• CVE-2022-38694: Unisoc BootROM Arbitrary Address Write (AAW)

    This was an Arbitrary Address Write (AAW) vulnerability discovered by NCC Group [1] in the Unisoc BootROM. An attacker with physical access to a vulnerable device can exploit the bug to overwrite a function pointer in the BootROM's address space, or a return address stored on the stack, and execute their own code with BootROM privileges.

  • Understanding the Unisoc BROM Protocol

    This blog post will explore the Unisoc BROM protocol (Download Mode) used to flash firmware on devices running Unisoc chipsets. BROM mode is a universal low-level pre-boot state that is mostly used by the OEM to program or write firmware onto a device.

  • Linux Kernel: Exploiting an AAW & Heap Ovf (Blunder Driver)

    This blog post will cover the exploitation of a vulnerable Linux kernel driver by chaining a heap overflow bug with a ‘sandboxed’ Arbitrary Address Write (AAW) to achieve Local Privilege Escalation to root by overwriting core_pattern, with most mitigations enabled.

  • Linux Remote Process Injection: (Injecting into a Firefox Browser Process)

    This blog will cover Remote Process Injection in Linux — a common evasion technique popular in Windows malware. The aim will be to write an injector in C/C++ that injects into another remote process and for the purpose of this blog, the running process will be a browser process — Firefox.

  • Linux Malware: Defense Evasion Techniques

    This post will cover several detection evasion techniques that can be applied to custom agents on a compromised Linux host. A malware author needs good OPSEC, making sure that their agent remains stealthy and leaves little to no IOCs — this is on top of using a secure and stealthy Red Team infrastructure.

  • Introduction to Linux Kernel Stack Overflows

    In the Linux kernel (ring 0), a stack is also allocated for local variables defined in functions. These functions are mainly implemented in device drivers, which are defined in different Loadable Kernel Modules (LKMs). This stack is also vulnerable to stack overflow attacks that aim to overwrite the return address saved on the stack — this post will cover exploiting these vulnerabilities.

  • Linux: Local Process Injection

    Process Injection is a defense evasion technique often employed by malware. It entails executing arbitrary code in the address space of a separate live process, thereby gaining access to that process’s memory, system resources and possibly network resources.

  • Sig-Return Oriented Programming Attack (SROP)

    This post covers yet another binary exploitation attack that is somewhat similar to return-oriented programming (ROP). To understand how it works, we first need to understand Linux signals.

  • Pwnkit: Linux Privilege Escalation (CVE-2021-4034)

    This was a Linux Privilege Escalation vulnerability in polkit’s pkexec that affected almost every Linux distro running the vulnerable version(s). This post covers the root cause analysis (RCA) of the vulnerability and how it was weaponized for a Local Privilege Escalation attack.