Man Yue Mo

Posts by this author

Vulnerability research Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver

In this post, I’ll use three bugs that I reported to Qualcomm in the NPU (neural processing unit) driver to gain arbitrary kernel code execution as root user and disable SELinux from the untrusted app sandbox in an Android phone.

Man Yue MoNovember 18, 2021

Vulnerability research
Chrome in-the-wild bug analysis: CVE-2021-37975
This post is a technical analysis of a recently disclosed Chrome vulnerability in the garbage collector of v8 (CVE-2021-37975) that was believed to be exploited in the wild. This vulnerability was reported by an anonymous researcher and was patched on September 30, 2021 in Chrome version 94.0.4606.71. I’ll cover the root cause analysis of the bug, as well as detailed exploitation.Man Yue MoOctober 19, 2021
Learn more
Vulnerability research
The fugitive in Java: Escaping to Java to escape the Chrome sandbox
In this post, I’ll exploit a use-after-free (CVE-2021-30528) in the Chrome browser process that I reported to escape the Chrome sandbox. This is a fairly interesting bug that shows some of the subtleties involved in the interactions between C++ and Java in the Android version of Chrome.Man Yue MoSeptember 30, 2021
Learn more
Vulnerability research
Chrome in-the-wild bug analysis: CVE-2021-30632
This post is a technical analysis of a recently disclosed Chrome JIT vulnerability (CVE-2021-30632) that was believed to be exploited in the wild. This vulnerability was reported by an anonymous researcher and was patched on September 13, 2021 in Chrome version 93.0.4577.82. I’ll cover the root cause analysis of the bug, as well as detailed exploitation.Man Yue MoSeptember 27, 2021
Learn more
Application security
One day short of a full chain: Real world exploit chains explained
When it comes to security research, the path from bug to vulnerability to exploit can be a long one. Security researchers often end their research journey at the “Proof of…Man Yue MoMarch 24, 2021
Learn more
Vulnerability research
One day short of a full chain: Part 3 – Chrome renderer RCE
In this last post of the series, I’ll exploit a use-after-free in the Chrome renderer (CVE-2020-15972), a bug that I reported in September 2020 but turned out to be a duplicate, to gain remote code execution in the sandboxed renderer process in Chrome.Man Yue MoMarch 24, 2021
Learn more
Vulnerability research
One day short of a full chain: Part 1 – Android Kernel arbitrary code execution
In this series of posts, I’ll go through the exploit of three security bugs that I reported, which, when used together, can achieve remote kernel code execution in Qualcomm’s devices by visiting a malicious website in a beta version of Chrome. In this first post, I’ll exploit a use-after-free in Qualcomm’s kgsl driver (CVE-2020-11239), a bug that I reported in July 2020 and that was fixed in January 2021, to gain arbitrary kernel code execution from the application domain.Man Yue MoMarch 16, 2021
Learn more
Vulnerability research
One day short of a full chain: Part 2 – Chrome sandbox escape
In this second post of the series, I’ll exploit a use-after-free in the Payment component of Chrome (1125614/GHSL-2020-165), a bug that I reported in September 2020 that only affected version 86 of Chrome, which was in beta. I’ll use it to escape the Chrome sandbox to gain privilege of a third party App on Android from a compromised renderer.Man Yue MoMarch 16, 2021
Learn more
Vulnerability research
Exploiting a textbook use-after-free security vulnerability in Chrome
In this post I’ll give details about how to exploit CVE-2020-6449, a use-after-free (UAF) in the WebAudio module of Chrome that I discovered in March 2020. I’ll give an outline of the general strategy to exploit this type of UAF to achieve a sandboxed RCE in Chrome by a single click (and perhaps a 2 minute wait) on a malicious website.Man Yue MoOctober 27, 2020
Learn more
Vulnerability research
Triggering garbage collection with rejected promises to cause use-after-free in Chrome
In this post I’ll show how garbage collections (GC) in Chrome may be triggered with small memory allocations in unexpected places, which was then used to cause a use-after-free bug.Man Yue MoApril 28, 2020
Learn more