SixSixSix

OpenConnect Fortinet: server-induced chosen-offset stack write via snprintf-return-value cursor arithmetic

A ten-line C block in OpenConnect's Fortinet handler builds a version-info string with the classic snprintf-cursor idiom: advance a pointer by snprintf's return value across successive calls into a fixed stack buffer. Because snprintf returns the length it *would have* written — not the length it did — a single oversized field advances the cursor past the buffer end. The subsequent size argument computed as `e - p` is a negative ptrdiff_t that implicitly converts to a near-SIZE_MAX size_t. The next call happily writes a short, format-string-controlled payload at a caller-chosen offset — including the saved-RIP slot of the parent stack frame. Full walkthrough of the C language semantics that make the primitive, the stack-frame math that lands the write on saved RIP, the mitigation matrix (FORTIFY catches, SSP does not), and the pattern to grep for in any C codebase that builds strings incrementally.

Case-variant path aliases in Rust denial gates: anatomy of a canonicalize-fallback bypass

A four-line Rust function that gates a real-world sandbox against overlap between allow and deny lists reduces to raw byte comparison on the common case. Combined with NTFS's default case-insensitivity and Rust's PathBuf equality semantics, the gate silently admits any policy whose colliding entries differ only in case, so long as one side of the collision does not yet exist on disk. Deep walkthrough of the primitive, its NTFS/Rust interaction, an end-to-end reproducer, a minimal fix, and the static-analysis pattern that identifies the same shape across any Rust codebase.

Android IncFS verity-signature race — and what Google ASR "Won't Fix (Infeasible)" actually means

fs/incfs/verity.c::incfs_read_signature() declares its working pointer to the verity-signature heap buffer as `static`. The qualifier puts the pointer in a single BSS slot shared across every invocation from every thread or process on the system. Two racing ioctl calls produce a KASAN double-free in kmalloc-256, a cross-process information leak, a KASLR-relevant kernel pointer disclosure, and — on a kernel with CONFIG_SLAB_FREELIST_HARDENED + RANDOM + KASLR all on — SLUB freelist corruption with attacker-controlled bytes. Reported to Google ASR, closed Won't Fix (Infeasible) five weeks later. This post walks the bug from first principles — what IncFS is, what fs-verity does, why the `static` keyword turns a function-local pointer into a global weapon, what each runtime primitive actually buys an attacker, how Google's vulnerability reward program triages, and what the "Infeasible" verdict really communicates.

An Android Bluetooth ISO out-of-bounds write that lands RIP on `commit_creds`, marked Infeasible by Google ASR

A pre-auth, adjacent-network OOB write in `iso_connect_ind()` in `net/bluetooth/iso.c` on Android Common Kernel 15 (6.6). Eight reboots of attacker-byte RIP control. Twelve reboots reaching `commit_creds+0x8f8`. Two sibling bugs in the same handler. Reported to the Android & Devices VRP on 2026-05-11, updated 2026-05-28 with the RIP-control + sibling-bug package. Closed by Google as **Infeasible** on 2026-06-11. This is the full technical writeup and the experience around the verdict.

Two Lenovo Power Manager kernel drivers, one Everyone:RW DACL — a class-pattern in TPPWR64V and ibmpmdrv

Two Lenovo Power Manager kernel drivers ship with their device DACL granting Everyone (S-1-1-0) read+write. Any local user — including restricted-token sandboxes — can open the device and reach the IOCTL dispatcher. On `TPPWR64V.SYS` the dispatcher is a gateway to SMAPI Embedded Controller port I/O; on `ibmpmdrv.sys` it returns 18+ kernel-side state values. The identical SDDL on two unrelated devices points at a shared driver-creation template that's worth a class-level audit. Disclosed to Lenovo PSIRT 2026-06-05; this post is the full technical writeup.

LnvMSRIO.sys, the 13 IOCTLs nobody audited, and an eight-round walk past Cortex XDR

CVE-2025-8061 covered one IOCTL of Lenovo's signed `LnvMSRIO.sys`. The driver's dispatch table contains eighteen. This is the full audit — every IOCTL reversed instruction-level, the five new primitives nobody published (8/16/32-bit unprivileged port-I/O R/W, PCI configuration space R/W via the CF8/CFC bus, an unprotected kernel `HLT`, and an `rdpmc` info-leak), and the eight-round walk past Cortex XDR's `sync.suspicious_driver_service_creation` rule family that ended with `NtLoadDriver` returning `STATUS_SUCCESS` from inside a hollowed `dllhost.exe` while the EDR stayed silent. Plus the defender side — the technique is detectable, just not by the rules deployed today.

Eight rounds against Cortex XDR's driver-load coverage — process hollowing, the IAT trap, and a 2.7 KB shellcode that finally landed

Cortex XDR ships a behavioural rule family called `sync.suspicious_driver_service_creation` that catches every textbook BYOVD loader vector on a default Windows 11 24H2. This post is the full walkthrough of eight iterations against it — what each round revealed, why six of them died, the rabbit hole of "my PE payload runs inside dllhost but crashes before the first instruction" (spoiler: it was never the entry point), and the 2.7 KB position-independent shellcode that finally went end-to-end while Cortex stayed silent. Code is included verbatim — shellcode, dropper, linker script, the lot.

BYOVD LSASS Dump in 2026 — PDFWKRNL, PPL Toggle, and a Cloned Target

LSASS dumping from a vanilla admin shell stopped being a one-liner the day PPL went mainstream. The modern shape is BYOVD — bring a signed driver with an arbitrary-kernel-memmove primitive, flip the Protection byte on yourself, clone the target, and dump the clone. This post walks through a from-scratch implementation against PDFWKRNL.sys (AMD USB-C Power Delivery driver, IOCTL 0x80002014), the HVCI block-list math that picks the right sample, and the full chain — driver load → EPROCESS walk → PPL flip → NtCreateProcessEx clone → in-memory MiniDump → XOR-obfuscated write. Validated on Win11 26200.

One byte of URL-encoding past a WAF: notes on CVE-2026-40050 and the GraphQL endpoint nobody fenced

CVE-2026-40050 is a routing-tree exposure on LogScale lightweight-ingest nodes. The advisory lists 1.224.0–1.234.0 as vulnerable and the SaaS fleet as "patched" because a perimeter WAF rule was deployed in April. The rule is one URL-encoded byte wide. The same hosts also expose a GraphQL endpoint that the rule never covered, which resolves `meta` and `installedLicense` pre-auth. The vendor declined the report. This is the walkthrough of the bug, the bypass, the JAR diff that shows the code fix lives in 1.235.x and not in 1.234.x, and the lesson about treating "WAF deployed" as a synonym for "fixed".

Found the same Linux iSCSI CHAP base64 overflow 25 days early — and what 'review-ready' really means

In May I found a pre-auth heap overflow in the Linux LIO iSCSI target's CHAP BASE64 decoder. I built the patch, took a KASAN trace, wrote the review document — and then sat on it for two weeks. While the patch was in "operator review", another researcher (ahossu) found the same bug independently, sent upstream, and got the fix merged. This is the walkthrough of the bug, the math, the patch I almost shipped, and the lesson I actually learned about review cadence.