Anatomy of a Coffee Bean (Wireless Vulnerabilities in Linux Kernel)

Learn how I found wireless vulnerabilities in the Linux Kernel, and variants, thanks to CodeQL.

Nico Waisman

Bug Hunting with CodeQL, an Rsyslog Case Study

Follow GitHub security researcher Agustin Gianni in his bug hunting process, from threat modeling to variant analysis.

Agustin Gianni

In-Memory Data Grid Applications: Finding Common Java Deserialization Vulnerabilities with CodeQL

In-memory data grid applications often make heavy use of serialization to transfer data. Our security researchers look at Java deserialization vulnerabilities in Apache Geode, Red Hat Infinispan, Ignite, and Hazelcast.

Man Yue Mo

U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)

Semmle’s security research team discovers 13 U-Boot RCE vulnerabilities in its bootloader, which is commonly used by IoT, Kindle, and ARM ChromeOS devices.

Fermin J. Serna

Insecure Deserialization: Finding Java Vulnerabilities with CodeQL

Deserialization of untrusted data can lead to vulnerabilities that allow an attacker to execute arbitrary code. We can use CodeQL, the code query technology of LGTM, to find such deserialization vulnerabilities.

Anders Schack-Mulligen

Facebook Fizz integer overflow vulnerability (CVE-2019-3560)

An unauthenticated remote attacker could trigger an infinite loop in Fizz, Facebook's open source TLS library.

Kevin Backhouse

Exploiting CVE-2018-19134: Ghostscript RCE through type confusion

This post describes how I used variant analysis to develop an exploit for Ghostscript CVE-2018-19134, a type confusion vulnerability that allows arbitrary shell command execution.

Man Yue Mo

Ghostscript type confusion: Using variant analysis to find vulnerabilities

This post describes how to perform variant analysis with CodeQL to catch missing type checking in Ghostscript, leading to the discovery of 3 new type confusion vulnerabilities (CVE-2018-19134, CVE-2018-19476, CVE-2018-19477).

Man Yue Mo

CVE-2018-19475: Ghostscript shell command execution in SAFER mode

This post describes how I carried out variant analysis on a vulnerability found by Google Project Zero member Tavis Ormandy and ended up with a new one.

Man Yue Mo

Apple XNU exploits: ICMP proof of concept

A few weeks ago, we disclosed 6 vulnerabilities in Apple's XNU operating system kernel. This post gives the details of our proof-of-concept exploits. It also explains how a query helped us find a path to the vulnerable code.

Kevin Backhouse

OGNL Apache Struts exploit: Weaponizing a sandbox bypass (CVE-2018-11776)

This post reviews various security measures that were implemented in Apache Struts to constrain the power of OGNL, and how to bypass them (up to version 2.5.16).

Man Yue Mo

CVE-2018-18820: Snprintf Vulnerability in Icecast

Our automated analysis found a remote code execution vulnerability in the Icecast streaming media server.

Nick Rolfe

Kernel crash caused by out-of-bounds write in Apple's ICMP packet-handling code (CVE-2018-4407)

The networking implementation in iOS and macOS contained an out-of-bounds write, which could be triggered by sending a malicious packet to the device. No user interaction was required. This post explains how it was found using CodeQL.

Kevin Backhouse

CVE-2018-4259: macOS NFS vulnerabilities lead to kernel RCE

A custom query, written for Apple's macOS operating system kernel, has found multiple stack and heap buffer overflows which are triggerable by connecting to a malicious NFS file server.

Kevin Backhouse

Apache Struts double evaluation RCE lottery

This post takes a look at a type of RCE vulnerability in Apache Struts known as a double evaluation and explains how to find it using CodeQL.

Man Yue Mo

OGNL injection in Apache Struts: Discovering exploits with taint tracking

This post gives more technical detail about general taint-tracking analysis in Apache Struts. It also provides more information on how to write queries that take the architecture of Struts into account to discover various OGNL injection issues.

Man Yue Mo

CVE-2018-11776: How to find 5 RCEs in Apache Struts with CodeQL

Semmle security researcher Man Yue Mo explains how he used CodeQL's Data Flow library to discover multiple RCE vulnerabilities (CVE-2018-11776) in Apache Struts.

