exploit the possibilities
Showing 1 - 25 of 32 RSS Feed

Files from saelo

Email addresssaelo at google.com
First Active2013-05-23
Last Active2019-11-11
iMessage NSSharedKeyDictionary Decode Out-Of-Bounds Read
Posted Nov 11, 2019
Authored by saelo, Google Security Research

iMessage suffers from an issue where decoding NSSharedKeyDictionary can lead to out-of-bounds reads.

tags | advisory
advisories | CVE-2019-8746
MD5 | a2b5e05c79091ab5459b0ba4514324d3
iMessage NSSharedKeyDictionary Decode Incorrect Address Read
Posted Nov 11, 2019
Authored by saelo, Google Security Research

iMessage suffers from an issue where decoding NSSharedKeyDictionary can read an ObjC object at attacker controlled address.

tags | exploit
advisories | CVE-2019-8641, CVE-2019-8662
MD5 | 44b9493651f02f67170dee4980389e1a
JSC Argument Object Reconstruction Type Confusion
Posted Nov 5, 2019
Authored by saelo, Google Security Research

JSC suffers from a type confusion vulnerability during bailout when reconstructing arguments objects.

tags | exploit
advisories | CVE-2019-8820
MD5 | 6a4caa0c9a9e7558705c23bf516ebff4
JavaScriptCore GetterSetter Type Confusion
Posted Oct 30, 2019
Authored by saelo, Google Security Research

JavaScriptCore (JSC) GetterSetter suffers from a type confusion vulnerability during DFG compilation.

tags | exploit
advisories | CVE-2019-8765
MD5 | 63f1952a7a692ab451a162d31ee902ed
V8 Map Migration Type Confusion
Posted Sep 17, 2019
Authored by saelo, Google Security Research

V8 map migration does not respect element kind, leading to a type confusion vulnerability.

tags | exploit
MD5 | f6ab8a5e41409debf546a94e0e445037
iOS Messaging Tools
Posted Aug 7, 2019
Authored by saelo, Google Security Research, natashenka

This repository contains several tools Project Zero uses to test iPhone messaging. It includes SmsSimulator: an SMS simulator for iPhone, iMessage: tools for sending and dumping iMessage messages, and imapiness: a fuzzer for IMAP clients. See the directory for each tool for further instructions and contact information. This is not an officially supported Google product. These tools were released and presented at BlackHat USA 2019.

tags | tool, telephony, imap, fuzzer
systems | apple, iphone
MD5 | 2e9ddb1606e5ec0f3068837fa5919c6c
NSKeyedUnarchiver ObjC Object Use-After-Free
Posted Jul 29, 2019
Authored by saelo, Google Security Research

NSKeyedUnarchiver suffers from a use-after-free vulnerability with ObjC objects when unarchiving OITSUIntDictionary instances even if secureCoding is required.

tags | exploit
advisories | CVE-2019-8662
MD5 | 70ef6bfcfed7ece0d7495dba139227e2
JSC ValueProfiles JSValue Use-After-Free
Posted Jul 29, 2019
Authored by saelo, Google Security Research

JavaScriptCore suffers from an issue where there's a JSValue use-after-free vulnerability in ValueProfiles.

tags | advisory
advisories | CVE-2019-8672
MD5 | 1ab75d03880956f7d5252f34b059120a
JSC DFG LICM Object Property Access Unguarded
Posted Jul 29, 2019
Authored by saelo, Google Security Research

JavaScriptCore DFG loop-invariant code motion (LICM) has an issue where it leaves object property access unguarded.

tags | advisory
advisories | CVE-2019-8671
MD5 | f7edad8829fb8a634c008e209dbf7127
Spidermonkey Uninitialized Memory Access
Posted Jul 9, 2019
Authored by saelo, Google Security Research

In Spidermonkey, definite properties are incorrectly computed in some cases, leading to uninitialized memory access when unboxed objects are enabled.

tags | advisory
MD5 | 79fc5823bfa08cae2fcfd2ee4bbcd32c
Spidermonkey IonMonkey Incorrect Prediction
Posted Jun 25, 2019
Authored by saelo, Google Security Research

Spidermonkey IonMonkey incorrectly predicts return type of Array.prototype.pop, leading to type confusion vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2019-11707
MD5 | b9cfb835c09f9ff2359a0ac43fb9d908
Safari Webkit Proxy Object Type Confusion
Posted Jun 2, 2019
Authored by saelo, ianbeer, Siguza, niklasb | Site metasploit.com

This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.

tags | exploit, arbitrary, kernel, javascript, shellcode
advisories | CVE-2017-13861, CVE-2018-4233
MD5 | 394148cda471deeb3abbfdccf622fa46
Spidermonkey IonMonkey JS_OPTIMIZED_OUT Value Leak
Posted May 28, 2019
Authored by saelo, Google Security Research

