skip to content
/
Research Advisories CodeQL Wall of Fame Events Get Involved
Research
Old Posts Archive

Fuzzing sockets: Apache HTTP, Part 3: Results

In this third and last part, I’ll share the results of my research on Apache HTTP server, and I’ll show some of the vulnerabilities that I’ve found.

Author avatarAntonio Morales

Updates to the Bug Slayer bug bounty program

We're making changes to the Bug Slayer bug bounty program to clarify its scope and improve rewards.

Author avatarGitHub Security Lab

Getting root on Ubuntu through wishful thinking

How to exploit a double-free vulnerability in Ubuntu's accountsservice (CVE-2021-3939)

Author avatarKevin Backhouse

Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver

In this post, I'll use three bugs that I reported to Qualcomm in the NPU (neural processing unit) driver to gain arbitrary kernel code execution as root user and disable SELinux from the untrusted app sandbox in an Android phone.

Author avatarMan Yue Mo

Chrome in-the-wild bug analysis: CVE-2021-37975

This post is a technical analysis of a recently disclosed Chrome vulnerability in the garbage collector of v8 (CVE-2021-37975) that was believed to be exploited in the wild. This vulnerability was reported by an anonymous researcher and was patched on September 30, 2021 in Chrome version 94.0.4606.71. I'll cover the root cause analysis of the bug, as well as detailed exploitation.

Author avatarMan Yue Mo

The fugitive in Java: Escaping to Java to escape the Chrome sandbox

In this post, I'll exploit a use-after-free (CVE-2021-30528) in the Chrome browser process that I reported to escape the Chrome sandbox. This is a fairly interesting bug that shows some of the subtleties involved in the interactions between C++ and Java in the Android version of Chrome.

Author avatarMan Yue Mo

Chrome in-the-wild bug analysis: CVE-2021-30632

This post is a technical analysis of a recently disclosed Chrome JIT vulnerability (CVE-2021-30632) that was believed to be exploited in the wild. This vulnerability was reported by an anonymous researcher and was patched on September 13, 2021 in Chrome version 93.0.4577.82. I'll cover the root cause analysis of the bug, as well as detailed exploitation.

Author avatarMan Yue Mo

Apache Dubbo: All roads lead to RCE

During an audit of Apache Dubbo v2.7.8 source code, I found multiple vulnerabilities enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers. In this blog post I detailed how I leveraged CodeQL as an audit oracle to help me find these issues.

Author avatarAlvaro Munoz

Fail2exploit: a security audit of Fail2ban

The story of how I failed to find any vulnerabilities in Fail2ban.

Author avatarKevin Backhouse

Fuzzing sockets: Apache HTTP, Part 2: Custom Interceptors

In this second installment, I will focus on how to build our own custom ASAN interceptors in order to catch memory bugs when custom memory pools are implemented and also on how to intercept file system syscalls to detect logic errors in the target application.

Author avatarAntonio Morales

One day short of a full chain: Part 3 - Chrome renderer RCE

In this last post of the series, I'll exploit a use-after-free in the Chrome renderer (CVE-2020-15972), a bug that I reported in September 2020 but turned out to be a duplicate, to gain remote code execution in the sandboxed renderer process in Chrome.

Author avatarMan Yue Mo

One day short of a full chain: Part 2 - Chrome sandbox escape

In this second post of the series, I'll exploit a use-after-free in the Payment component of Chrome (1125614/GHSL-2020-165), a bug that I reported in September 2020 that only affected version 86 of Chrome, which was in beta. I'll use it to escape the Chrome sandbox to gain privilege of a third party App on Android from a compromised renderer.

Author avatarMan Yue Mo

One day short of a full chain: Part 1 - Android Kernel arbitrary code execution

In this series of posts, I'll go through the exploit of three security bugs that I reported, which, when used together, can achieve remote kernel code execution in Qualcomm's devices by visiting a malicious website in a beta version of Chrome. In this first post, I'll exploit a use-after-free in Qualcomm's kgsl driver (CVE-2020-11239), a bug that I reported in July 2020 and that was fixed in January 2021, to gain arbitrary kernel code execution from the application domain.

Author avatarMan Yue Mo

Fuzzing sockets: Apache HTTP, Part 1: Mutations

In this first episode, I’ll do a brief introduction on how Apache HTTP works, and I’ll give you some insights into custom mutators and how they can be applied to the HTTP protocol effectively.

Author avatarAntonio Morales

Security Lab research: a year in review

The GitHub Security Lab is celebrating its very first birthday! In this post we will highlight some of our inaugural research findings and initiatives as we gear up for the 2021 bug hunting season.

