Research
deep technical & strategy
JavaScript Engines Exploitation: a Jscript9 Case Study
A brief writeup for the exploit that I wrote for a JavaScript JIT Type Confusion vulnerability in Jscript9.dll (2017). In the exploit I show one classical technique of JavaScript engines exploitation with a fully dynamic ASLR bypass, plus state-of-the-art process continuation to avoid crash. Full exploit code is included.
Read more
Advanced Exploitation of Simple Bugs: a Parallels Desktop Case Study (Pwn2Own 2021)
At Pwn2Own Vancouver 2021 I have demonstrated an 0day VM escape exploit for Parallels Desktop hypervisor. The exploit chain that I developed was based on logic issues. In this deep technical presentation I share the technical details of the exploit, as well as various preliminary and contextual knowledge related to it. (Slides)
Read more
From Binary Patch to Proof-of-concept: a VMware ESXi vmxnet3 Case Study
How to recover a complex vulnerability details from a binary security patch and create a proof of concept. A case study of VMware ESXi vmxnet3 Uninitialized Variable (CVE-2018-6981).
Read more
Don't Share Your $HOME with Untrusted Guests
A story of a trivial *no-bug, by-design* guest-to-host VM escape on latest Parallels Desktop for Mac with bonus persistence, as enabled by the software vendor's product design decisions and certain properties of the Unix interactive shells.
Read more
Microsoft Hyper-V Virtual Network Switch Out of Bounds Read
Deep technical analysis of a security bug in Microsoft Hyper-V root partition kernel component, discovered by me.
Read more
Hyper-V Internals & Linux Integrations Services Drivers
This research note documents some core internals of Microsoft Hyper-V through the implementation perspective of the official Hyper-V paravirtualization drivers package for Linux virtual machines: the LIS.
Read more