Archiving intermediate analysis results and sharing them with other researchers is common practice in binary analysis. Popular disassemblers such as IDA and Ghidra provide project archiving for exactly this purpose, so that researchers can exchange their results. It turns out, however, that such project sharing is not secure (at all). For example, researchers have found an XXE vulnerability in Ghidra's project parsing logic that can be abused for arbitrary file read, or even command execution on one particular platform (Windows). In this post we present an even more powerful exploit chain in Ghidra: a malicious project archive that executes arbitrary code on the victim's machine regardless of the platform they are using.
How to heap?
In this post I will play with some classic heap exploitation tricks against glibc on Linux, in order to better understand Linux user-space heap management as implemented by glibc's allocator.
Pwn the GOT!
In this post we study how the system handles dynamically linked (external) functions. I will first illustrate how the dynamic linker finds the address of a linked function for a given ELF binary, and then walk through a pretty simple CTF example showing how the related data structure, the GOT (Global Offset Table), can be hijacked to redirect control flow.
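To make the lookup concrete, here is an added example, written for this page and not code from the post or from any CTF. It walks the running executable's own .dynamic section the way the loader does (DT_SYMTAB, DT_STRTAB, DT_JMPREL), finds the .rela.plt entry for puts to locate its GOT slot, and then overwrites that slot with a hook so that the next call through the PLT lands in attacker-chosen code. It assumes a dynamically linked 64-bit Linux ELF with RELA-style PLT relocations (x86_64 or aarch64) under glibc or musl; the rebase() heuristic, the file name got_hijack_demo.c and the use of mprotect to undo RELRO are my choices, not part of the ELF specification.

```c
/* got_hijack_demo.c (added example): locate an imported function's GOT slot
 * by parsing our own dynamic section, then redirect puts() through it.
 * Assumes a dynamically linked 64-bit Linux ELF whose PLT relocations are
 * RELA entries (x86_64, aarch64).  Build: cc -Wall got_hijack_demo.c       */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/mman.h>
#include <unistd.h>

extern Elf64_Dyn _DYNAMIC[];   /* linker-provided: the executable's own .dynamic */

/* The d_ptr values in .dynamic are either link-time virtual addresses (musl
 * leaves them untouched) or already rebased in place (glibc adds the load
 * base during relocation).  Heuristic (assumption): anything below the load
 * base still needs the base added.                                         */
static uintptr_t rebase(uintptr_t base, uintptr_t p) {
    return p < base ? base + p : p;
}

/* Return the address of the GOT slot that the PLT stub for `name` jumps
 * through, or NULL if the executable does not import `name` via the PLT.  */
uint64_t *got_slot_for(const char *name) {
    const Elf64_Phdr *ph = (const Elf64_Phdr *)getauxval(AT_PHDR);
    size_t phnum = getauxval(AT_PHNUM);
    uintptr_t base = 0;
    for (size_t i = 0; i < phnum; i++)
        if (ph[i].p_type == PT_DYNAMIC) {       /* load base = where .dynamic */
            base = (uintptr_t)_DYNAMIC - ph[i].p_vaddr; /* ended up minus its */
            break;                                      /* link-time address  */
        }

    const char *strtab = NULL;
    const Elf64_Sym *symtab = NULL;
    const Elf64_Rela *jmprel = NULL;
    size_t jmprelsz = 0;
    long pltrel = 0;
    for (const Elf64_Dyn *d = _DYNAMIC; d->d_tag != DT_NULL; d++) {
        switch (d->d_tag) {
        case DT_STRTAB:   strtab  = (const char *)rebase(base, d->d_un.d_ptr); break;
        case DT_SYMTAB:   symtab  = (const Elf64_Sym *)rebase(base, d->d_un.d_ptr); break;
        case DT_JMPREL:   jmprel  = (const Elf64_Rela *)rebase(base, d->d_un.d_ptr); break;
        case DT_PLTRELSZ: jmprelsz = d->d_un.d_val; break;
        case DT_PLTREL:   pltrel   = (long)d->d_un.d_val; break;
        }
    }
    if (!strtab || !symtab || !jmprel || pltrel != DT_RELA) return NULL;

    /* Each .rela.plt entry names one imported function (via the dynamic
     * symbol table) and the GOT slot the loader must fill in for it.        */
    for (size_t i = 0; i < jmprelsz / sizeof(Elf64_Rela); i++) {
        const Elf64_Sym *sym = &symtab[ELF64_R_SYM(jmprel[i].r_info)];
        if (strcmp(strtab + sym->st_name, name) == 0)
            return (uint64_t *)(base + jmprel[i].r_offset); /* r_offset is never rebased in place */
    }
    return NULL;
}

static volatile int hook_hits;                 /* how often the hook ran */
static int (*real_puts)(const char *);         /* saved before the overwrite */

static int hooked_puts(const char *s) {
    hook_hits++;
    return real_puts(s);   /* forward via the saved pointer, not via the GOT */
}

/* An ordinary call site: compiles to call/jmp puts@PLT, i.e. through the slot. */
static int say(const char *s) { return puts(s); }

/* Returns how many times hooked_puts ran for one say() after the hijack
 * (1 on success); -1 if no slot was found, -2 if the page could not be made
 * writable.                                                                  */
int hijack_demo(void) {
    say("first call: under lazy binding this makes the loader fill the slot");
    uint64_t *slot = got_slot_for("puts");
    if (!slot) return -1;
    long pg = sysconf(_SC_PAGESIZE);
    void *page = (void *)((uintptr_t)slot & ~((uintptr_t)pg - 1));
    /* Full RELRO re-maps the GOT read-only after relocation.  That stops a
     * bare write primitive, but code that already executes can just undo it. */
    if (mprotect(page, (size_t)pg, PROT_READ | PROT_WRITE) != 0) return -2;
    real_puts = (int (*)(const char *))(uintptr_t)*slot;
    *slot = (uint64_t)(uintptr_t)hooked_puts;  /* the actual GOT hijack */
    hook_hits = 0;
    say("second call: the PLT stub now jumps into hooked_puts");
    return hook_hits;
}

int main(void) {
    uint64_t *slot = got_slot_for("puts");
    printf("GOT slot for puts at %p, currently holds %#llx\n",
           (void *)slot, slot ? (unsigned long long)*slot : 0ULL);
    int hits = hijack_demo();
    printf("hooked_puts ran %d time(s)\n", hits);
    return hits == 1 ? 0 : 1;
}
```

Before relying on a GOT overwrite in a real target, check how the binary was linked: `readelf -l ./target | grep GNU_RELRO` shows whether a RELRO segment exists, and `readelf -d ./target | grep -E 'BIND_NOW|FLAGS'` shows whether binding is eager (full RELRO, slot read-only after startup) or lazy (partial RELRO, .got.plt stays writable, which is the situation the CTF-style hijack in the post relies on). The example above sidesteps that question with mprotect only because it already runs its own code in the process; an attacker with just an arbitrary write does not get that luxury.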
What are researchers looking for when they build fuzzing tools?
This write-up is a literature review of recent fuzzing papers. I will first introduce the basic ideas of fuzzing, then review state-of-the-art fuzzing research, and finally summarize several key questions researchers face when building a fuzzing framework, analyzing how the related papers answer them. (I will keep updating this write-up as I read more papers about fuzzing.)
Floodlight Remote Command Execution
This is a serious vulnerability in the latest version of Floodlight (v1.2) at the time of writing.
With this vulnerability, an adversary who controls a single compromised OpenFlow switch [1] can escalate that foothold into a compromise of the whole network: for example, remotely disconnecting the entire network or monitoring any traffic, with nothing more than the switch's privileges.