
Files from natashenka

Email address: natashenka at google.com
First Active: 2015-08-19
Last Active: 2022-05-12
AppleVideoDecoder CreateHeaderBuffer Out-Of-Bounds Free
Posted May 12, 2022
Authored by Google Security Research, natashenka

AppleVideoDecoder suffers from an out-of-bounds free vulnerability. The attached video file contains a malformed HEVC Decoder Configuration Record that leads to an out-of-bounds free in CreateHeaderBuffer. When copying the VPS, PPS and SPS, the destination pointer is incremented, and if the copied data is larger than the length specified in the input file, it breaks and falls through to a condition that frees the destination pointer, even though it has been incremented. This could free the chunk allocated next to the destination memory.

tags | exploit
advisories | CVE-2022-22666
SHA-256 | a49f6411c8b8733ea1c031b562f4509169b737f83ae46d802b8cf4aed5bd1cb1
Zoom MMR Server Information Leak
Posted Jan 3, 2022
Authored by Google Security Research, natashenka

Zoom suffers from an information leak vulnerability in the MMR server.

tags | exploit
advisories | CVE-2021-34424
SHA-256 | ceaa806e1faea132492fe57be7bbd693988b712326fabb4aec96193d0e3374d0
Zoom Chat Message Processing Buffer Overflow
Posted Jan 3, 2022
Authored by Google Security Research, natashenka

Zoom suffers from a buffer overflow vulnerability related to the processing of chat messages.

tags | exploit, overflow
advisories | CVE-2021-34423
SHA-256 | a6e816c46fce3985cc7b2b11b9e6f3edebe9b65dcbbbf65037027c3d32e954f0
QT TIFF Processing Heap Overflow
Posted Jun 4, 2021
Authored by Google Security Research, natashenka

There is a heap corruption bug that can occur when QT processes a malformed TIFF image. It happens because the size of the QImageData backing the image is calculated using the format of the image, whereas TIFFReadScanline calculates the length to be read based on TIFFScanlineSize, which determines the size based on three tags in the TIFF file: width, samples per pixel and bits per sample.

tags | exploit
SHA-256 | 765990ea3bd9f2c14232bcfa3535efba165c1990d1e7949df33a649783e33d0b
Gstreamer Matroska Demuxing Use-After-Free
Posted Jun 3, 2021
Authored by Google Security Research, natashenka

Gstreamer suffers from a use-after-free vulnerability in Matroska demuxing.

tags | exploit
advisories | CVE-2021-3498
SHA-256 | c5185c2d6107c05661116151a51a24e93e1142b438889272be0f92a6c3fe8e61
QT PNG ICC Processing Out-Of-Bounds Read
Posted May 27, 2021
Authored by Google Security Research, natashenka

The QImage class can read out-of-bounds when reading a specially-crafted PNG file, where a tag byte offset goes out of bounds. This could potentially allow an attacker to determine values in memory based on the QImage pixels, if QT is used to process untrusted images.

tags | exploit
SHA-256 | f89e3b09d6fb627d5b5269e3b5d3b0c770cd2aefc3bbd97c7b659ae459e07be2
QT TIFF Processing Out-Of-Bounds Read
Posted May 25, 2021
Authored by Google Security Research, natashenka

The QImageReader class can read out-of-bounds when converting a specially-crafted TIFF file into a QImage, where the TIFF tile length is inconsistent with the tile size. This could potentially allow an attacker to determine values in memory based on the QImage pixels, if QT is used to process untrusted images.

tags | exploit
SHA-256 | 766b77fab4c5903f5bd4ca7cb9d967ba5f26ec50db568fd2f7147cf8314ad4bc
Facebook Messenger For Android Forced Answer
Posted Dec 7, 2020
Authored by Google Security Research, natashenka

Facebook Messenger for Android has an issue where an SdpUpdate message can cause an audio call to connect before the callee has answered the call.

