deepzero Posted May 4, 2021

Hi, I want to start a thread to collect root-cause analyses of vulnerabilities. I am aiming for detailed writeups of real vulnerabilities in real software, preferably in native code. This first post is going to be a bit of a mess, and I will include a bunch of interesting posts that are not technically root-cause analysis, but I will be cleaner in the future. Of course everyone is invited to join in.

First, a few famous blog archives full of good content:

A whole BUNCH of root-cause analyses by Google Project Zero:
https://googleprojectzero.github.io/0days-in-the-wild/rca.html

Same for SSD Disclosure:
https://ssd-disclosure.com/advisories-archive/

ZDI blog, full of goodies as well:
https://www.zerodayinitiative.com/blog

---------------------------
Second, a bunch of root-cause analyses I happen to have had bookmarked:
---------------------------

SSD Advisory – Oracle VirtualBox Multiple Guest to Host Escape Vulnerabilities
https://ssd-disclosure.com/ssd-advisory-oracle-virtualbox-multiple-guest-to-host-escape-vulnerabilities/

SSD Advisory – VirtualBox VRDP Guest-to-Host Escape
https://ssd-disclosure.com/ssd-advisory-virtualbox-vrdp-guest-to-host-escape/

Bluetooth → Wi-Fi Code Execution & Wi-Fi Debugging
https://naehrdine.blogspot.com/2021/04/bluetooth-wi-fi-code-execution-wi-fi.html

CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service
https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service

CVE-2021-26415 (NTFS link bait and switch)
https://www.cloaked.pl/2021/04/cve-2021-26415/

Yet another RenderFrameHostImpl UAF
https://microsoftedge.github.io/edgevr/posts/yet-another-uaf/

CVE-2021-1732: win32kfull xxxCreateWindowEx callback out-of-bounds
https://iamelli0t.github.io/2021/03/25/CVE-2021-1732.html#root-cause-analysis

CVE-2021-26900: Privilege Escalation Via a Use After Free Vulnerability In win32k
https://www.zerodayinitiative.com/blog/2021/5/3/cve-2021-26900-privilege-escalation-via-a-use-after-free-vulnerability-in-win32k

BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html

Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086
https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html

A journey into IonMonkey: root-causing CVE-2019-9810
https://doar-e.github.io/blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/

Reverse-engineering tcpip.sys: mechanics of a packet of the death (CVE-2021-24086)
https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/

One day short of a full chain: Part 1 - Android Kernel arbitrary code execution
One day short of a full chain: Part 2 - Chrome sandbox escape
One day short of a full chain: Part 3 - Chrome renderer RCE
https://securitylab.github.com/research/one_day_short_of_a_fullchain_android/

---------------------------------
Third, and one-time only, interesting blog posts that are not technically root-cause analysis:
---------------------------------

Hardware Reverse Engineering wiki
https://wiki.recessim.com/view/Main_Page

Playing in the (Windows) Sandbox
https://research.checkpoint.com/2021/playing-in-the-windows-sandbox/

Offensive Windows IPC Internals 1: Named Pipes
https://csandker.io/2021/01/10/Offensive-Windows-IPC-1-NamedPipes.html

Hyper-V debugging for beginners. 2nd edition.
https://hvinternals.blogspot.com/2021/01/hyper-v-debugging-for-beginners-2nd.html

Security of the Intel Graphics Stack - Part 1 - Introduction
https://igor-blue.github.io/2021/02/10/graphics-part1.html

The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
https://research.checkpoint.com/2021/the-story-of-jian/
deepzero Posted May 21, 2021 (edited June 16, 2021)

Reverse Engineering & Exploiting Dell CVE-2021-21551
https://voidsec.com/reverse-engineering-and-exploiting-dell-cve-2021-21551/

Measured Boot and Malware Signatures: exploring two vulnerabilities found in the Windows loader
https://bi-zone.medium.com/measured-boot-and-malware-signatures-exploring-two-vulnerabilities-found-in-the-windows-loader-5a4fcc3c4b66

ZDI-21-502: An Information Disclosure Bug in ISC BIND server
https://www.zerodayinitiative.com/blog/2021/6/15/zdi-21-502-an-information-disclosure-bug-in-isc-bind-server

Pwning Home Router - Linksys WRT54G
https://elongl.github.io/exploitation/2021/05/30/pwning-home-router.html

CVE-2021-31440: An Incorrect Bounds Calculation in the Linux Kernel eBPF Verifier
https://www.zerodayinitiative.com/blog/2021/5/26/cve-2021-31440-an-incorrect-bounds-calculation-in-the-linux-kernel-ebpf-verifier
deepzero Posted June 30, 2021

An EPYC escape: Case-study of a KVM breakout
https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html?m=1

CVE-2021-26892: An Authorization Bypass on the Microsoft Windows EFI System Partition
https://www.zerodayinitiative.com/blog/2021/6/30/cve-2021-26892-an-authorization-bypass-on-the-microsoft-windows-efi-system-partition

ZDI-21-502: An Information Disclosure Bug in ISC BIND server
https://www.zerodayinitiative.com/blog/2021/6/15/zdi-21-502-an-information-disclosure-bug-in-isc-bind-server