Lyte (@lyte__)'s Twitter Profile

Co-founder @the_impalabs

ID: 3383210607

19-07-2015 16:18:06

650 Tweet

569 Followers

111 Following

Hexacon (@hexacon_fr):

*drum roll* The Call For Papers is now open! Find all the details about your submission on cfp.hexacon.fr/hexacon-2022/c… Discover the awesome panel of experts who will review your papers ⬇️

Taszk Security Labs (@taszkseclabs):

Video and slides for “UnZiploc”: labs.taszk.io/articles/post/… In our new OTA exploitation research on Huawei phones we explored remote interfaces to get RCE and escalate to TrustZone using logic bugs only.

Hexacon (@hexacon_fr):

Lunch is over and now it’s time for Maxime Peterlin and Alexandre Adamski from Impalabs to talk about « Hara-Kirin: Dissecting the Privileged Components of Huawei Mobile Devices » #HEXACON2022

Impalabs (@the_impalabs):

Here are the slides of our Hexacon talk about breaking the privileged components of Huawei's mobile devices. Thanks to everyone who attended, we hoped you liked it, and stay tuned for the upcoming blog posts! github.com/Impalabs/confe…

Impalabs (@the_impalabs):

If you've missed our talk at Hexacon, the recording of “Hara-Kirin: Dissecting Huawei Mobile Devices” is now available! Come with us for a guided tour of Huawei's Hypervisor and TrustZone, and learn about the cool bugs we discovered along the way. youtu.be/LxoHSrrGaNA

Impalabs (@the_impalabs):

Today we are releasing Hyperpom, a fuzzing framework for ARM64 binaries based on the Apple Silicon hypervisor. Check out our latest blogpost, as well as our GitHub repo, to learn more about the project and its internals. 📙 blog.impalabs.com/2211_hyperpom.… 🗃️ github.com/impalabs/hyper…

Impalabs (@the_impalabs):

Who watches the watchmen? With our latest blogpost and advisory, dive deep into the security hypervisor that protects the Android kernel of Huawei devices, and learn about the vulnerability we exploited to compromise it. 📝 blog.impalabs.com/2212_huawei-se… ⚠️ blog.impalabs.com/2212_advisory_…

Impalabs (@the_impalabs):

Our newest advisory is about the Secure Monitor, a component of Huawei's TrustZone. It details 3 vulnerabilities (CVE-2021-39994, CVE-2021-22437, CVE-2021-39993) that we exploited to execute code at EL3, the highest privilege level of Android devices. blog.impalabs.com/2212_advisory_…

Ledger Donjon (@donjonledger):

Software development for embedded systems with limited memory is tedious. We introduce a brand new paradigm called “app-streaming” to overcome these limitations. Check-out the blogpost and the source code (spoiler: 🦀 inside)! github.com/LedgerHQ/app-s… blog.ledger.com/app-streaming/

Taszk Security Labs (@taszkseclabs):

FaultyUSB: exploiting a TOCTOU race condition bug in recovery to get root on Huawei devices by emulating a malicious USB flash drive labs.taszk.io/articles/post/…

Impalabs (@the_impalabs):

Our latest advisory is about a logic bug in Parallels Desktop that can be used to escape from VMs. It stems from a directory traversal and an incorrect use of Qt's strings resulting in unexpected behavior. 📝 blog.impalabs.com/2303_advisory_… 🗃️ github.com/Impalabs/CVE-2…

Guanxing (@hhj4ck):

Slides and demos of core escalation: github.com/hhj4ck/CoreEsc… Welcome to join me during the meet + greet this afternoon (Booth 3241 - Meetup Lounge, Business Hall)

Impalabs (@the_impalabs):

After a bit of delay, we're finally releasing advisories for 139 vulnerabilities we found in 23 trustlets used on Huawei mobile devices. Some of them can be exploited to access the Secure World and retrieve sensitive data. 🧵 A thread of our most interesting findings

Man Yue Mo (@mmolgtm):

In this post I'll use CVE-2023-3420, an incorrect side effect modelling bug in the JIT compiler that I reported to Chrome, to gain a sandboxed remote code execution in the renderer: github.blog/2023-09-26-get…

Taszk Security Labs (@taszkseclabs):

Can't get enough of Barbenheimer? Get your Basebanheimer fix at Hardwear.io | Samsung and Mediatek baseband over-the-air to Android vulnerability chains: previewing our upcoming talk and training | labs.taszk.io/articles/post/…

Klecko (@klecko0):

I've written a post on SELinux and some public bypasses for Android kernel exploitation. It's especially relevant for Samsung and Huawei devices due to their use of hypervisors. Check it out here: klecko.github.io/posts/selinux-…

Meysam (@r00tkitsmm):

r00tkitsmm.github.io/fuzzing/2024/1… TL;DR I implemented a super reliable macOS kernel binary rewriting to instrument any KEXT or XNU at BB or edge level.