tags | exploit
SHA-256 | 04464f2fe392295e7708a1e61a2b9787bbae3f555ff1d70e748d2bc354c01184
Google Duo Race Condition
Posted Dec 7, 2020
Authored by Google Security Research, natashenka

A race condition in Google Duo can cause the callee to leak video packets from an unanswered call.

tags | exploit
SHA-256 | 75c4a6bf7b5879fefad93fa040fba864edc81a79c13824706bd13a0117456a85
Mocha For Android Audio Interception
Posted Oct 19, 2020
Authored by Google Security Research, natashenka

Mocha for Android suffers from an issue where a call can cause the callee device to send audio without user interaction.

tags | exploit
SHA-256 | 078a2b1dbfd8b4b095b8a8f5aa7337b720212abfd0a23556c214315335c030be
JioChat For Android Audio Sniffing
Posted Oct 12, 2020
Authored by Google Security Research, natashenka

JioChat for Android has an issue where a caller can cause the callee device to send audio without user interaction.

tags | exploit
SHA-256 | edecbfc8b4a9983d43bc2e09c3718b3a564b9282a9cb1a917263dc101dee08da
usrsctp Stack Buffer Overflow
Posted Jul 20, 2020
Authored by Google Security Research, natashenka

There is a stack buffer overflow in usrsctp when a server processes a skipped auth block from an incoming connection. Proof of concept exploit included.

tags | exploit, overflow, proof of concept
advisories | CVE-2020-6831
SHA-256 | b4818f86982c067d7cd9afcbfcee314e412f968d7d9b859927f8e3573839fad7
WebRTC Layer Info Out-Of-Bounds Write
Posted Apr 23, 2020
Authored by Google Security Research, natashenka

WebRTC suffers from an out-of-bounds memory write in the method RtpFrameReferenceFinder::UpdateLayerInfoH264. This occurs when updating the layer info with the frame marking extension.

tags | exploit
SHA-256 | 06971daf4e8e1b40696e457b7e355f90460b37a0e0308f2559ba4a2fa0af726f
WebRTC FEC Extension Processing Out-Of-Bounds Write
Posted Apr 23, 2020
Authored by Google Security Research, natashenka

When WebRTC processes a packet using FEC, it does not adequately check bounds when zeroing the video timing extension.

tags | exploit
SHA-256 | 157cd64dc55515807088f940f00ae62c6d3ee089d4b0fc465f7fca79aaf47e9a
usersctp sctp_load_addresses_from_init Out-Of-Bounds Read
Posted Feb 7, 2020
Authored by Google Security Research, natashenka

usersctp is an SCTP library used by a variety of software including WebRTC. There is a vulnerability in the sctp_load_addresses_from_init function of usersctp that can lead to a number of out-of-bounds reads. The input to sctp_load_addresses_from_init is verified by calling sctp_arethere_unrecognized_parameters; however, there is a difference in how these functions handle parameter bounds. The function sctp_arethere_unrecognized_parameters does not process a parameter that is partially outside of the limit of the chunk, whereas sctp_load_addresses_from_init will continue processing until a parameter that is entirely outside of the chunk occurs. This means that the last parameter of a chunk is not always verified, which can lead to parameters with very short plen values being processed by sctp_load_addresses_from_init. This can lead to out-of-bounds reads whenever the plen is subtracted from the header len.

tags | exploit
SHA-256 | 97c80f0acd4440a67c9cef234fa02985f9feafd4eb0418feb0ed3a434ae21930
libx264 H264 Conversion Out-Of-Bounds Write
Posted Feb 7, 2020
Authored by Google Security Research, natashenka

libx264 suffers from an out-of-bounds write when converting to H264.

tags | exploit
SHA-256 | 111be6fbb98fc110e6e2b2c9221c300e8a2b5fde3c040bd6803fb5b1d6f39185
WeChat CAudioJBM::InputAudioFrameToJBM Memory Corruption
Posted Jan 10, 2020
Authored by Google Security Research, natashenka

