<p><strong>Tencent Security Xuanwu Lab</strong> (feed updated 2024-01-26T01:50:31.733Z; site: <a href="https://xlab.tencent.com/en/" target="_blank" rel="noopener">https://xlab.tencent.com/en/</a>; author: xlab; generator: Hexo)</p>
<h2>A Mirage of Safety: Bug Finding and Exploit Techniques of Top Android Vendor's Privacy Protection Apps</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2021/05/14/A-Mirage-of-Safety-Bug-Finding-and-Exploit-Techniques-of-Top-Android-Vendors-Privacy-Protection-Apps/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2021/05/14/A-Mirage-of-Safety-Bug-Finding-and-Exploit-Techniques-of-Top-Android-Vendors-Privacy-Protection-Apps/</a><br>Published: 2021-05-13T16:00:00.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p><em>Author: Xiangqian Zhang, Huiming Liu of Tencent Security Xuanwu Lab</em></p>
<h1 id="0x0-Introduction"><a href="#0x0-Introduction" class="headerlink" title="0x0 Introduction"></a>0x0 Introduction</h1><p>In this blog, we will detail our research on Android privacy protection apps. We investigated the privacy protection applications provided by the top five Android vendors and found that many applications do not protect our privacy well. </p>
<p>Based on our research, we propose three threat models and show four attack examples against the privacy protection applications.</p>
<h2>CVE-2020-9971 Abusing XPC Service mechanism to elevate privilege in macOS/iOS</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2021/01/11/cve-2020-9971-abusing-xpc-service-to-elevate-privilege/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2021/01/11/cve-2020-9971-abusing-xpc-service-to-elevate-privilege/</a><br>Published: 2021-01-11T10:26:30.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p><em>Author: Zhipeng Huo(<a href="https://twitter.com/R3dF09" target="_blank" rel="noopener">@R3dF09</a>) of Tencent Security Xuanwu Lab</em></p>
<h1 id="0x0-Introduction"><a href="#0x0-Introduction" class="headerlink" title="0x0 Introduction"></a>0x0 Introduction</h1><p>In this blog, I will detail an interesting logic vulnerability I found in the <code>launchd</code> process when it manages XPC Services. It is easy to exploit and yields a 100% stable privilege escalation on macOS/iOS. Because <code>launchd</code> is the most fundamental and important component in the OS, the vulnerability also works from even the most restricted app sandbox. The vulnerability should work on versions before macOS Big Sur and iOS 13.5.</p>
<h2>Deep Analysis of CVE-2019-8014: The Vulnerability Ignored 6 Years Ago</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2019/09/12/deep-analysis-of-cve-2019-8014/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2019/09/12/deep-analysis-of-cve-2019-8014/</a><br>Published: 2019-09-12T06:14:22.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p><em>This post provides detailed analysis for CVE-2019-8014 which was fixed in Adobe Acrobat Reader / Pro DC recently. Interestingly, it’s a patch bypass of CVE-2013-2729 which was fixed six years ago. This post also discusses how to exploit the vulnerability.</em></p>
<p>Author: <strong>Ke Liu of Tencent Security Xuanwu Lab</strong></p>
<h2>Ghidra From XXE to RCE</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2019/03/18/ghidra-from-xxe-to-rce/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2019/03/18/ghidra-from-xxe-to-rce/</a><br>Published: 2019-03-18T10:21:19.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p>Authors: tomato, salt of Tencent Security Xuanwu Lab</p>
<h2>Investigating WinRAR Code Execution Vulnerability (CVE-2018-20250) at Internet Scale</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2019/02/22/investigating-winrar-code-execution-vulnerability-cve-2018-20250-at-internet-scale/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2019/02/22/investigating-winrar-code-execution-vulnerability-cve-2018-20250-at-internet-scale/</a><br>Published: 2019-02-22T12:15:35.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p>Authors: lywang, dannywei</p>
<h1 id="0x00-Background"><a href="#0x00-Background" class="headerlink" title="0x00 Background"></a>0x00 Background</h1><p>As one of the most popular archiving tools, WinRAR supports compressing and decompressing multiple archive formats. Check Point security researcher Nadav Grossman recently disclosed a series of security vulnerabilities he found in WinRAR, the most powerful being a remote code execution vulnerability in the ACE archive decompression module (CVE-2018-20250).<br>To support decompression of ACE archives, WinRAR integrated a 19-year-old dynamic link library, unacev2.dll, which has not been updated since 2006 and does not enable any exploit mitigation technologies. Nadav Grossman uncovered a directory traversal bug in unacev2.dll, which could allow an attacker to execute arbitrary code or leak Net-NTLM hashes.</p>
