CVEs

Software I've helped secure includes the Valve Source Engine (with 1 upcoming CVE) and Microsoft Windows (security research, no CVEs).


Remote Code Execution in the Valve Source Engine (CVE-2023-XXXX)

The Source Engine is a game engine which powers many of the big name titles with daily user counts in excess of one million.

A bug in the the parsing of map (.BSP) files when connecting to an attacker-controlled server (e.g. through a malicious website, Steam invite, or spoofing high player count on the community server list) could lead to arbitrary code execution on a victim's computer. The result is a full compromise of the remote computer at which point an attacker could install malware, move laterally through out the network to infect more hosts, and more.

The bug (not disclosing details for now) causes a pointer to be tainted with data from an attacker-controlled BSP file. This pointer is later used as part of a virtual call thus allowing the attacker to redirect execution flow and eventually execute arbitrary code.

Affects: Windows, Mac OSX, and Linux
CVSS: * 10.0 *


This bug, while confirmed, is currently still being fixed by Valve.

Once it's been patched, expect to see an article on the vulnerability and exploit. It will cover a lot of things such as why this vulnerability has existed for so long in such a common part of the code despite large efforts in fuzzing the Source Engine, previously unseen techniques I used which made exploit creation and hacking around with the Source Engine 1000x easier, touch on this bug's exploitability even under next-gen exploit mitigations (e.g. Intel CET and memory tagging), and more.

Lastly, I'll talk about how I created my first remote code execution (RCE) exploit from practically no prior binary exploitation experience and give some ideas on how you could easily do the same thing. Additionally, all the tools I created along the way to assist exploitation efforts and greatly increase debugging productivity will be open sourced on GitHub.



HackerOne Report (pending release)


Microsoft Windows Security Findings

  • An easy bypass for Windows Defender Tamper Protection
    • To my knowledge, I was the first to come out with a clean 'bypass' for disabling Tamper Protection which works by editing a registry key ACL (also reporting it to the MSRC)
    • Microsoft has now patched this easy bypass
  • Living off the landing binary findings in the default Windows installation
    • Demonstrates how misuse of programs built into the latest versions of Windows can pose a security threat
    • These are especially helpful for bypassing detection in early post-exploitation phases before loading a custom implant
      • Some of them also work well as hidden persistence mechanisms
  • A couple currently undisclosed remote zero day bugs

I've also made multiple contributions directly to defensive security by solving problems with secure design and code (see my GitHub).


More coming soon...

Elliot on Security