There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.

tags | exploit
SHA-256 | a0b85c6f0d5c0b58add65cb309bf9193d2b63ceb17c68e1f5561d25888f0f991
FaceTime _RSU_DecodeByteBuffer Out-Of-Bounds Read
Posted Dec 20, 2019
Authored by Google Security Research, natashenka

FaceTime suffers from an out-of-bounds read vulnerability in _RSU_DecodeByteBuffer.

tags | exploit
advisories | CVE-2019-8830
SHA-256 | fa09fd95c1d80107456b04a936a43a4bc80318ba53f17a4669d03b5c70a1f8d0
Signal Forced Call Acceptance
Posted Oct 5, 2019
Authored by Google Security Research, natashenka

There is a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up.

tags | exploit
SHA-256 | 3b9a4c627b9644243c268bf86ee703b8a5487f12549034ded884f920a1b96ec3
iMessage NSSharedKeyDictionary Decoding Out Of Bounds Read
Posted Sep 24, 2019
Authored by Google Security Research, natashenka

An issue exists in iMessage where decoding NSSharedKeyDictionary can read objects out of bounds.

tags | exploit
advisories | CVE-2019-8641
SHA-256 | ec6fed9513fd047a8b8dda36d5bd4db2dcf6f3e0aa1d06d56adc0e4f1bd3e3ea
NSKeyedUnarchiver SGBigUTF8String Decoding Information Leak
Posted Aug 13, 2019
Authored by Google Security Research, natashenka

NSKeyedUnarchiver suffers from an information leak when decoding the SGBigUTF8String class using [SGBigUTF8String initWithCoder:]. This class initializes the string using [SGBigUTF8String initWithUTF8DataNullTerminated:] even though there is no guarantee the bytes provided to the decoder are null terminated. It should use [SGBigUTF8String initWithUTF8Data:] instead.

tags | exploit
advisories | CVE-2019-8663
SHA-256 | 350595d4b62128692b25160fd0dc54b6e14a6ff528c3e77b5bce0cd7797ace73
iOS Messaging Tools
Posted Aug 7, 2019
Authored by saelo, Google Security Research, natashenka

This repository contains several tools Project Zero uses to test iPhone messaging. It includes SmsSimulator: an SMS simulator for iPhone, iMessage: tools for sending and dumping iMessage messages, and imapiness: a fuzzer for IMAP clients. See the directory for each tool for further instructions and contact information. This is not an officially supported Google product. These tools were released and presented at BlackHat USA 2019.

tags | tool, telephony, imap, fuzzer
systems | apple, iphone
SHA-256 | fa8f560293640c4759f220069490d2498cf18f75ce1183b3ab8f77dd819585e5
iMessage URL Deserializing Heap Overflow
Posted Aug 5, 2019
Authored by Google Security Research, natashenka

iMessage suffers from a heap overflow vulnerability when deserializing a URL. This affects Macs only.

tags | exploit, overflow
advisories | CVE-2019-8661
SHA-256 | 2f5c0ce4f32d1e01da4624b1c0fc401f0c5871abc917b01bf2bfc9d63f3d6a34
iMessage NSKnownKeysDictionary1 Memory Corruption
Posted Jul 30, 2019
Authored by Google Security Research, natashenka

iMessage suffers from a memory corruption vulnerability when decoding NSKnownKeysDictionary1.

tags | exploit
advisories | CVE-2019-8660
SHA-256 | f3f3a02ba980c223208ec503d2c4f3f27010697688b8d75d71b43f8085694f67
iMessage NSArray Deserialization
Posted Jul 30, 2019
Authored by Google Security Research, natashenka

iMessage suffers from a vulnerability where NSArray deserialization can invoke a subclass that does not retain references.

tags | exploit
advisories | CVE-2019-8647
SHA-256 | 06b590135e589bcd01f211a6bf1d481e9256276cf36f296ebd6050a735c1853a
© 2022 Packet Storm. All rights reserved.