A collection of root-cause-analysis of real vulnerabilites in real software

Posted May 4, 20214 yr

Hi,

I want to start a thread to collect root-cause-analysis of vulnerabilities.

I am aiming for detailed writeups of real vulnerabilities in real software, preferably in native code.

This first post is going to be a bit of a mess, and I will include a bunch of interesting posts that are not technically root-cause-analysis, but I will be more clean in the future.

Of course everyone is invited to join in.

First a few famous blogarchives full of good content:

A whole BUNCH of rootcause analysis by google project zero:

https://googleprojectzero.github.io/0days-in-the-wild/rca.html

same for ssd-disclosure

https://ssd-disclosure.com/advisories-archive/

ZDI blog full of goodies as well:

https://www.zerodayinitiative.com/blog

---------------------------

Second, a bunch of root-cause-analysis I happen to have had bookmarked:

---------------------------

SSD Advisory – Oracle VirtualBox Multiple Guest to Host Escape Vulnerabilities

https://ssd-disclosure.com/ssd-advisory-oracle-virtualbox-multiple-guest-to-host-escape-vulnerabilities/

SSD Advisory – VirtualBox VRDP Guest-to-Host Escape

https://ssd-disclosure.com/ssd-advisory-virtualbox-vrdp-guest-to-host-escape/

Bluetooth → Wi-Fi Code Execution & Wi-Fi Debugging

https://naehrdine.blogspot.com/2021/04/bluetooth-wi-fi-code-execution-wi-fi.html

CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service

https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service

CVE-2021-26415 (ntfs link bait and switch)

https://www.cloaked.pl/2021/04/cve-2021-26415/

Yet another RenderFrameHostImpl UAF

https://microsoftedge.github.io/edgevr/posts/yet-another-uaf/

CVE-2021-1732: win32kfull xxxCreateWindowEx callback out-of-bounds

https://iamelli0t.github.io/2021/03/25/CVE-2021-1732.html#root-cause-analysis

CVE-2021-26900: Privilege Escalation Via a Use After Free Vulnerability In win32k

https://www.zerodayinitiative.com/blog/2021/5/3/cve-2021-26900-privilege-escalation-via-a-use-after-free-vulnerability-in-win32k

BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution

https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html

Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086

https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html

A journey into IonMonkey: root-causing CVE-2019-9810.

https://doar-e.github.io/blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/

Reverse-engineering tcpip.sys: mechanics of a packet of the death (CVE-2021-24086)

https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/

One day short of a full chain: Part 1 - Android Kernel arbitrary code execution

One day short of a full chain: Part 2 - Chrome sandbox escape

One day short of a full chain: Part 3 - Chrome renderer RCE

https://securitylab.github.com/research/one_day_short_of_a_fullchain_android/

---------------------------------

Third, and one-time only, interesting blogposts that are not technically root-cause analysis:

---------------------------------

Hardware Reverse Engineering wiki

https://wiki.recessim.com/view/Main_Page

Playing in the (Windows) Sandbox

https://research.checkpoint.com/2021/playing-in-the-windows-sandbox/

Offensive Windows IPC Internals 1: Named Pipes

https://csandker.io/2021/01/10/Offensive-Windows-IPC-1-NamedPipes.html

Hyper-V debugging for beginners. 2nd edition.

https://hvinternals.blogspot.com/2021/01/hyper-v-debugging-for-beginners-2nd.html

Security of the Intel Graphics Stack - Part 1 - Introduction

https://igor-blue.github.io/2021/02/10/graphics-part1.html

The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day

https://research.checkpoint.com/2021/the-story-of-jian/

May 21, 20214 yr

Author

Reverse Engineering & Exploiting Dell CVE-2021-21551

https://voidsec.com/reverse-engineering-and-exploiting-dell-cve-2021-21551/

Measured Boot and Malware Signatures: exploring two vulnerabilities found in the Windows loader

https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66

ZDI-21-502: An Information Disclosure Bug in ISC BIND server

https://www.zerodayinitiative.com/blog/2021/6/15/zdi-21-502-an-information-disclosure-bug-in-isc-bind-server

Pwning Home Router - Linksys WRT54G

https://elongl.github.io/exploitation/2021/05/30/pwning-home-router.html

CVE-2021-31440: An Incorrect Bounds Calculation in the Linux Kernel eBPF Verifier

https://www.zerodayinitiative.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-calculation-in-the-linux-kernel-ebpf-verifier

Edited June 16, 20214 yr by deepzero

June 30, 20214 yr

Author

An EPYC escape: Case-study of a KVM breakout

https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html?m=1

CVE-2021-26892: An Authorization Bypass on the Microsoft Windows EFI System Partition

https://www.zerodayinitiative.com/blog/2021/6/30/cve-2021-26892-an-authorization-bypass-on-the-microsoft-windows-efi-system-partition

ZDI-21-502: An Information Disclosure Bug in ISC BIND server

https://www.zerodayinitiative.com/blog/2021/6/15/zdi-21-502-an-information-disclosure-bug-in-isc-bind-server

Sign In

A collection of root-cause-analysis of real vulnerabilites in real software

Featured Replies

Create an account or sign in to comment

Account

Navigation

Search

Configure browser push notifications

Chrome (Android)

Chrome (Desktop)

Safari (iOS 16.4+)

Safari (macOS)

Edge (Android)

Edge (Desktop)

Firefox (Android)

Firefox (Desktop)