Hello everyone, long time no see! This begins a series of blog posts about bugs I have found, before and now, in Android vendors' software, including memory corruption and logical bugs, all reported and fixed via Pwn2Own or the vendors' official bug channels.

This very first post is about the chain of bugs we used at the end of 2017 to achieve remote arbitrary application install by clicking a malicious link on the newest Galaxy S8 at that time, prepared for Mobile Pwn2Own: a V8 bug to get initial code execution in the sandbox, and 5 logical bugs to finally get arbitrary application install, with a demo video. The details of the V8 bug will be covered in another post.

(Chinese version here)

Bug 0: Pwning and examining the browser's renderer process

Using the first V8 bug (CVE-2018-10496, credit to Gengming Liu and Zhen Feng of KeenLab), we got initial code execution in the Samsung Internet Browser isolated process. An isolated process is heavily restricted on Android, both by its SELinux context and by traditional DAC permissions. A quick check of the SELinux policy reveals that Samsung did a good job: no additional service attack surface is exposed. The sandboxed process is still limited to accessing very few services and IPCs; starting an activity, for example, is prohibited. For those interested in the Chrome browser sandbox architecture, you can refer to my CanSecWest presentation.

The Samsung Internet Browser has a quite different UI from Chrome, but its core is still largely based on Chrome, and so is its sandbox architecture. Since Samsung did not leave a loophole for us to exploit directly from the isolated context, we fall back on the good old way: attacking the browser IPC.

Looking over the past always gives us insight into the future, which is quite true for ….