Author avatarGitHub Security Lab

Increased bounty rewards for the GitHub Security Lab community!

In this post we look back on one year of building a home for the security research' community on GitHub, and announce exciting milestones and next steps for our bounty program

Author avatarGitHub Security Lab

Now you C me, now you don't, part two: exploiting the in-between

Aimed at developers, in this series we introduce and explore the memory unsafe attack surface of interpreted languages.

Author avatarBas Alberts

Securing the fight against COVID-19 through open source

This blog describes a security vulnerability in the infrastructure that supports Germany’s COVID-19 contact tracing efforts. The mobile (Android/iOS) apps are not affected by the vulnerability and do not collect and/or transmit any personal data other than the device’s IP address. The infrastructure takes active measures to disassociate true positives from client IP addresses.

Author avatarAlvaro Munoz

How to get root on Ubuntu 20.04 by pretending nobody’s /home

Ubuntu 20.04 local privilege escalation using vulnerabilities in gdm3 and accountsservice (CVE-2020-16125, CVE-2020-16126, CVE-2020-16127)

Author avatarKevin Backhouse

Exploiting a textbook use-after-free in Chrome

In this post I'll give details about how to exploit CVE-2020-6449, a use-after-free (UAF) in the WebAudio module of Chrome that I discovered in March 2020. I'll give an outline of the general strategy to exploit this type of UAF to achieve a sandboxed RCE in Chrome by a single click (and perhaps a 2 minute wait) on a malicious website.

Author avatarMan Yue Mo

Hack this repository: The EkoParty 2020 GitHub CTF challenges

In this post we recap the intended solutions for the GitHub levels of the EkoParty 2020 main CTF.

Author avatarBas Alberts

The Grey area of software security - whose responsibility is it?

Security is a complex area. One software component may break the assumptions made by another component and it is not always clear who should fix the code to remediate the security implications.

Author avatarJaroslav Lobačevski

The weakest link

In this post we will talk about how we identified an important design detail in a C library called eventmachine and how it undermined the security of several ruby packages.

Author avatarAgustin Gianni

Now you C me, now you don't: An introduction to the hidden attack surface of interpreted languages

Aimed at developers, in this series we introduce and explore the memory unsafe attack surface of interpreted languages.

Author avatarBas Alberts

Bean Stalking: Growing Java beans into RCE

In this post I'll show how input validation which should be used to prevent malformed inputs to enter our applications, open up the doors to Remote Code Execution (RCE).

Author avatarAlvaro Munoz

The Octopus Scanner Malware: Attacking the open source supply chain

This post details how an open source supply chain malware spread through build artifacts. 26 open source projects were backdoored by this malware and were actively serving backdoored code.

Author avatarAlvaro Munoz

Hot lava: A case study in hunting for network integer arithmetic flaws

We examine the dangers of network integer arithmetic based on a case study of flaws reported to the ntop project.

Author avatarBas Alberts

Triggering garbage collection with rejected promises to cause use-after-free in Chrome

In this post I'll show how garbage collections (GC) in Chrome may be triggered with small memory allocations in unexpected places, which was then used to cause a use-after-free bug.

Author avatarMan Yue Mo

CVE-2020-0688 Losing the keys to your kingdom

Learn about how reusing hardcoded HMAC keys led to remote code execution on Exchange servers.

Author avatarAlvaro Munoz

CVE-2020-5398 Reflected File Download in Spring MVC/WebFlux

Learn about Reflected File Downloads by reviewing how Spring MVC and WebFlux were affected.

Author avatarAlvaro Munoz

CVE-2019-10779: Cross-site scripting in GCHQ Stroom

GCHQ Stroom is vulnerable to Cross-Site Scripting due to the ability to load the Stroom dashboard on another site and insufficient protection against window event origins.

Author avatarJonathan Leitschuh

Ubuntu whoopsie integer overflow vulnerability (CVE-2019-11484)

This is the fourth and final post in a series about Ubuntu's crash reporting system. We'll review CVE-2019-11484, a vulnerability in whoopsie which enables a local attacker to get a shell as the whoopsie user, thereby gaining the ability to read any crash report.

Author avatarKevin Backhouse

Ubuntu apport PID recycling vulnerability (CVE-2019-15790)

This is the third post in a series about Ubuntu's crash reporting system. We'll review CVE-2019-15790, a vulnerability in apport that enables a local attacker to obtain the ASLR offsets for any process they can start (or restart).

