what you don't know can hurt you
Showing 1 - 25 of 174 RSS Feed

Files from natashenka

Email addressnatashenka at google.com
First Active2015-08-19
Last Active2020-07-20
usrsctp Stack Buffer Overflow
Posted Jul 20, 2020
Authored by Google Security Research, natashenka

There is a stack buffer overflow in usrsctp when a server processes a skipped auth block from an incoming connection. Proof of concept exploit included.

tags | exploit, overflow, proof of concept
advisories | CVE-2020-6831
MD5 | f695f6ee0ee2bf74c0b85f014497b37f
WebRTC Layer Info Out-Of-Bounds Write
Posted Apr 23, 2020
Authored by Google Security Research, natashenka

WebRTC suffers from an out-of-bounds memory write in the method RtpFrameReferenceFinder::UpdateLayerInfoH264. This occurs when updating the layer info with the frame marking extension.

tags | exploit
MD5 | 8491bafa68aebbbeaeec3108e1ccc8fa
WebRTC FEC Extension Processing Out-Of-Bounds Write
Posted Apr 23, 2020
Authored by Google Security Research, natashenka

When WebRTC processes a packet using FEC, it does not adequately check bounds when zeroing the video timing extension.

tags | exploit
MD5 | e7646bc10c00f9249d8d1cbc7ec9e677
usersctp sctp_load_addresses_from_init Out-Of-Bounds Read
Posted Feb 7, 2020
Authored by Google Security Research, natashenka

usersctp is SCTP library used by a variety of software including WebRTC. There is a vulnerability in the sctp_load_addresses_from_init function of usersctp that can lead to a number of out-of-bound reads. The input to sctp_load_addresses_from_init is verified by calling sctp_arethere_unrecognized_parameters, however there is a difference in how these functions handle parameter bounds. The function sctp_arethere_unrecognized_parameters does not process a parameter that is partially outside of the limit of the chunk, meanwhile, sctp_load_addresses_from_init will continue processing until a parameter that is entirely outside of the chunk occurs. This means that the last parameter of a chunk is not always verified, which can lead to parameters with very short plen values being processed by sctp_load_addresses_from_init. This can lead to out-of-bounds reads whenever the plen is subtracted from the header len.

tags | exploit
MD5 | f7629110af96666d0b8af7e76ecfa60d
libx264 H264 Conversion Out-Of-Bounds Write
Posted Feb 7, 2020
Authored by Google Security Research, natashenka

libx264 suffers from an out-of-bounds write when converting to H264.

tags | exploit
MD5 | a454ee0a3cf6ffcdaf4ffb1e2f6f1ea5
WeChat CAudioJBM::InputAudioFrameToJBM Memory Corruption
Posted Jan 10, 2020
Authored by Google Security Research, natashenka

There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.

tags | exploit
MD5 | d5e852c27b43a4bc7e13605282d84e25
FaceTime _RSU_DecodeByteBuffer Out-Of-Bounds Read
Posted Dec 20, 2019
Authored by Google Security Research, natashenka

FaceTime suffers from an out-of-bounds read vulnerability in _RSU_DecodeByteBuffer.

tags | exploit
advisories | CVE-2019-8830
MD5 | 77e7d5ed9577e8022d167f6d39eeded3
Signal Forced Call Acceptance
Posted Oct 5, 2019
Authored by Google Security Research, natashenka

There is a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up.

tags | exploit
MD5 | cfd5f34a2c4720cf69df48f6e4d12c1c
iMessage NSSharedKeyDictionary Decoding Out Of Bounds Read
Posted Sep 24, 2019
Authored by Google Security Research, natashenka

An issues exists in iMessage where decoding NSSharedKeyDictionary can read objects out of bounds.

tags | exploit
advisories | CVE-2019-8641
MD5 | 0287ca35c1cc02013b10db0d1e17e7ae
NSKeyedUnarchiver SGBigUTF8String Decoding Information Leak
Posted Aug 13, 2019
Authored by Google Security Research, natashenka

NSKeyedUnarchiver suffers from an information leak when decoding the SGBigUTF8String class using [SGBigUTF8String initWithCoder:]. This class initializes the string using [SGBigUTF8String initWithUTF8DataNullTerminated:] even though there is no guarantee the bytes provided to the decoder are null terminated. It should use [SGBigUTF8String initWithUTF8Data:] instead.

tags | exploit
advisories | CVE-2019-8663
MD5 | 5ebdb23ae44a72166cf9916fedd9770a
iOS Messaging Tools
Posted Aug 7, 2019
Authored by saelo, Google Security Research, natashenka

This repository contains several tools Project Zero uses to test iPhone messaging. It includes SmsSimulator: an SMS simulator for iPhone, iMessage: tools for sending and dumping iMessage messages, and imapiness: a fuzzer for IMAP clients. See the directory for each tool for further instructions and contact information. This is not an officially supported Google product. These tools were released and presented at BlackHat USA 2019.

tags | tool, telephony, imap, fuzzer
systems | apple, iphone
MD5 | 2e9ddb1606e5ec0f3068837fa5919c6c
iMessage URL Deserializing Heap Overflow
Posted Aug 5, 2019
Authored by Google Security Research, natashenka

iMessage suffers from a heap overflow vulnerability when deserializing a URL. This affects Macs only.

