Frame by Frame, Kernel Streaming Keeps Giving Vulnerabilities
2025-05-17In-depth research into Windows Kernel Streaming vulnerabilities, revealing MDL misuse, buffer misalignment, and exploitation techniques used in CVE-2024-38238 and others.
作者文章
Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part II
2024-10-05這篇研究將延續 Kernel Streaming 的攻擊面,深入探討在 Kernel Streaming 的另一個功能中找到的新漏洞,並揭露如何利用這個 Bug Class 成功攻擊 Windows 11,此議題亦發表於 HEXACON 2024 中。
Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part II
2024-10-05This research continues to explore the attack surface of Kernel Streaming, delving into newly discovered vulnerabilities within another feature of Kernel Streaming and demonstrating how to leverage this bug class to successfully attack Windows 11. This topic was also presented at HEXACON 2024.
Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part I
2024-08-23在這篇研究將講述一個長期被忽視的攻擊面,讓我們在兩個月內就找出了超過 10 個漏洞。此外,也將深入探討了一種 Proxy-Based 的邏輯漏洞類型,使我們可以忽略掉大多數的檢查,最終成功在 Pwn2Own Vancouver 2024 中,攻下 Windows 11 的項目。
Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part I
2024-08-23This research will discuss an overlooked attack surface that allowed us to find more than ten vulnerabilities within two months. Additionally, we will delve into a proxy-based logical vulnerability type that allows us to bypass most validations, enabling us to successfully exploit Windows 11 in Pwn2Own Vancouver 2024.
Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II
2023-11-06我們在 Canon 的印表機找到了 Pre-auth RCE 漏洞 (CVE-2023-0853、CVE-2023-0854),同時在 HP 印表機也有找到 Pre-auth RCE 的漏洞。最終拿下 Pwn2Own Toronto 2022 Master of Pwn。我們將在本文介紹 Canon 及 HP 漏洞的細節及利用方式。
Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II
2023-11-06We identified Pre-auth RCE vulnerabilities in Canon printers (CVE-2023-0853, CVE-2023-0854) and also discovered Pre-auth RCE flaws in HP printers, which led to our achievement of the Master of Pwn title at Pwn2Own Toronto 2022. This article will detail the vulnerabilities and exploitation methods for both Canon and HP printers.
Your printer is not your printer ! - Hacking Printers at Pwn2Own Part I
2023-10-05我們在 Canon 和 HP 的印表機中發現了 Pre-auth RCE 的漏洞(CVE-2022-24673 及 CVE-2022-3942) 及 Lexmark 發現漏洞(CVE-2021-44734),並在 Pwn2Own Austin 2021 中取得所有印表機的控制權,成功獲得 Pwn2Own 中駭客大師(Master of Pwn) 的點數,這篇研究將講述 Canon 及 HP 漏洞的細節及我們的利用方式。
Your printer is not your printer ! - Hacking Printers at Pwn2Own Part I
2023-10-05In 2021, we found Pre-auth RCE vulnerabilities(CVE-2022-24673 and CVE-2022-3942) in Canon and HP printers, and vulnerability(CVE-2021-44734) in Lexmark. We used these vulnerabilities to exploit Canon ImageCLASS MF644Cdw, HP Color LaserJet Pro MFP M283fdw and Lexmark MC3224i in Pwn2Own Austin 2021. Following we will describe the details of the Canon and HP vulnerabilities and exploitation.
Your NAS is not your NAS !
2022-03-28我們已成功在 NAS 中找到一個嚴重漏洞,並且成功寫出概念證明程式,證實可以利用在 Synology、QNAP 及 Asustor 等主流 NAS 上利用。我們也認為 Netatalk 是在 NAS 中新一代的後門!
Your NAS is not your NAS !
2022-03-28We have successfully found a serious vulnerability in the NAS, and successfully wrote a proof-of-concept, which proved that it can be exploited on many NAS such as Synology, QNAP and Asustor.