In October 2024, RET2 participated in the “Small Office / Home Office” (SOHO) flavor of Pwn2Own, a competition which challenges top security researchers to c...| RET2 Systems Blog
In October, we attended Pwn2Own Ireland 2024 and successfully exploited the Synology DiskStation DS1823xs+ to obtain remote code execution as root. This issu...
Our previous post explored some of the bugs we discovered in the CHARX SEC-3100 ControllerAgent service for Pwn2Own Automotive. We’ll now walk through how these bugs were weaponized to produce a fully remote exploit. We left off with a use-after-free (UAF) primitive. Notably however, the UAF occurs on process teardown (a “one-shot” style bug), and we don’t have any information leaks to easily deal with ASLR (address space layout randomization). If you want to try exploiting a similar ...
The first Pwn2Own Automotive introduced an interesting category of targets: electric vehicle chargers. This post will detail some of our research on the Phoe...
Released in November 2001, the original Xbox was Microsoft’s first venture into the game console industry. With its hardware closely resembling a cheap but v...
With the broad adoption of Kernel Address Space Layout Randomization (KASLR) by modern systems, obtaining an information leak is a necessary component of mos...
To escape the Safari sandbox for our Pwn2Own 2021 submission, we exploited a vulnerability in the Intel graphics acceleration kernel extensions (drivers) on ...
This post details the development of a guest-to-host virtualization escape for Parallels Desktop on macOS, as used in our successful Pwn2Own 2021 entry. Give...
Tenet is an IDA Pro plugin which enables reverse engineers to explore execution traces of native code. It is a testbed for evaluating how omniscient traces m...
Several months ago I found an issue (now CVE-2020-27348) with Ubuntu’s new package management system, Snapcraft. This bug introduced a classic pattern of ins...