Man Yue Mo

Librelp buffer overflow fix (CVE-2018-1000140) - a collaboration between Adiscon and Semmle

This is a joint blog post, from Adiscon and Semmle, about the finding and fixing of CVE-2018-1000140, a security vulnerability in librelp.

Kevin Backhouse

CVE-2018-4249 & CVE-2017-13904: Remote code execution in Apple's packet mangler

The packet-mangler component of Apple's macOS operating system kernel contained a remote code execution vulnerability which could be triggered by sending a malicious network packet to the Mac over the internet. This post explains how we found it using CodeQL.

Kevin Backhouse

Apple NFS Diskless Boot: Negative integer overflow vulnerabilities (CVE-2018-4136 & CVE-2018-4160)

This post explains how to use CodeQL to find calls to bcopy where the size argument might be negative.

Kevin Backhouse

Etherpad reflected file download: Vulnerability hunting with CodeQL (CVE-2018-6835)

This blog post explains how CodeQL can be used to discover so-called 'Reflected File Download' vulnerabilities in JavaScript applications. As an example, we look at CVE-2018-6835 which we recently found in the Etherpad collaborative editor.

Man Yue Mo

Spring Data REST exploit (CVE-2017-8046): Finding an RCE vulnerability with CodeQL

The query language that forms the foundation of LGTM's code analysis makes it very easy to find new security vulnerabilities and variants of them. In this post we look at Spring Data REST, and how CodeQL helped make sure a remote code execution vulnerability was truly eradicated.

Man Yue Mo

Android Deserialization Vulnerabilities: A Brief history

This post describes some past Android deserialization vulnerabilities that exploited C++ pointers wrapped inside Java objects. Using a single query, we can find the classes responsible for them with great precision.

Man Yue Mo

Stack buffer overflow in Qualcomm MSM 4.4 - Finding bugs with CodeQL

This post describes how we can use CodeQL to find unsafe uses of copy_from_user - a C function that is used to copy data from user memory into kernel memory. When used incorrectly, it could cause a stack buffer overflow in the kernel.

Kevin Backhouse

Castor and Hessian java deserialization vulnerabilities

This post shows how to use the new TaintTracking library to easily identify unsafe deserialization vulnerabilities associated with the Castor and Hessian deserialization frameworks. In particular, two new vulnerabilities, CVE-2017-12633 and CVE-2017-12634, are discovered in Apache Camel.

Man Yue Mo

XXE attack example using jBoss vulnerability (jBPM) CVE-2017-7545

This post shows how the out-of-the-box XXE query in LGTM catches an exploitable XXE vulnerability in the JBoss business process manager that is difficult to find using fuzzing or testing.

Man Yue Mo

Apple's XNU Kernel: Finding a memory exposure vulnerability with CodeQL (CVE-2017-13782)

Apple's macOS XNU kernel can be tricked into leaking sensitive kernel memory. This post describes how we can use CodeQL to find such vulnerabilities in C code.

Kevin Backhouse

Restlet XXE vulnerability (CVE-2017-14949)

Unsafe parsing of user input XML data in Restlet leads to remote information disclosure by sending a malicious request to applications built using Restlet's REST API. In this post I will explain the details of the vulnerability, how it was found using CodeQL, and why this type of mistake is easy to make when configuring XML parsers.

Man Yue Mo

Swagger YAML Parser Vulnerability (CVE-2017-1000207 and CVE-2017-1000208)

Parsing YAML data from an untrusted source can lead to arbitrary code execution. This post discusses a vulnerability of this type in Swagger Parser (caused by unsafe use of SnakeYaml), and shows how such vulnerabilities can be found using QL.

Man Yue Mo

Restlet XML External Entity Expansion Vulnerability (CVE-2017-14868)

Unsafe parsing of user input XML data allows a remote attacker arbitrary file access.

Man Yue Mo

Spring AMQP Exploit (CVE-2017-8045): Remote Code Execution Vulnerability

Deserialization of untrusted user data caused a severe remote code execution vulnerability in Spring AMQP's implementation for handling errors. This post explains the details of the vulnerability and how we found it using our query language.

Man Yue Mo

CVE-2017-9805: How CodeQL found a remote code execution vulnerability in Apache Struts

Deserialization of untrusted user data caused a remote code execution vulnerability in Apache Struts. This post explains how CodeQL, LGTM's code query technology, was used to find this vulnerability.

Man Yue Mo