Welcome to BFS Labs
Here you will be presented with the latest and most exciting security research activities undertaken by the Blue Frost Security research team. You will find whitepapers, tools, advisories and blog posts.
Advisories
- Microsoft Hyper-V Type Confusion leading to Arbitrary Memory Dereference
  A bug present in the Hyper-V (hvix64) hash-table implementation allows dereferencing memory near (or belonging to) the hash-table struct object.
- Microsoft Hyper-V NULL Pointer Dereference Denial of Service
  A bug present in Hyper-V's (hvix64) emulation handler for VMLAUNCH/VMRESUME allows a malicious L2 hypervisor to trigger a NULL pointer dereference in the L1 hypervisor.
- Microsoft Hyper-V Stack Overflow Denial of Service
  A bug present in the hvix64 module (hypervisor) causes infinite recursion, leading to a stack overflow.
- LG PC Suite Insecure Update Mechanism
  A vulnerability in the update mechanism was identified that allows an attacker to remotely execute arbitrary code on the target system.
Publications
- A bug collision tale
  The inside story of our CVE-2019-2025 exploit
- TEE Exploitation
  Exploiting Trusted Apps on Samsung’s TEE
- Abusing GDI for Ring0 Exploit Primitives: Evolution
  Windows 10 kernel exploitation techniques based on the latest Windows 10 RS3 insider preview
- Look Mom! I Don’t Use Shellcode
  A Browser Exploitation Case Study for Internet Explorer 11
- Exploiting CVE-2014-4113 on Windows 8.1
  Analysis of the Windows kernel vulnerability CVE-2014-4113, demonstrating how it can successfully be exploited on Windows 8.1.
Blog
- Meltdown Reloaded: Breaking Windows KASLR by Leaking KVA Shadow Mappings
  This blog post explains how Meltdown can still be used to leak some specific kernel data and break Windows KASLR in the latest Windows versions, including "Windows 10" 20H1, despite the KVA Shadow mechanism introduced to mitigate Meltdown.
- Exploiting CVE-2020-0041 - Part 2: Escalating to root
  Exploiting the kernel with CVE-2020-0041 to achieve root privileges
- Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox
  Description of CVE-2020-0041, which we reported to Google in December 2019, and the exploit for escaping the Google Chrome sandbox we wrote using this bug.
- CVE-2019-1215: Analysis of a Use After Free in ws2ifsl
  Root cause analysis and exploit for a Windows kernel ws2ifsl.sys use-after-free vulnerability.
- BFS Ekoparty 2019 Exploitation Challenge - Override Banking Restrictions to get US Dollars
  Show us your skills, get invites to the BFS-IOACTIVE party and an opportunity to join BFS!
Twitter
- Advisories including technical details and PoCs for the Hyper-V bugs CVE-2020-0751, CVE-2020-0890 and CVE-2020-0904… https://t.co/l4BpURuwat (7 months, 1 week ago)
- Thought Meltdown was dead? See how @NicoEconomou revived it by leaking the KVA Shadow Mappings and breaking KASLR o… https://t.co/Qztpp6Wocn (9 months, 2 weeks ago)
- With our Offensive Threat Intelligence service, we continuously test your systems for new threats as they arise in… https://t.co/f3uzMTamBI (10 months ago)
- RT @_ringzer0: Discover how @bluefrostsec exploits #Android Binder to escape the Google #Chrome sandbox, attack the kernel, and ob… https://t.co/Q3vEfzzyOb (10 months, 2 weeks ago)
- RT @offensive_con: Bored in isolation? Do not despair! #OffensiveCon20 videos are now up! https://t.co/JpPpX4oUoz (1 year ago)