Security Explorations has discovered multiple security vulnerabilities in the reference implementation of Java Card technology from Oracle used in financial, government, transportation and telecommunication sectors among others. As for the impact, the vulnerabilities found make it possible to break memory safety of the underlying Java Card VM. As a result, full access to smartcard memory could be achieved, applet firewall could be broken or native code execution could be gained.
a257c47765f8cfe63cbbecdf5b803bd5A multitude of security issues exist within STMicroelectronics DVB chipsets including, but not limited to credential leakage, buffer overflow, and data leaks. This is the full release of both the whitepaper and dozens of proof of concept details.
36463dd0c95db85c29e0f6e7d4033996This detailed research paper discusses a multitude of security issues with STMicroelectronics DVB chipsets including, but not limited to credential leakage, buffer overflow, and data leaks.
5e5650c12c6dc1fae75bda7ade29648cThis archive holds a 70+ pages long technical paper accompanied by two reverse engineering tools to analyze STMicroelectronics DVB chipsets.
a5d20c1e900110611b12feb7de976edbThe patch for Issue 70 in IBM Java discovered by Security Explorations in 2013 was found to be faulty. Included are the full report and a proof of concept.
0d5c6c7e0a9744495ab910305201e727The patch for Issue 67 in IBM Java discovered by Security Explorations in 2013 was found to be faulty.
ed2de4cdbbff3d22aad9553050f8325bSecurity Explorations has released details and a proof of concept to bypass a broken security fix found in the Oracle Java SE fix from September, 2013.
369b993c622ffb5038ab3ff0a3006afcIn their original report, Security Explorations indicated that Issue 42 in SE-2014-02 had its origin in klassItable::initialize_itable_for_interface method's implementation of Java SE 7 HotSpot VM. They have recently learned that their initial analysis regarding the root cause of Issue 42 was incorrect. This report contains more detailed information about the actual cause of Issue 42, the reasoning that has mislead them into concluding it was caused by an improper initialization of non-public interface method slots and some additional findings regarding this issue.
f5d69d86ab0d1a9e96b53a0507bf6a08Issue number 42 from SE-2014-02 has been addressed by Oracle. Included in this archive are proof of concepts and information regarding the fix.
36d312e4f7e10290eea818c4638e62b0This is a fun write-up detailing vulnerabilities in Oracle products discovered by the security community and how Oracle CSO Mary Ann Davidson's math on the subject just does not add up. No surprise there.
f40203b860dcb9ad58f5a01dd0418a21Security Explorations released technical details, Google advisories, and new proof of concept code for the Google App Engine sandbox bypass vulnerabilities.
956d84b58adbd3d0e9b366bb849df648Full materials and proof of concept code has been released for the Security Explorations discovery of various Google app engine java security sandbox bypasses.
e18212db596c59c0198cd2c6b8801c6fIn excess of 30 issues have been discovered related to the Google App Engine including a complete Java VM security sandbox escape.
d57fed61e0a74a3840bbc85c8108a769This archive contains a couple of pdfs detailing 22 security vulnerabilities in Oracle Database Java VM along with proof of concept code.
824d0169d4241aa782b44f5cbcc7e361Security Explorations discovered multiple security issues in the implementation of a Java VM embedded in Oracle Database software. Among a total of 20 weaknesses discovered, there are issues that allow to create a specific Java security bypass condition or that facilitate the execution of arbitrary Java code on Oracle Database server without proper privileges.
9ee0076d6a57058b84b2ffc0fab7e8a5Security Explorations decided to release technical details and accompanying proof of concept codes for security vulnerabilities discovered in the environment of Oracle Java Cloud Service. Enclosed are two pdfs detailing the issues along with a zip file filled with proof of concept code. The release of data is due to Oracle's continued failure to properly handle vulnerability reports.
52490876d4c01a8d53153d3fe939e0b2Security Explorations discovered multiple security vulnerabilities in the environment of Oracle Java Cloud Service. Among a total of 28 issues found, there are 16 weaknesses that make it possible to completely break Java security sandbox of a target WebLogic server environment. An attacker can further leverage this to gain access to application deployments of other users of Oracle Java Cloud service in the same regional data center.
a0019f8f96169482dd33bb356b68fc81The CPU released Oct 15, 2013 by Oracle included information about a fix for Java SE 7 vulnerability (Issue 69) that was reported to the company in July.
5eeb32459ed3fb2358ee8ce3835f94afSecurity Explorations has submitted a new vulnerability to Oracle that implements a classic attack against Java VM.
82cbd474f2ee8179acbe5cbab1a7d0a0This Metasploit module abuses the insecure invoke() method of the ProviderSkeleton class that allows to call arbitrary static methods with user supplied arguments. The vulnerability affects Java version 7u21 and earlier.
eb31080dbf4908fe55f6198beec5aae0Security Explorations discovered 7 additional security issues (#62-68) in the latest version of IBM SDK, Java Technology Edition software. A majority of the new flaws are due to insecure use or implementation of Java Reflection API.
7e3988ce8ab0d956e0e2992c18faf34fJava versions 1.7.0_21-b11 and below suffers from an arbitrary code execution vulnerability.
e4cd9e5c7f8d9e28f0422e22ea755816Oracle has released Java SE 7 Update 21, which among other things addresses six security vulnerabilities that were reported to the company earlier this year (Issues 51, 55 and 57-60).
e0160be8fcb86576d553129b539d8ffcThis archive contains proof of concept exploits from Security Explorations. They waited for over a year for vendors to fix the issues in various digital satellite TV platforms and were ignored.
7fd03152a44b970103a49cde19ccd807This document provides the technical details of Issue 54 that was reported to Oracle on Feb 25, 2013 and that was evaluated by the company as the "allowed behavior".
f092afb7346a718a1d6a7c3ff600d9dd
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed