What we've been reading in November 2023
Here’s what we’ve found interesting this past month:
Blog posts and articles
Fuzzing Android Native libraries with libFuzzer + QEMU: An approachable introduction to QEMU internals and to integrating QEMU user-mode emulation with libFuzzer so that Android native libraries can be fuzzed, which we hope to build on in our application assessments.
The WebP 0day: This bug has been all the rage recently. In this post Ben Hawkes (formerly lead of Google Project Zero, now founder of Isosceles) explains the vulnerability, walks through building a proof-of-concept file that triggers an ASan report, and theorizes about how the bug was originally found.
Exploiting the libwebp Vulnerability, Part 1: Playing with Huffman Code: Building on the previous entry, this post works through actually exploiting the vulnerability, ending with a rather restrictive out-of-bounds (OOB) write primitive.
Exploiting the libwebp Vulnerability, Part 2: Diving into Chrome Blink: Again building on the previous entry, this post describes turning that restrictive OOB write primitive into remote code execution in Chromium.
That’s FAR-out, Man: A nice XNU info leak patched in iOS 17.1 beta 2, with a solid description of exception handling on arm64. The leak can be used to disclose kernel memory, bypass SMAP, and defeat ASLR.
A Touch of Pwn - Part 1: Our friends at Blackwing Intelligence released research on bypassing Windows Hello fingerprint authentication. There is also a video of their presentation at BlueHat.
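For readers new to libFuzzer, here is the shape of a harness like the ones the libFuzzer + QEMU post builds on. This is an added example written for this roundup, not code from that post (which covers the QEMU user-mode integration, not shown here). The target, parse_records, is a constructed length-prefixed record parser standing in for a native library entry point; the only libFuzzer-specific piece is LLVMFuzzerTestOneInput.

```c
// Added example: a minimal libFuzzer harness around a constructed target.
// parse_records() is hypothetical and stands in for a native library API;
// it is not from the linked post or from any Android library.
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_RECORD 64

/* Constructed target: parses a stream of "len (1 byte) | payload (len bytes)"
   records into a fixed-size stack buffer. Returns the number of records
   parsed, or -1 on malformed input. The two bounds checks are exactly the
   kind of check a fuzzer plus ASan flags when it is missing: without the
   first, a len > MAX_RECORD overflows record[]; without the second, a
   truncated payload reads past the end of the input. */
int parse_records(const uint8_t *data, size_t size) {
    uint8_t record[MAX_RECORD];
    int count = 0;
    size_t pos = 0;

    while (pos < size) {
        uint8_t len = data[pos++];
        if (len > MAX_RECORD) {
            return -1;              /* would overflow record[] */
        }
        if (pos + len > size) {
            return -1;              /* payload truncated, would read OOB */
        }
        memcpy(record, data + pos, len);
        pos += len;
        count++;
    }
    return count;
}

/* libFuzzer entry point, called once per generated input. Build with
   clang -g -fsanitize=fuzzer,address harness.c -o harness and run ./harness;
   ASan reports any out-of-bounds access reached through parse_records().
   libFuzzer reserves non-zero return values, so always return 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    parse_records(data, size);
    return 0;
}
```

The harness must be deterministic and must not exit or crash on malformed input on its own: the fuzzer's job is to find inputs that make the target misbehave, and any crash in the harness itself only produces noise. Initialisation that should happen once (library setup, loading a model file) belongs in LLVMFuzzerInitialize, not in the per-input function.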
Stuff we’ve published
On the Corellium blog, Using Corellium Kernel Hooks to Disable Exploit Mitigations: Revisits an old XNU vulnerability (CVE-2020-27932) and shows how Corellium kernel hooks can temporarily disable exploit mitigations to make research a bit easier.