Google now pays $250,000 for KVM zero-day vulnerabilities
Google has announced a new bug bounty program, named kvmCTF, to help find vulnerabilities in the Kernel-based Virtual Machine or KVM hypervisor.


Comments
Nice. I don't have much good to say about Google but that's the sort of bounty that should hoover up 0days before they end up on the open market
@FlorinMarian now is your chance to get that villa up the road you always dreamed of.
today $250,000 would get you some bricks and paint.
Tagging @vitobotta, our in-house bug hunter.
Is it? I know full zero click takeovers of iOS or GrapheneOS can pay 2-3M with stock Android not being too far behind. I'm not saying anything bad about google for this as what they are doing is still helpful no doubt but do black markets pay more for a full VM escape? Seems like a pretty powerful exploit if combined with 1-2 other exploits.
Yes.
It’s a good thing, but the sum is a piss in the ocean for them. It’s like 1/3rd of a house in a bigger city in Sweden.
Considering it’s a technology they use, a bump couldn’t hurt.
mean ! @ehab u sexy hater !
250K are barely enuff for the new CEO car he needs
if only @Not_Oles turns on Evil mode for some time he will screw CTF twice.
@vitobotta it's your time to shine
Google has always had a bug bounty program and from what I've heard this is on a lower end.
Damn, Micay is that rich I see.
Nice, given the prize I definitely need to explore this
I have more experience with web apps but this looks like an interesting area. I have worked with KVM and other stuff when I used to work for OnApp years ago but not recently. Time to rediscover it 
If you get the money, can I get an idler?
Not going to be easy money I fear. Unless there's some kind of blatant design error, most bugs that allow breaking out of the VM will likely be side channel stuff, and researching this isn't for the faint of heart.
Completely different from pentesting web apps for clients, which are more or less closed source. KVM being open source will make it an order of magnitude tougher to discover an exploit. But probably bugs these days are initially found by fuzzers like AFL and not through manual source code review. For example, fuzz the guest-host communication channel like virtio-vsock with AFL by building a suitable harness around the code to be tested. A crash found by AFL may not necessarily be vulnerable and that is where manual analysis of the crashes begins.
Good point. Forgot about virtio and friends. Getting those to crash might obviously also pave the path to freedom. Still certainly no easy money there.
Definitely. This stuff is A LOT more complex than regular web apps.
If I manage to get that sort of prize I will give you 100 idlers
LET Giveaway sponsored by @vitobotta
BTW, speaking of bug bounties, yesterday I pocketed another $7K for 3 hours work
(I haven't received the payment yet but it's confirmed)
There is some sanitization against XSS in this app but I found I could bypass it and potentially execute javascript with an object tag.
The "problem" is that this app restricts CSP to script tags to "self" so I cannot use inline scripts and I cannot load a js file from a domain I control even though with the aforementioned object tag I can render a script tag bypassing the sanitization.
Did I stop there? Of course not 🤪
The CSP also allows youtube as origin for embedding of videos.
Here's a trick I used and that you may not be aware of. So I give you a free bug bounty hunting tip
YouTube allows requests with URLs in the format
Note the callback parameter. This request returns a JSONP response that allows me to execute code, like in the example a simple alert. So I used that URL in my PoC and got code execution (XSS) even though I can't load scripts from my domains and I cannot use inline script tags or tags with attributes with event handlers. Thanks YouTube! 🤣
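The CSP weakness behind the bypass described in the post above is a general one: a script-src built from a host allowlist trusts every endpoint on those hosts, including any that echo a caller-supplied callback name as JSONP. The small checker below is an added example (not code from the post or from the app being discussed) that parses a CSP header and flags the two policy shapes the post exploits, a host-based script-src and an unrestricted object-src, next to a hardened policy that uses a per-response nonce with 'strict-dynamic'. The two headers are constructed samples, not the real app's policy.

```python
# Constructed sample policies (assumed for illustration, not the bountied app's real CSP).
WEAK_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://www.youtube.com; "
    "frame-src https://www.youtube.com"
)
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'nonce-r4nd0m' 'strict-dynamic'; "   # nonce must be fresh per response
    "frame-src https://www.youtube.com; "
    "object-src 'none'"
)

KEYWORD_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective(policy: dict, directive: str) -> list:
    """Resolve a fetch directive, falling back to default-src as browsers do."""
    return policy.get(directive, policy.get("default-src", []))


def review_csp(header: str) -> list:
    """Return human-readable findings for policy shapes that weaken script control."""
    policy = parse_csp(header)
    findings = []

    script_src = effective(policy, "script-src")
    has_nonce_or_hash = any(s.startswith(KEYWORD_PREFIXES) for s in script_src)
    strict_dynamic = "'strict-dynamic'" in script_src
    # Anything not quoted is a host/scheme source; with 'strict-dynamic' present
    # browsers ignore host sources, so they only matter when it is absent.
    host_sources = [s for s in script_src if not s.startswith("'")]

    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': inline script injection is not blocked")

    if host_sources and not (has_nonce_or_hash and strict_dynamic):
        findings.append(
            "script-src relies on a host allowlist (%s): any JSONP or other "
            "script-returning endpoint on an allowed host undermines the policy; "
            "prefer a per-response nonce with 'strict-dynamic'" % ", ".join(host_sources)
        )

    if effective(policy, "object-src") != ["'none'"]:
        findings.append(
            "object-src is not 'none': <object>/<embed> can load plugin content or "
            "smuggle markup that the HTML sanitizer did not expect"
        )
    return findings


if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, review_csp(csp) or "no findings")
```

The nonce value must be generated per response and never reused; with 'strict-dynamic' in place, the youtube.com entry in script-src becomes unnecessary because only nonced scripts (and what they load) may run, while frame-src can still allow the embed.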
Thanks!
And good luck
Can I get one too since I tagged you first ? 😁
MOOOAAR Tips
I'll buy an idler for everyone if I get 250K with a bounty 🤣
If people are interested I can start a thread and update it every now and then with some tips and case I come across.
Are the idlers powered by KVM? :P
Obviously
Just saying, if I was a nation-state looking to break into, say, a hosting provider for a military contractor, I would pay a lot more than 250k.
I’m definitely interested
I can see if I remember.