<h2>Spoof All Domains Containing 'd' in Apple Products [CVE-2018-4277]</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2018/11/13/cve-2018-4277/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2018/11/13/cve-2018-4277/</a><br>Published: 2018-11-13T07:53:50.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p>During this time I have been researching security issues on the browser front end, and I have found dozens of vulnerabilities in browsers such as Chrome, Safari, and Firefox. Unicode visual security and IDN homograph attacks have also been a subject of my research.</p>
<h2>Pay attention to the Ethereum hash collision problem from the "Stealing coins" incident</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2018/11/09/pay-attention-to-the-ethereum-hash-collision-problem-from-the-stealing-coins-incident/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2018/11/09/pay-attention-to-the-ethereum-hash-collision-problem-from-the-stealing-coins-incident/</a><br>Published: 2018-11-09T04:15:37.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p><strong>Authors: Kai Song (exp-sky), hearmen, salt, sekaiwu of Tencent Security Xuanwu Lab</strong></p>
<h2 id="“Stealing-coins”"><a href="#“Stealing-coins”" class="headerlink" title="“Stealing coins”"></a>“Stealing coins”</h2><p>On November 6th, we observed that this <a href="https://etherscan.io/address/0x5170a14aa36245a8a9698f23444045bdc4522e0a#code" target="_blank" rel="noopener">contract</a> had appeared on Ethereum. After investigation, we found that a blockchain security vendor had deployed the contract to let everyone try “stealing coins”.</p>
<h2>Pwning PHP developers</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2018/04/02/pwning-php-developers/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2018/04/02/pwning-php-developers/</a><br>Published: 2018-04-02T02:48:18.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p><em>TL;DR</em><br>A PHP developer who uses Xdebug’s remote debugging feature can be hit with RCE simply by visiting an attacker’s website in a modern browser.</p>
<h2>Return Flow Guard</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2016/11/02/return-flow-guard/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2016/11/02/return-flow-guard/</a><br>Published: 2016-11-02T06:29:27.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p>[DannyWei, lywang, FlowerCode] of Tencent Xuanwu Lab</p>
<p>Here is a preliminary documentation of the RFG implementation. We will update it once we have new findings and corrections.</p>
<p>We analyzed the Return Flow Guard introduced in Windows 10 Redstone 2 14942, released on October 7, 2016.</p>
<h2>CVE-2016-1707 Chrome Address Bar URL Spoofing on iOS</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2016/10/10/cve-2016-1707-chrome-address-bar-url-spoofing-on-ios/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2016/10/10/cve-2016-1707-chrome-address-bar-url-spoofing-on-ios/</a><br>Published: 2016-10-10T03:18:36.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p>I reported this address bar URL spoofing vulnerability in Chrome on iOS (CVE-2016-1707) to Google in June 2016. The vulnerability allows the address of a legitimate website to be forged, which an attacker can exploit to launch phishing attacks.</p>
<h2>Pulse Secure Desktop Client (Juniper Junos Pulse) Privilege Escalation</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2016/07/19/xlab-16-001/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2016/07/19/xlab-16-001/</a><br>Published: 2016-07-19T10:00:11.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p><strong>XLAB ID:</strong> XLAB-16-001 </p>
<p><strong>CVE ID:</strong> CVE-2016-2408 </p>
<p><strong>Patch Status:</strong> Fixed</p>
<h2>BadTunnel - A New Hope</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2016/06/17/badtunnel-a-new-hope/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2016/06/17/badtunnel-a-new-hope/</a><br>Published: 2016-06-17T08:20:27.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p>This article proposes a new attack model, named “BadTunnel”, that hijacks TCP/IP broadcast protocols across different network segments.</p>
<h2>Exceptions in Exceptions - Abusing Special Cases in System Exception Handling to Achieve Unbelievable Vulnerability Exploitation</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2016/04/19/exception-in-exception/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2016/04/19/exception-in-exception/</a><br>Published: 2016-04-19T08:21:21.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p>Memory Read / Write / Execute attributes are one of the most important parts of system security. Usually the writable attribute must be set before a block of memory can be overwritten, and the executable attribute must be set before code in a block of memory can be executed; otherwise an exception is generated. However, there are some special cases in the Windows exception handling procedure that we can take advantage of. By abusing such exceptions, we could write to the unwritable and execute the unexecutable.</p>