Author avatarKevin Backhouse

Ubuntu apport TOCTOU vulnerability (CVE-2019-7307)

This is the second post in our series about Ubuntu's crash reporting system. We'll review CVE-2019-7307, a TOCTOU vulnerability that enables a local attacker to include the contents of any file on the system in a crash report.

Author avatarKevin Backhouse

Another libssh2 integer overflow (CVE-2019-17498)

GitHub security researcher Kevin Backhouse describes a new integer overflow vulnerability in libssh2 and explains the benefits of using variant analysis with QL when reporting a vulnerability.

Author avatarKevin Backhouse

In-Memory Data Grid Applications: Finding Common Java Deserialization Vulnerabilities with CodeQL

In-memory data grid applications often make heavy use of serialization to transfer data. Our security researchers look at Java deserialization vulnerabilities in Apache Geode, Red Hat Infinispan, Ignite, and Hazelcast.

Author avatarMan Yue Mo

VLC Vulnerabilities Discovered by the GitHub Security Research Team

GitHub Security Lab’s research team discovers 11 bugs in VLC, the popular media player. The VLC vulnerability CVE-2019-14438 could potentially allow an attacker to take control of the user’s computer.

Author avatarAntonio Morales

U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)

Semmle’s security research team discovers 13 U-Boot RCE vulnerabilities in its bootloader, which is commonly used by IoT, Kindle, and ARM ChromeOS devices.

Author avatarFermin J. Serna

libssh2 integer overflows and an out-of-bounds read (CVE-2019-13115)

Get a technical deep dive into some libssh2 integer overflows and an out-of-bounds read. GitHub security researcher Kevin Backhouse shows how the vulnerability can be triggered by connecting to a malicious ssh server.

Author avatarKevin Backhouse

Insecure Deserialization: Finding Java Vulnerabilities with CodeQL

Deserialization of untrusted data can lead to vulnerabilities that allow an attacker to execute arbitrary code. We can use CodeQL, the code query technology of LGTM, to find such deserialization vulnerabilities.

Author avatarAnders Schack-Mulligen

Facebook Fizz integer overflow vulnerability (CVE-2019-3560)

An unauthenticated remote attacker could trigger an infinite loop in Fizz, Facebook's open source TLS library.

Author avatarKevin Backhouse

Exploiting CVE-2018-19134: Ghostscript RCE through type confusion

This post describes how I used variant analysis to develop an exploit for Ghostscript CVE-2018-19134, a type confusion vulnerability that allows arbitrary shell command execution.

Author avatarMan Yue Mo

Ghostscript type confusion: Using variant analysis to find vulnerabilities

This post describes how to perform variant analysis with CodeQL to catch missing type checking in Ghostscript, leading to the discovery of 3 new type confusion vulnerabilities (CVE-2018-19134, CVE-2018-19476, CVE-2018-19477)

Author avatarMan Yue Mo

CVE-2018-19475: Ghostscript shell command execution in SAFER mode

This post describes how I carried out variant analysis on a vulnerability found by Google Project Zero member Tavis Ormandy and ended up with a new one.

Author avatarMan Yue Mo

Apple XNU exploits: ICMP proof of concept

A few weeks ago, we disclosed 6 vulnerabilities in Apple's XNU operating system kernel. This post gives the details of our proof-of-concept exploits. It also explains how a query helped us find a path to the vulnerable code.

Author avatarKevin Backhouse

OGNL Apache Struts exploit: Weaponizing a sandbox bypass (CVE-2018-11776)

This post reviews various security measures that were implemented in Apache Struts to constrain the power of OGNL, and how to bypass them (up to version 2.5.16).

Author avatarMan Yue Mo

CVE-2018-18820: Snprintf Vulnerability in Icecast

Our automated analysis found a remote code execution vulnerability in the Icecast streaming media server.

Author avatarNick Rolfe

CVE-2018-4259: MacOS NFS vulnerabilties lead to kernel RCE

A custom query, written for Apple's macOS operating system kernel, has found multiple stack and heap buffer overflows which are triggerable by connecting to a malicious NFS file server.

Author avatarKevin Backhouse

Kernel crash caused by out-of-bounds write in Apple's ICMP packet-handling code (CVE-2018-4407)

The networking implementation in iOS and macOS contained an out-of-bounds write, which could be triggered by sending a malicious packet to the device. No user interaction was required. This post explains how it was found using CodeQL.

Author avatarKevin Backhouse

Apache Struts double evaluation RCE lottery

This post takes a look at a type of RCE vulnerability in Apache Struts known as a double evaluation and explains how to find it using CodeQL.