tags | exploit, overflow
advisories | CVE-2019-8661
MD5 | 36e18c8532de2e387116a79ad9fb997c
iMessage NSKnownKeysDictionary1 Memory Corruption
Posted Jul 30, 2019
Authored by Google Security Research, natashenka

iMessage suffers from a memory corruption vulnerability when decoding NSKnownKeysDictionary1.

tags | exploit
advisories | CVE-2019-8660
MD5 | bf2f6285feb8eb7cd9887c632a64facd
iMessage NSArray Deserialization
Posted Jul 30, 2019
Authored by Google Security Research, natashenka

iMessage suffers from a vulnerability where NSArray deserialization can invoke a subclass that does not retain references.

tags | exploit
advisories | CVE-2019-8647
MD5 | 01c2017aca9bca7c917b924efac2b31f
iMessage NSKeyedUnarchiver Deserialization
Posted Jul 30, 2019
Authored by Google Security Research, natashenka

iMessage suffers from a vulnerability where NSKeyedUnarchiver deserialization allows file backed NSData objects.

tags | exploit
advisories | CVE-2019-8646
MD5 | f8873dd6fc5e38d1e8f8c8678775b889
iMessage DigitalTouch Out-Of-Bounds Read
Posted Jul 26, 2019
Authored by Google Security Research, natashenka

iMessage suffers from an out-of-bounds read vulnerability in DigitalTouch tap message processing.

tags | exploit
advisories | CVE-2019-8624
MD5 | 7cc38755d991fb1a5a101045bfa32cee
iPhone iMessage Malformed Message Bricking
Posted Jul 4, 2019
Authored by Google Security Research, natashenka

An issue exists where a malformed iMessage can brick an iPhone. A method in IMCore can throw an NSException due to a malformed message containing a property with key IMExtensionPayloadLocalizedDescriptionTextKey with a value that is not a NSString.

tags | exploit
systems | apple, iphone
advisories | CVE-2019-8664
MD5 | fb007a18977fff5d77770c60f17d53df
Visual Voicemail For iPhone IMAP NAMESPACE Use-After-Free
Posted May 21, 2019
Authored by Google Security Research, natashenka

Visual Voicemail for iPhone suffers from a use-after-free vulnerability in IMAP NAMESPACE processing.

tags | exploit, imap
systems | apple, iphone
advisories | CVE-2019-8613
MD5 | ee209f50afa19dc15f5533506c05c21c
FaceTime Texture Processing Memory Corruption
Posted Feb 19, 2019
Authored by Google Security Research, natashenka

FaceTime suffers from a memory corruption vulnerability in texture processing.

tags | exploit
advisories | CVE-2019-6224
MD5 | b453c6f5d49e62c37885c285bc9f79cd
FaceTime RTP Video Processing Heap Corruption
Posted Nov 6, 2018
Authored by Google Security Research, natashenka

There is a memory corruption issue when processing a malformed RTP video stream in FaceTime that leads to a kernel panic due to a corrupted heap cookie or data abort. This bug can be reached if a user accepts a call from a malicious caller. This issue only affects FaceTime on iOS, it does not crash on a Mac.

tags | exploit, kernel
systems | ios
advisories | CVE-2018-4384
MD5 | e1efd0319dcc1218c75d95f35d08574b
FaceTime VCPDecompressionDecodeFrame Memory Corruption
Posted Nov 6, 2018
Authored by Google Security Research, natashenka

There is a heap corruption vulnerability in VCPDecompressionDecodeFrame which is called by FaceTime. This bug can be reached if a user accepts a call from a malicious peer.

tags | exploit
advisories | CVE-2018-4366
MD5 | 98ed8bf1539b036052ee59ec0d5239fd
FaceTime readSPSandGetDecoderParams Stack Corruption
Posted Nov 6, 2018
Authored by Google Security Research, natashenka

FaceTime suffers from a stack corruption vulnerability in readSPSandGetDecoderParams.

tags | exploit
advisories | CVE-2018-4367
MD5 | 17c8ace8d98479a7e023a22b0a94235c
WhatsApp RTP Processing Heap Corruption
Posted Oct 11, 2018
Authored by Google Security Research, natashenka

WhatsApp suffers from a heap corruption vulnerability in RTP processing.

tags | exploit
MD5 | f6b01d303fe816031bf7b45feaa16a08
WebRTC VP9 Processing Use-After-Free
Posted Sep 20, 2018
Authored by Google Security Research, natashenka

There is a use-after-free vulnerability in VP9 processing in WebRTC.

tags | exploit
advisories | CVE-2018-16071
MD5 | 46a569d07b8a5affa552ca7aa5867a06
WebRTC FEC Out-Of-Bounds Read
Posted Sep 20, 2018
Authored by Google Security Research, natashenka

There is an out-of-bounds read in FEC processing in WebRTC. If a very short RTP packet is received, FEC will assume the packet is longer and process data outside of the allocated buffer.

tags | exploit
advisories | CVE-2018-16083
MD5 | f5cc50595786ed774a0112b7002d39e0
Page 1 of 7
Back12345Next

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    14 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close