Secure Monitor, a component of Huawei's TrustZone. It details 3 vulnerabilities (CVE-2021-39994, CVE-2021-22437, CVE-2021-39993) that we exploited to execute code at EL3, the highest privilege level of Android devices. blog.impalabs.com/2212_advisory_…

Binary episode is live in about 10 minutes. Today we have a browser bug, a post by project zero on a linux kernel exploit, and some Huawei secure monitor bugs. twitch.tv/dayzerosec

In this post I'll use CVE-2022-38181, a use-after-free I reported last year in the Arm Mali GPU driver to gain arbitrary kernel code execution and root from untrusted Android app. Not sure if the bug or the disclosure is more interesting: github.blog/2023-01-23-pwn…

FaultyUSB: exploiting a TOCTOU race condition bug in recovery to get root on Huawei devices by emulating a malicious USB flash drive labs.taszk.io/articles/post/…

Our latest advisory is about a logic bug in Parallels Desktop that can be used to escape from VMs. It stems from a directory traversal and an incorrect use of Qt's strings resulting in unexpected behavior. 📝 blog.impalabs.com/2303_advisory_… 🗃️ github.com/Impalabs/CVE-2…

Live with this week's bounty episode in about 10 minutes. Today we have a Parallels Desktop toolgate bug, bypassing CloudTrail, and some GPT discussion. twitch.tv/dayzerosec

In this post I'll look at a patching issue that leaves Pixel 6 vulnerable to an already fixed bug for more than 5 months. This allows arbitrary kernel code execution and root from an untrusted app and shows some potential problems with backporting: github.blog/2023-04-06-pwn…

Escaping Parallels Desktop with Plist Injection pwn.win/2023/05/08/par…

Slides and demos of core escalation: github.com/hhj4ck/CoreEsc… Welcome to join me during the meet + greet this afternoon (Booth 3241 - Meetup Lounge, Business Hall)

Slide is online: i.blackhat.com/BH-US-23/Prese…

After a bit of delay, we're finally releasing advisories for 139 vulnerabilities we found in 23 trustlets used on Huawei mobile devices. Some of them can be exploited to access the Secure World and retrieve sensitive data. 🧵 A thread of our most interesting findings

Unburdened By What Has Been: Exploiting New Attack Surfaces in Radio Layer 2 for Baseband RCE on Samsung Exynos labs.taszk.io/articles/post/…