CVE-2016-2437: Untrusted App to Kernel Heap Overflow

05.05.2016, in { android, kernel, vuln }

The nvhost GPU driver in the Tegra kernel contains a heap overflow in the NVHOST_IOCTL_CTRL_MODULE_REGRDWR ioctl command. The bug stems from an integer overflow in the size computation: the kernel allocates a heap buffer smaller than the request actually needs and then overruns it with an attacker-controlled payload. The current SELinux sepolicy lets any untrusted_app reach the ioctl, so a third-party app with no special permissions can trigger it.
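To make the bug class concrete, here is an added example (written for this page, not the driver's own code) that models the pattern described above: two 32-bit request fields are multiplied into a 32-bit size, the product wraps, the buffer is allocated with the wrapped size, and the per-block copy loop then walks past it. The field names and the request shape are illustrative assumptions, not the real nvhost ioctl structure. Next to the vulnerable size computation is the overflow-checked form a fix would use; the simulation only detects where the overrun would occur instead of corrupting memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical request shape (assumption for this example, not the real
 * nvhost ioctl struct): a count of register blocks and a per-block size.
 */
struct regrdwr_args {
    uint32_t num_offsets;  /* number of register blocks in the request */
    uint32_t block_size;   /* bytes copied per block */
};

/* Vulnerable size computation: both operands are u32, so the product is
 * evaluated in 32 bits and silently wraps. Widening to size_t afterwards
 * (even on an arm64 kernel) does not help; the damage is already done. */
uint32_t vuln_alloc_size(uint32_t num_offsets, uint32_t block_size)
{
    return num_offsets * block_size;
}

/* Hardened size computation: multiply in size_t with an overflow check
 * (the in-kernel equivalent is check_mul_overflow()/array_size()) and
 * cap the result at a sane upper bound. Returns 0 on success, -1 to
 * reject the request. */
int safe_alloc_size(uint32_t num_offsets, uint32_t block_size,
                    size_t limit, size_t *out)
{
    size_t total;
    if (__builtin_mul_overflow((size_t)num_offsets, (size_t)block_size, &total))
        return -1;
    if (total == 0 || total > limit)
        return -1;
    *out = total;
    return 0;
}

/* Simulate the vulnerable handler without actually corrupting memory:
 * allocate the wrapped size, walk the blocks exactly as the copy loop
 * would, and stop at the first block that lands outside the buffer.
 * Returns 1 if an overrun would happen, 0 if every block fits,
 * -1 if the host allocation itself failed. */
int simulate_vuln(uint32_t num_offsets, uint32_t block_size)
{
    uint32_t allocated = vuln_alloc_size(num_offsets, block_size);
    if (allocated == 0)
        return 1;  /* kmalloc(0) yields ZERO_SIZE_PTR; any write overruns */

    uint8_t *buf = calloc(allocated, 1);
    if (!buf)
        return -1;

    int overrun = 0;
    for (uint64_t i = 0; i < num_offsets; i++) {
        uint64_t dst = i * (uint64_t)block_size;
        if (dst + block_size > allocated) {
            overrun = 1;  /* real code would memcpy here: heap overflow */
            break;
        }
        memset(buf + dst, 0x41, block_size);  /* in-bounds "register values" */
    }
    free(buf);
    return overrun;
}

int main(void)
{
    /* Constructed request: 0x10000001 * 0x10 = 0x100000010, wraps to 0x10,
     * so the kernel would allocate 16 bytes for a multi-gigabyte copy. */
    uint32_t n = 0x10000001u, bs = 0x10u;
    size_t sz;

    printf("vulnerable alloc size: %u bytes, overrun would occur: %d\n",
           vuln_alloc_size(n, bs), simulate_vuln(n, bs));
    printf("hardened size check: %s\n",
           safe_alloc_size(n, bs, 1u << 20, &sz) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check worth remembering when auditing ioctl handlers is the type of the multiplication, not the type of the allocation: `kmalloc((size_t)a * b)` is still broken if `a` and `b` are both `u32`, because the cast applies to the already-wrapped product. Casting one operand before the multiply, or using an overflow-checked helper as above, is the fix.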

Android Dissection

Blackhat Europe: Attacking /dev/urandom on Android

20.10.2014, in { android, kernel, vuln }

Our paper was accepted to both USENIX WOOT and Blackhat Europe! So Nadja and I got to go to Amsterdam :) !

Dead Canary

We wanted to exploit CVE-2014-3100, a stack-based buffer overflow in Android's Keystore, which meant bypassing the stack canary. Long story short, we devised probabilistic attacks that enable an attacker to predict random bytes extracted from the underlying entropy pool of /dev/urandom during device boot, such as Keystore's canary value.