Author avatarMan Yue Mo

OGNL injection in Apache Struts: Discovering exploits with taint tracking

This post gives more technical detail about general taint-tracking analysis in Apache Struts. It also provides more information on how to write queries that take the architecture of Struts into account to discover various OGNL injection issues.

Author avatarMan Yue Mo

CVE-2018-11776: How to find 5 RCEs in Apache Struts with CodeQL

Semmle security researcher Man Yue Mo explains how he used CodeQL's Data Flow library to discover multiple RCE vulnerabilities (CVE-2018-11776) in Apache Struts.

Author avatarMan Yue Mo

Librelp buffer overflow fix (cve-2018-1000140) - a collaboration between Adiscon and Semmle

This is a joint blog post, from Adiscon and Semmle, about the finding and fixing of CVE-2018-1000140, a security vulnerability in librelp.

Author avatarKevin Backhouse

CVE-2018-4249 & CVE-2017-13904: Remote code execution in Apple's packet mangler

The packet-mangler component of Apple's macOS operating system kernel contained a remote code execution vulnerability which could be triggered by sending a malicious network packet to the Mac over the internet. This post explains how it we found it using CodeQL.

Author avatarKevin Backhouse

Apple NFS Diskless Boot: Negative integer overflow vulnerabilities (CVE-2018-4136 & CVE-2018-4160)

TThis post explains how to use CodeQL to find calls to bcopy where the size argument might be negative.

Author avatarKevin Backhouse

Etherpad reflected file download: Vulnerability hunting with CodeQL (CVE-2018-6835)

This blog post explains how CodeQL can be used to discover so-called 'Reflected File Download' vulnerabilities in JavaScript applications. As an example, we look at CVE-2018-6835 which we recently found in the Etherpad collaborative editor.

Author avatarMan Yue Mo

Spring Data REST exploit (CVE-2017-8046): Finding a RCE vulnerability with CodeQL

The query language that forms the foundation of LGTM's code analysis makes it very easy to find new security vulnerabilities and variants of it. In this post we look at Spring Data REST, and how CodeQL helped making sure a remote code execution vulnerability was truly eradicated.

Author avatarMan Yue Mo

Stack buffer overflow in Qualcomm MSM 4.4 - Finding bugs with CodeQL

This post describes how we can use CodeQL to find unsafe uses of copy_from_user - a C function that is used to copy data from user memory into kernel memory. When used incorrectly, it could cause a stack buffer overflow in the kernel.

Author avatarKevin Backhouse

Castor and Hessian java deserialization vulnerabilities

This post shows how to use the new TaintTracking library to easily identify unsafe deserialization vulnerabilities associated with the Castor and Hessian deserialization framework. In particular, two new vulnerabilities, CVE-2017-12633 and CVE-2017-12634 are discovered in Apache Camel.

Author avatarMan Yue Mo

XXE attack example using jBoss vulnerability (jBPM) CVE-2017-7545

This post shows how the out-of-the-box XXE query in LGTM catches an exploitable XXE vulnerability in the JBoss business process manager that is difficult to find using fuzzing or testing.

Author avatarMan Yue Mo

Apple's XNU Kernel: Finding a memory exposure vulnerability with CodeQL (CVE-2017-13782)

Apple's macOS XNU kernel can be tricked into leaking sensitive kernel memory. This post describes how we can use CodeQL to find such vulnerabilities in C code.

Author avatarKevin Backhouse

Restlet XXE vulnerability (CVE-2017-14949)

Unsafe parsing of user input XML data in Restlet leads to remote information disclosure by sending a malicious request to applications built using Restlet's REST API. In this post I will explain the details of the vulnerability, how it is found using CodeQL and why this type of mistake is easy to make when configuring XML parsers.

Author avatarMan Yue Mo

Swagger YAML Parser Vulnerability (CVE-2017-1000207 and CVE-2017-1000208)

Parsing YAML data from untrusted source can lead to arbitrary code execution. This post discusses a vulnerability of this type in Swagger Parser (caused by unsafe use of SnakeYaml), and shows how such vulnerabilities can be found using QL.

Author avatarMan Yue Mo

Restlet XML External Entity Expansion Vulnerability (CVE-2017-14868)

Unsafe parsing of user input XML data allows remote attacker arbitrary file access.

Author avatarMan Yue Mo

Spring AMQP Exploit (CVE-2017-8045): Remote Code Execution Vulnerability

Deserialization of untrusted user data caused a severe remote code execution vulnerability in Spring AMQP's implementation for handling errors. This post explains the details of the vulnerability and how we found it using our query language.

Author avatarMan Yue Mo