blog.cr0.org
cr0 blog: CVE-2009-2793: Iret #GP on pre-commit handling failure: the NetBSD case
http://blog.cr0.org/2009/09/cve-2009-2793-iret-gp-on-pre-commit.html
A blog about IT security and other geek interests. Wednesday, September 16, 2009. CVE-2009-2793: Iret #GP on pre-commit handling failure: the NetBSD case. A few months ago, Tavis Ormandy and I used the fact that iret can fail with a General Protection (#GP) exception before the processor "commits" to user-mode (switches privileges by setting CS) on multiple occasions (more on this at the upcoming PacSec). The stack will be marked as executable but the code segment limit will not be raised yet: on s...
blog.cr0.org
cr0 blog: November 2009
http://blog.cr0.org/2009_11_01_archive.html
A blog about IT security and other geek interests. Saturday, November 28, 2009. Virtualization security and the Intel privilege model. Earlier this month, Tavis and I spoke at PacSec 2009 in Tokyo about virtualisation security on Intel architectures, with a focus on CPU virtualisation. We released some details about MS09-33 (CVE-2009-1542), a bug we found in VirtualPC's instruction decoding. We mentioned two of the awesome bugs found by Derek Soeder in VMware, CVE-2008-4915 and CVE-2008-4279. Virtuali...
blog.cr0.org
cr0 blog: Old school local root vulnerability in pulseaudio (CVE-2009-1894)
http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html
A blog about IT security and other geek interests. Thursday, July 16, 2009. Old school local root vulnerability in pulseaudio (CVE-2009-1894). Today was chosen as disclosure day for CVE-2009-1894. Tavis Ormandy and I recently used the fact that pulseaudio was set-uid root to bypass Linux' NULL pointer dereference prevention. This technique relies on a limitation in the Linux kernel and not on a bug in pulseaudio. But we also found one unrelated bug in pulseaudio. ... getenv("LD_BIND_NOW") {
blog.cr0.org
cr0 blog: July 2009
http://blog.cr0.org/2009_07_01_archive.html
A blog about IT security and other geek interests. Thursday, July 16, 2009. Old school local root vulnerability in pulseaudio (CVE-2009-1894). Today was chosen as disclosure day for CVE-2009-1894. Tavis Ormandy and I recently used the fact that pulseaudio was set-uid root to bypass Linux' NULL pointer dereference prevention. This technique relies on a limitation in the Linux kernel and not on a bug in pulseaudio. But we also found one unrelated bug in pulseaudio. ... getenv("LD_BIND_NOW") {
blog.cr0.org
cr0 blog: October 2009
http://blog.cr0.org/2009_10_01_archive.html
A blog about IT security and other geek interests. Friday, October 30, 2009. CVE-2009-2267: Mishandled exception on page fault in VMware. Tavis Ormandy and I recently released an advisory for CVE-2009-2267. This is a vulnerability in VMware's virtual CPU which can lead to privilege escalation in a guest. All VMware virtualisation products were affected, including in hardware virtualisation mode. For further details, check our advisory and the non-weaponized PoC (vmware86.c). Note that VMware s...
blog.cr0.org
cr0 blog: January 2010
http://blog.cr0.org/2010_01_01_archive.html
A blog about IT security and other geek interests. Thursday, January 21, 2010. CVE-2010-0232: Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack. Two days ago, Tavis Ormandy published one of the most interesting vulnerabilities I've seen so far. It's one of those rare but fascinating design-level errors dealing with low-level system internals. Its exploitation requires skills and ingenuity. ... Making it 17 years old. ... And the forging of cs:eip in VM86 mode. If you've ever tried t...
blog.cr0.org
cr0 blog: Introducing Chrome's next-generation Linux sandbox
http://blog.cr0.org/2012/09/introducing-chromes-next-generation.html
A blog about IT security and other geek interests. Thursday, September 6, 2012. Introducing Chrome's next-generation Linux sandbox. Starting with Chrome 23.0.1255.0, recently released to the Dev Channel, you will see Chrome making use of our next-generation sandbox on Linux and ChromeOS for renderers. We are using a new facility, introduced in Linux 3.5 and developed by Will Drewry, called Seccomp-BPF. Seccomp-BPF builds on the ability to send small BPF (for BSD Packet Filter ... Let's talk about the second...
blog.cr0.org
cr0 blog: Virtualization security and the Intel privilege model
http://blog.cr0.org/2009/11/virtualisation-security-and-intel.html
A blog about IT security and other geek interests. Saturday, November 28, 2009. Virtualization security and the Intel privilege model. Earlier this month, Tavis and I spoke at PacSec 2009 in Tokyo about virtualisation security on Intel architectures, with a focus on CPU virtualisation. We released some details about MS09-33 (CVE-2009-1542), a bug we found in VirtualPC's instruction decoding. We mentioned two of the awesome bugs found by Derek Soeder in VMware, CVE-2008-4915 and CVE-2008-4279. Virtuali...
blog.cr0.org
cr0 blog: September 2009
http://blog.cr0.org/2009_09_01_archive.html
A blog about IT security and other geek interests. Wednesday, September 16, 2009. CVE-2009-2793: Iret #GP on pre-commit handling failure: the NetBSD case. A few months ago, Tavis Ormandy and I used the fact that iret can fail with a General Protection (#GP) exception before the processor "commits" to user-mode (switches privileges by setting CS) on multiple occasions (more on this at the upcoming PacSec). The stack will be marked as executable but the code segment limit will not be raised yet: on s...