<h2>Use Chakra engine again to bypass CFG</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2016/01/04/use-chakra-engine-again-to-bypass-cfg/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2016/01/04/use-chakra-engine-again-to-bypass-cfg/</a><br>Published: 2016-01-04T08:19:56.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p>This post was initially inspired by a talk with @<a href="https://twitter.com/tombkeeper" target="_blank" rel="noopener">TK</a>, during which I learned the process and details of how to successfully bypass CFG (reference: use Chakra JIT to bypass DEP and CFG). Out of interest in the technique, I spent some time reading related materials and found another place from which to bypass CFG. I would like to thank @<a href="https://twitter.com/tombkeeper" target="_blank" rel="noopener">TK</a> for enlightening me on the ideas and techniques mentioned in this post.</p>
<h2>Microsoft Internet Explorer And Microsoft Edge Object Use-After-Free Remote Code Execution Vulnerability</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2015/12/29/xlab-15-025/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2015/12/29/xlab-15-025/</a><br>Published: 2015-12-29T09:59:19.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p><strong>XLAB ID:</strong> XLAB-15-025 </p>
<p><strong>CVE ID:</strong> CVE-2015-1752 </p>
<p><strong>Patch Status:</strong> Fixed</p>
<h2>Flash Player Memory Corruption in Display List Handling</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2015/12/29/xlab-15-024/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2015/12/29/xlab-15-024/</a><br>Published: 2015-12-29T09:56:34.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p><strong>XLAB ID:</strong> XLAB-15-024 </p>
<p><strong>CVE ID:</strong> CVE-2015-8459 </p>
<p><strong>Patch Status:</strong> Fixed</p>
<h2>Drag &amp; Drop Security Policy of IE Sandbox</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2015/12/18/drag-drop-security-policy-of-ie-sandbox/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2015/12/18/drag-drop-security-policy-of-ie-sandbox/</a><br>Published: 2015-12-18T11:03:51.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p>There is a kind of vulnerability that abuses flaws in the whitelisted applications of the ElevationPolicy settings to accomplish a sandbox bypass. A DragDrop policy setting in the IE registry, similar to ElevationPolicy, attracted our attention. In this post, the author takes an attacker’s perspective and tries every possible means to break the IE sandbox, analyzing each obstacle in turn to detail the drag-and-drop security policy of the IE sandbox.</p>
<h2>Bypass DEP and CFG using JIT compiler in Chakra engine</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2015/12/09/bypass-dep-and-cfg-using-jit-compiler-in-chakra-engine/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2015/12/09/bypass-dep-and-cfg-using-jit-compiler-in-chakra-engine/</a><br>Published: 2015-12-09T05:19:41.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p>JIT Spray is a popular exploitation technique that first appeared in 2010. It embeds shellcode as immediate values in the executable code the JIT compiler generates. Currently, all major JIT engines, including Chakra, already have many mitigations in place against this technique, such as random NOP instruction insertion, constant blinding, etc.</p>
<p>This article points out two weaknesses in Chakra’s JIT Spray mitigation (in Windows 8.1 and older operating systems, and Windows 10, respectively), allowing attackers to use JIT Spray to execute shellcode, bypassing DEP. I will also discuss a method to bypass CFG using Chakra’s JIT compiler.</p>
<h2>Trend Micro Vulnerability</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2015/12/02/xlab-15-023/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2015/12/02/xlab-15-023/</a><br>Published: 2015-12-02T09:54:44.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p><strong>XLAB ID:</strong> XLAB-15-017 </p>
<p><strong>CVE ID:</strong> CVE-2015-8301 </p>
<p><strong>Patch Status:</strong> Fixed</p>
<h2>Apple Safari Dialog Origin Spoofing Vulnerability</h2>
<p>Link: <a href="https://xlab.tencent.com/en/2015/12/02/xlab-15-022/" target="_blank" rel="noopener">https://xlab.tencent.com/en/2015/12/02/xlab-15-022/</a><br>Published: 2015-12-02T09:54:03.000Z | Updated: 2024-01-26T01:50:31.733Z</p>
<p><strong>XLAB ID:</strong> XLAB-15-022 </p>
<p><strong>CVE ID:</strong> CVE-2015-7093 </p>
<p><strong>Patch Status:</strong> Fixed</p>