Opens profile photo
Follow
Man Yue Mo
@mmolgtm
Security researcher at GitHub Security Lab. Tweets/views/opinions are my own.
Joined September 2017

Man Yue Mo’s Tweets

CVE-2022-25664 is one of the most interesting bug I've reported. It's "only" an info leak, but a very powerful one that allows an untrusted Android app to read pages of memory from the kernel or other apps any number of times.
365
In this post I'll use CVE-2022-38181, a use-after-free I reported last year in the Arm Mali GPU driver to gain arbitrary kernel code execution and root from untrusted Android app. Not sure if the bug or the disclosure is more interesting:
2
374
Show this thread
file: "mali_app/app/src/main/cpp/hello-jni.c": 4b66a16931b96fdf14a32aa9963c25326a2a8b217e7a842d886d5885ef01956d The email I sent: 234646839712e54fb7179ab74ddeb6bb8857d9bd853b29be2596fdb21d22a4c7 (Plain text starts from "Hi" and ends with "Mo") Thanks!
3
Show this thread
Bug trigger: 1. file with "main", shorter file name: b50887cdcd53c2d63ea8253bae534aa079f99aac93fa5ff900c34f9475cb4086 2. file with "main", longer file name: c20576e4895e6d4ddd1b40eb05375d274b2788867d0aa921699b9dddd945732a
1
3
Show this thread
If someone from security is reading this, please reply to my email on 5 Aug about a bug report that Android security team shared with you privately, thanks. SHA256 of various files for verification (next tweets)
3
25
Show this thread
This might be the best bug I found. Never thought I'd be writing a kernel exploit as reliable, clean and fast as a browser exploit. For a while I actually used this to root my research phone when can't be bothered to patch the rom:
7
389
This is probably the most complex exploit I've done so far. A UAF in Android kernel freed by kfree_rcu (introduces a delay) in a tight race + kCFI + Samsung RKP. Yet its still possible to gain arbitrary kernel RW, disable SE and root from untrusted app.
4
519
In this post I'll go through 3 bugs in the Qualcomm NPU driver that I reported, which allowed me to execute arbitrary kernel code from the untrusted app domain in Android, disable SELinux and bypass task cred protection to gain root on a Samsung phone:
5
318
In this second part of the Chrome beta + Android full chain series, I'll use a sandbox escape in the beta version of Chrome v86 that I reported last September to gain App privilege from the Chrome renderer sandbox:
1
165
In this series of posts I'll exploit 3 bugs that I reported last year. Together they can form a full chain from Chrome beta v86 to the Android kernel. The first post is about exploiting a UAF in the kernel reachable from the App sandbox:
2
357
For people looking into intrusion detection of CVE-2018-11776. From what is available in public, it should be clear that the attack is done via a url with ognl. So look for url that contains ognl. An exploit won't tell you more than that.
13
As some people have asked about exploits of CVE-2018-11776. I don't plan to release it at the moment so that users can have time to upgrade, I would also like to urge others to refrain from releasing exploits just yet.
2
9