Spidermonkey IonMonkey can, during a bailout, leak an internal JS_OPTIMIZED_OUT magic value to the running script. This magic value can then be used to achieve memory corruption.

tags | exploit
advisories | CVE-2019-9792
MD5 | f548194e2e5ce1c18bacbf389f666b48
JavaScript V8 Turbofan Out-Of-Bounds Read
Posted May 28, 2019
Authored by saelo, Google Security Research

JavaScript V8 Turbofan may read a Map pointer out-of-bounds when optimizing Reflect.construct.

tags | advisory, javascript
MD5 | 36998fe03e21e2360e63455dcd1824ed
Spidermonkey IonMonkey Unsafe Code Execution
Posted May 28, 2019
Authored by saelo, Google Security Research

Spidermonkey IonMonkey suffers from an issue where an unexpected ObjectGroup in the ObjectGroupDispatch operation might lead to potentially unsafe code being executed.

tags | advisory
advisories | CVE-2019-9816
MD5 | 9fd40f0341879df02a9860af01e711aa
JSC DFG Incorrect Decision On Behavior
Posted May 21, 2019
Authored by saelo, Google Security Research

JSC DFG's doesGC() is incorrect about the HasIndexedProperty operation's behavior on StringObjects.

tags | advisory
advisories | CVE-2019-8622
MD5 | 447815ba563e6a4e43af5179de5f3476
JavaScriptCore LICM Uninitialized Stack Variable
Posted May 21, 2019
Authored by saelo, Google Security Research

JavaScriptCore loop-invariant code motion (LICM) in DFG JIT leaves a stack variable uninitialized.

tags | exploit
advisories | CVE-2019-8623
MD5 | e3d6af3254ffc8f7e66b61e4895a6d8a
JavaScriptCore AIR Optimization Incorrectly Removes Assignment To Register
Posted May 21, 2019
Authored by saelo, Google Security Research

JavaScriptCore AIR optimization incorrectly removes assignment to register.

tags | advisory
advisories | CVE-2019-8611
MD5 | fbb7e0f88cf0da1880e1e46b1ff5975a
Chrome V8 Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Failed Check
Posted May 10, 2019
Authored by saelo, Google Security Research

Chrome V8 has an issue where JSCallReducer::ReduceArrayIndexOfIncludes in turbofan fails to insert Map checks.

tags | exploit
MD5 | c3cedb648ac563ef9c4a151be439bf86
JavaScriptCore Out-Of-Bounds Access
Posted Apr 2, 2019
Authored by saelo, Google Security Research

JavaScriptCore suffer from an out-of-bounds access vulnerability in FTL JIT due to LICM moving array access before the bounds check.

tags | advisory
advisories | CVE-2019-8518
MD5 | 666ca0b0b1f37dcfd1113b475c267cad
JavaScriptCore CodeBlock Use-After-Free
Posted Apr 2, 2019
Authored by saelo, Google Security Research

JavaScriptCore suffers from CodeBlock use-after-free vulnerabilities due to dangling Watchpoints.

tags | advisory, vulnerability
advisories | CVE-2019-8558
MD5 | 44941500a9bd200e3ded8e6050b94b65
XNU Unsafe Pidversion Increment During Execve
Posted Apr 1, 2019
Authored by saelo, Google Security Research

XNU has an issue where pidversion increment during execve is unsafe.

tags | exploit
advisories | CVE-2019-8514
MD5 | 98cad986f696210bc1f2b23ff3589ba7
JavaScriptCore createRegExpMatchesArray Fails To Respect Inferred Types
Posted Apr 1, 2019
Authored by saelo, Google Security Research

JavaScriptCore has an issue where createRegExpMatchesArray does not respect inferred types.

tags | exploit
advisories | CVE-2019-8506
MD5 | 890d106035374c388ef370b205c1ca00
SpiderMonkey IonMonkey Type Confusion
Posted Mar 29, 2019
Authored by saelo, Google Security Research

A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects.

tags | exploit, arbitrary
advisories | CVE-2019-9813
MD5 | cdcb535655303de5282b8e9ce3804be5
SpiderMonkey IonMonkey Type Confusion
Posted Mar 27, 2019
Authored by saelo, Google Security Research

A bug in IonMonkeys type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that cause type confusions between arbitrary objects.

tags | exploit, arbitrary
advisories | CVE-2019-9791
MD5 | 2d9234f04f13771cc4ba74f08b736649
Page 1 of 2
Back12Next

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    10 Files
  • 7
    Dec 7th
    1 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    12 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close