While fuzzing the io_uring subsystem of linux-5.19-rc2 with syzkaller, our lab found a use-after-free (UAF) in io_register_pbuf_ring() caused by incorrect error handling. Using slab jumping, a kernel unlink attack and related techniques, this article achieves privilege escalation in a relatively simple heap environment. The bug has since been fixed in 5.19-rc8, so we have decided to publish how this 0-day was found together with the details of its exploitation.

Read more »

Abstract

The Android Application Sandbox is the cornerstone of the Android security model: it protects and isolates each application's process and data from the others. Attackers usually need kernel vulnerabilities to escape the sandbox, and those have become rare and hard to exploit as mitigations emerge and attack surfaces are tightened.

However, we found a vulnerability in stable Android 11 that breaks the dam purely from userspace. Chained with other 0-days we discovered in major Android vendors' code, a malicious app with zero permissions can completely bypass the Android Application Sandbox: take over any other application, such as Facebook or WhatsApp, read its data, inject code or even trojanize the application (unprivileged and privileged ones alike) without the user noticing. We named the chain "Mystique" after the Marvel Comics character with a similar ability.

In this talk we give a detailed walkthrough of the whole vulnerability chain and the bugs it includes. On the attack side, we discuss the bugs in detail and share the exploitation method and framework built on Mystique that enables privilege escalation, transparent process injection, hooking and debugging, and data extraction from various target applications, none of which has been presented before. On the defense side, we release a detection SDK/tool for app developers and end users, since this new type of attack differs from previous ones and largely evades traditional analysis.

Read more »


Parallels Desktop is virtualization software for macOS that lets users run Windows, Linux and other operating systems. In September 2021 I started security research on Parallels Desktop, during which I discovered several high-severity vulnerabilities. Unfortunately, the latest update patched them. This article describes my Parallels Desktop research process and the technical details of finding and exploiting the vulnerabilities.

Read more »


Overview

CVE-2021-31956 is a kernel heap overflow disclosed by Microsoft in June 2021; an attacker can exploit it for local privilege escalation. The NCC Group blog has already published a detailed exploitation analysis, but it did not include the exploit source code.

This article records my own process of learning Windows exploitation. The exploitation techniques used are largely the same as those described by NCC Group and are provided for study and reference only.

Read more »

In recent years the robotics industry at home and abroad has kept heating up, and intelligent service robots have gradually entered public view. Many of these vendors use the Robot Operating System (ROS), but because ROS was born in a laboratory environment with research as its target scenario, it initially lacked an overall security design. As the ROS project was open-sourced and widely adopted, many security problems were exposed, making it a hot research topic for security practitioners.

Read more »