voidsecurity

Yet another blog by a security enthusiast !

Vulnerabilities

Writeups
List of Vulnerabilities
Papers and other blogs

Papers and other blogs

Collection of research published outside this blog.

Papers

Phrack Magazine - Tale of two hypervisor bugs - Escaping from FreeBSD bhyve

Hardware side-channel attacks

PagedOut Magazine - Leaking Guest Physical Address Using Intel Extended Page Table Translation
More details can be found in github repository - SLATMMU
PagedOut Magazine - Leaking Host kASLR from Guest VMs Using Tagged TLB
More details can be found in github repository - TagBleedVMM

Vulnerability modelling and variant analysis

Analysis of a Parallels Desktop Stack Clash Vulnerability and Variant Hunting Using Binary Ninja
Static Taint Analysis Using Binary Ninja: A Case Study of Mysql Cluster Vulnerabilities
Clang Checkers and CodeQL Queries for Detecting Untrusted Pointer Derefs and Tainted Loop Conditions
MindShaRE: Analyzing BSD Kernels for Uninitialized Memory Disclosures Using Binary Ninja
MindShaRE: Using Binary Ninja API to Detect Potential Use-after-free Vulnerabilities

Symbol porting and patch gap analysis

MindShaRE: Analysis of VMware Workstation and ESXi Using Debug Symbols from Flings
Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack

Virtualization vulnerability research

Virtualization Vulnerability Research (2019–2020)
FreeBSD grub-bhyve bootloader virtual machine escapes
Detailing Two VMware Workstation TOCTOU Vulnerabilities
An Analysis of a VMware ESXi TCP Socket Keepalive Type Confusion LPE
Parallels Desktop RDPMC Hypercall Interface and Vulnerabilities
Bash Privileged-Mode Vulnerabilities in Parallels Desktop and CDPATH Handling in MacOS

Reverse engineering

Flare-On Challenge #2
Flare-On Challenge #3

Email This BlogThis! Share to X Share to Facebook

No comments :

Post a Comment

Subscribe to: Posts ( Atom )

About Me

Reno Robert

View my complete profile

Follow @renorobertr

Blog Archive

▼ 2019
- ▼ January
  - VirtualBox TFTP server vulnerabilities

► 2018
- ► November
- ► August

► 2017
- ► July

► 2016
- ► April
- ► February

► 2015
- ► December
- ► October
- ► September
- ► July
- ► June
- ► April
- ► February
- ► January

► 2014
- ► December
- ► October
- ► September
- ► August
- ► July
- ► May
- ► March
- ► February
- ► January

► 2013
- ► December
- ► November
- ► October
- ► September
- ► August
- ► July
- ► June
- ► May
- ► April
- ► March
- ► February
- ► January

► 2012
- ► December
- ► November
- ► October
- ► September

Labels

Popular Posts

Exploit Exercise - Orphan Process and Race Condition

Lets see how to solve level [19] in Nebula. The code given checks whether its parent process is root using /proc entry. int mai...
From Compiler Optimization to Code Execution - VirtualBox VM Escape - CVE-2018-2844

Oracle fixed some of the issues I reported in VirtualBox during the Oracle Critical Patch Update - April 2018. CVE-2018-2844 was an inter...
Return to VDSO using ELF Auxiliary Vectors

This post is about exploiting a minimal binary without SigReturn Oriented Programming (SROP). Below is demo code, thanks to my frie...
Exploit Exercise - Python Pickles

Level [ 17 ] in nebula is pretty straight forward. The first look of it reveals the use of python's potentially vulnerable fun...
Defeating anti-debugging techniques using IDA and x86 emulator plugin

Recently I was trying to reverse a small crackme by Tosh. The challenge was to find a password by reversing the binary, bypassing ...
Exploiting PHP Bug #66550 - SQLite prepared statement use-after-free - [A local PHP exploit]

As the title says, this bug is useful only for post exploitation to bypass protections when the attacker already has arbitrary PHP...
VirtualBox NAT DHCP/BOOTP server vulnerabilities

Continuing from my previous blog posts, this is another old set of VirtualBox bugs which can lead to VM escape. VirtualBox guest in NAT m...
Data Structure Recovery using PIN and PyGraphviz

This is a simple POC PIN tool to recover data structures in dynamically linked stripped executables, mainly for analyzing small pr...
Plaid CTF 2016 - Fixedpoint

The binary simply reads integers from user, performs floating point operations on it and stores it in a mmap'ed region with RW...
VirtualBox VMSVGA VM Escape

VirtualBox emulates VMware virtual SVGA device whose interface details and programming model is available publicly [2]. Moreover, the pap...

Followers

Powered by Blogger.