
Trenchant Articles

Breaking SIP with Apple-signed Packages

May 2, 2024
By Michael Cowell

The original topic of my first blog post, posted approximately a year ago, was how command injection vulnerabilities are present in PackageKit on macOS. While writing the article, I found some Apple-signed packages that had command injection vulnerabilities that could be used to bypass SIP.



JEB Unchained

November 14, 2023
By Antonio Fuerte

JEB is a reverse engineering tool that can analyze several file formats, e.g. Siemens Simatic PLC software, Ethereum smart contracts, native code, and Android.
We are going to focus on Android, since JEB is the de facto standard for this platform.



SCUDO HARDENED ALLOCATOR — UNOFFICIAL INTERNALS DOCUMENTATION

September 21, 2023
By Rodrigo Branco 

SCUDO is a user-mode memory allocator developed by Google, based on the LLVM Sanitizers’ Combined allocator and with a focus on practical security. Given that SCUDO’s primary objective is security, this article also covers some of the decisions made, trade-offs and limitations.  



VMWARE WORKSPACE ONE ACCESS

February 27, 2023
By Steven Seeley

In 2022, I conducted research against VMware Workspace ONE Access and was able to find a remote code execution vulnerability triggerable by an authenticated administrator. Although authentication is required, past authentication bypass vulnerabilities have been published. As an aside, if you’re interested in this sort of work, here at Trenchant we perform vulnerability research against a wide variety of interesting and challenging targets!



Two lines of JScript for $20,000

September 29, 2022
By Ben McBride

In 2022, Pwn2Own returned to Miami and was again targeting industrial control systems (ICS) software. I had participated in the inaugural Pwn2Own Miami in 2020 and was eager to participate again this year. My previous work included a nice vulnerability against the Iconics Genesis64 Control Server product. That vulnerability allowed a remote attacker to run arbitrary SQL commands using a custom WCF client. This year I was able to win $20,000 by running arbitrary JScript.NET code! This post will describe the process I took and the vulnerability I found.



The Evolution of TCC on Ventura

July 8, 2022
By Michael Cowell

In the surprisingly stable first beta release of macOS Ventura, there are a number of simple yet impactful security enhancements. This blog post will ignore lower-level changes, opting instead to talk about higher level changes that users are likely to interact with, and some of the attacks they’re meant to prevent.



Expanding the dragon: Adding an ISA to Ghidra

May 12, 2022
By Tracy Mosley

Ghidra was originally developed by the National Security Agency as a reverse engineering framework, similar to IDA Pro. It was publicly released in 2019 and is now FOSS. It ships with many processor specifications already implemented, but the list is not exhaustive. Thus, a new processor module had to be implemented for my particular needs.



PWN2OWN 2021: Parallels Desktop Guest to Host Escape

September 23, 2021
By Ben McBride

A common challenge when approaching a new vulnerability research problem is getting started. This is especially true when there is little prior research and strict time constraints. I was very interested when Parallels Desktop was announced as a new target for the Zero Day Initiative’s Pwn2Own Vancouver 2021 in the virtualization category. It was intriguing to me as there had been little prior research on it. I suspected there would be a wide range of issues in Parallels, so many different approaches would likely succeed. However, the demands for my time and energy, at the time, were particularly onerous. Our second son was due to be born any day! I would need to be focused and purposeful.



Modern Attacks on the Chrome Browser: Optimizations and Deoptimizations

February 8, 2021
By Jeremy Fetiveau

As part of the Trenchant team’s daily activities, we keep an eye on code being committed. This is the story of a recent commit that caught our attention. First, we are going to discuss the underlying mechanisms before explaining what primitives it gives. Over the last few years, we’ve seen many JIT bugs get patched.
