~ (@m00nbsd)'s Twitter Profile
~

@m00nbsd

being a jackass is important in life

ID: 3343019212

Joined: 23-06-2015 18:16:17

73 Tweets

1.1K Followers

0 Following

~ (@m00nbsd)

I guess I should one day publish my "NetBSD Privileged Kernel" research on #NetBSD, here for example running the motherboard's SMM in a container to protect the kernel from firmware vulns and backdoors

~ (@m00nbsd)

by the way there's some real savage VM escape in #Bhyve, guest can take complete control of the host -- exploit is crazy, but easy!

Trend Zero Day Initiative (@thezdi)

A new guest blog with an excellent analysis from ~ shows a fast and smooth privilege escalation exploit in #FreeBSD. His write-up includes PoC and a video demo. Read the details at bit.ly/3jAjnwW

~ (@m00nbsd)

Trivial VM escape in #Bhyve: if you're a guest, allocate a GPA, use a VMLOAD+RDMSR probe to determine its HPA, use SKINIT to reinit the CPU core at that HPA. The CPU core restarts and executes your instructions in host mode. That's it, you're the host.

~ (@m00nbsd)

The recent ICMPv6 stuff in Windows reminded me I still had similar BSD vulns in my garage, so here we go.

Remote use-after-free in #OpenBSD via ICMPv6: ftp.openbsd.org/pub/OpenBSD/pa…

Remote use-after-free in #FreeBSD via ICMPv6: lists.freebsd.org/pipermail/free…

RCE possible in the first one.

~ (@m00nbsd)

Ah lol so I'm not the only one who developed KASAN for #FreeBSD: cgit.freebsd.org/src/commit/?id…

I didn't release my impl and rather piled up the vulns I found with it, old pic related. A lot of crazy kernel vulns.

~ (@m00nbsd)

Dudes, you don't seem to have noticed there are some nicer big-ass vulns in that hypervisor. This one for example, host stack r/w overflow, full VM escape, and no, retguard does not mitigate it. #OpenBSD

Trend Zero Day Initiative (@thezdi)

CVE-2022-23088: A new guest blog from ~ describes a 13-yr-old heap overflow in the Wi-Fi stack that allows network-adjacent attackers to execute code on affected installations of FreeBSD Kernel. Includes root cause & PoC. Read the details at zerodayinitiative.com/blog/2022/6/15…

Microsoft Threat Intelligence (@msftsecintel)

Read about kernel sanitizers, powerful detection features that can uncover bugs in kernel-mode components, and how they enable Microsoft engineering teams to identify and fix vulnerabilities earlier in the software development cycle: msft.it/6014eCpbq