Seb (@0xseb__) 's Twitter Profile
Seb

@0xseb__

Independent security researcher

ID: 465409539

16-01-2012 09:43:16

254 Tweet

259 Followers

1,1K Following

Bruno (@bkth_)

I wrote a thing about a Chakra RCE for which the JIT trigger is tweetable :) function opt(o) { o.pwn = o.a; } phoenhex.re/2019-07-10/ten…

VideoLAN (@videolan)

About the "security issue" on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and MITRE did not even check their claim. Thread:

Tavis Ormandy (@taviso)

I'm publishing some 🔥 research today, a major design flaw in Windows that's existed for almost *two decades*. I wrote a blog post on the story of the discovery all the way through to exploitation. googleprojectzero.blogspot.com/2019/08/down-r…

Rolf Rolles (@rolfrolles)

ねば Hope it helps! Hopefully you've also seen Takahiro Haruyama extensions to the code (blog carbonblack.com/2019/02/25/def…, code github.com/carbonblack/He…)

David Crawshaw (@davidcrawshaw)

JSON originally had comments. They were removed. (This was explained on Google+. Then Google removed the explanation. Luckily archive.org saved it.)

Matt Miller (@epakskape)

Good PE parsing finds by j00ru//vx that were fixed this month. One of the issues he found was a bug that I introduced when refactoring code for RFG :( Takeaway: devs who know how to write secure code are still prone to make mistakes (if the lang lets them) bugs.chromium.org/p/project-zero…

Igor Skochinsky (@IgorSkochinsky@infosec.exchange) (@igorskochinsky)

A random bit of trivia I remembered recently. Got a DOS box with a password protected BIOS and no tools handy? Corrupt CMOS checksum with this simple command and get inside after reboot: echo “dummy” > CLOCK$

R136a1 (@theenergystory)

Archive of kernelmode.info is now available | All attachments are public | Note that attachments have PHP file extension but are actually archives | Rename according to its file type (ZIP, RAR, ...) and open it | Thanks for everybody who contributed over those ~10 years!

Yarden Shafir (@yarden_shafir)

After a lot of work and some crypto-related delays, I couldn't be more proud to publish Alex Ionescu's and my latest research - The complete overview of CET internals on Windows (so far!): windows-internals.com/cet-on-windows/

Alex Ionescu (@aionescu)

svchost.exe is so passé, I hope Metasploit and CobaltStrike are ready to migrate into oemsvchost.exe. Is your EDR/EPP/NGAV/Cloud Blockchain Enclave Regex Engine ready for Windows 10X?

ϻг_ϻε (@steventseeley)

Since @zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy! Advisory: srcincite.io/advisories/src… Exploit: srcincite.io/pocs/src-2020-…

Gil Dabah (@_arkon)

Guys & girls! Exactly a year ago I promised over 15 bugs in win32k. You're welcome to read and find out about my biggest research so far: #win32k #SmashTheRef bug class - github.com/gdabah/win32k-… Check out the paper and the POCs, there is some crazy stuff going on. Promise!

Alex Ionescu (@aionescu)

Well, I complained about signed drivers the other day, but a Microsoft partner *cheating on their test* to get WHQL certification (and getting a nice EV cert with it) takes the icing on the cake. And the 15 these IOCTLs. Because as Joxean Koret (@joxean@mastodon.social) said, there’s never any bugs in AV 🤦🏻‍♂️

Alex Ionescu (@aionescu)

Well I was gone for a month so apologies if this is old news but, Windows 21H1 is adding:
* Authenticated Pointers (PAC) on ARM64 (🥳!!!)
* Dynamic relocations to allow user shared data to be relocated (omg!!!)
* Kernel Mode TLS (Thread Local Storage) with PsTls* APIs
* Kernel CET

Visual C++ (@visualc)

AddressSanitizer for MSVC is no longer experimental. Check out this runtime analysis tool to find and fix memory bugs in your code: devblogs.microsoft.com/cppblog/addres…

Alisa Esage Шевченко (@alisaesage)

Happy Solstice! Time to celebrate Truth and Justice. I appreciate your support; and I want to let you try one of my value-packed & expensive commercial masterclasses: ☀️ Masterclass: Hacking Fuzzers for Smarter Bughunting (on-demand video) zerodayengineering.com/training/maste… This class