#ASLR

Latest posts tagged with #ASLR on Bluesky

No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE;

modzero.com/en/blog/no-l...

#exploitation #cve #rce #rop #aslr #arm #iot

Project Zero Exposes Apple ASLR Bypass via NSDictionary Serialization Flaw

Google Project Zero has uncovered a sophisticated technique for bypassing Address Space Layout Randomization (ASLR) protections on Apple devices, targeting a fundamental issue in Apple’s serialization framework. Security researcher Jann Horn described how deterministic behaviors in NSKeyedArchiver and NSKeyedUnarchiver could enable attackers to leak memory pointer values without exploiting conventional bugs or timing-based side channels.

The vulnerability centers on the interaction between singleton objects, pointer-based hash values, and serialization routines. Specifically, Horn identified that NSNull—a singleton object within Apple’s Core Foundation (CFNull)—exposes its memory address through its hash value. Because this object resides in a fixed location in the shared cache, it creates a reliable oracle for leaking memory addresses, defeating standard ASLR defenses.

Attackers can exploit this by crafting malicious serialized input which, when de-serialized and then re-serialized by a victim application, can allow inference of key memory locations. By leveraging the predictable hashing of NSNumber keys and understanding how NSDictionary structures its internal hash table based on prime-numbered bucket counts, an attacker controls where keys are placed during serialization. The relative position of the NSNull key reveals the outcome of hash_code % num_buckets, letting attackers deduce the memory address used by NSNull. Scaling this approach involves using dictionaries with different prime-sized bucket counts, repeatedly measuring key placements, and applying the Extended Euclidean Algorithm. This enables precise reconstruction of the NSNull pointer address. Horn’s proof-of-concept demonstrated the feasibility, though no real-world application was found with this pattern in production services.

The attacker’s tooling involved generating specialized serialized input and computing memory addresses after receiving the victim’s output. Apple addressed the issue in its March 31, 2025 security updates.

Horn cautioned against frameworks using raw memory addresses as hash values, especially when those addresses are static, and recommended strict allowlisting during deserialization, not returning re-serialized attacker input, and keeping outputs within trusted boundaries—aligning with broader best practices for deserialization risks.

Horn linked this exploit to earlier research on hash-based attacks, such as hashDoS, but highlighted that this method exploits hash order determinism for information leakage rather than denial-of-service. Ultimately, the finding broadens the understanding of how seemingly safe serialization behavior can be weaponized, and underscores the importance of robust serialization hygiene in software security.

Project Zero Exposes Apple ASLR Bypass via NSDictionary Serialization Flaw #ASLR #NSDictionary #ProjectZero

Novartis-ASL Roma2, new study on subjects at cardiovascular risk ROME (ITALPRESS) – There are 145,000 people at risk of developing a cardiovascular event in ASL Roma 2, of whom 41,800 are at high and very high risk, but around 40% of them have never had a cardiology check-up and the...

Novartis-ASL Roma2, new study on subjects at cardiovascular risk ... READ MORE #salute #cardiologia #prevenzione #benessere #aslr

Original post on developer-tech.com

MIT researchers develop ‘Oreo’ to protect against hardware attacks Researchers at the MIT Com...

www.developer-tech.com/news/mit-researchers-dev...

#Hacking #& #Security #Linux #Platforms #Windows #aslr #csail […]


Must…not…get into ASLR rabbit hole, need sleep 💀

#Programming #Assembly #ASLR #Sleep


If you're serious about offensive security,

Master ROP chains👌

Start with ROPgadget & ROP Emporium before moving to manual device hunting in IDA.

#DEP & #ASLR are jokes once you chain the right pivots. 😌

#ExploitDev #Binary #Exploitation #Infosec #ROP #Cybersecurity


Pre-save the new single “Forever” by The Tisburys, out Wednesday Jan 29th: ffm.to/tisburysfore...

🎥: @billy.denham

#thetisburys #indierock #newmusic #tisburys4ever #aslr


Memory corruption is old-school?

Think again!

Modern heap exploitation uses techniques like tcache poisoning in glibc. Combine it with ASLR bypass tricks

then ....

You’re back to popping shells in 2025. 🎩

#Exploitation #ASLR #CyberSecurity #Infosec #tcache #Memory


soon #ASLR #thetisburys #tisburys4ever


Nice reading about a technique to bypass ASLR without the need of an InfoLeak

github.com/nick0ve/how-...

#aslr #exploit #infosec

ASLR^CACHE Attack Defeats Address Space Layout Randomization via @hackaday hackaday.com/2017/02/15/aslrcache-att... #security #ASLR #hack
