exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 113 RSS Feed

Files from Ivan Fratric

Email addressifratric at google.com
First Active2007-03-08
Last Active2023-01-13
libCoreEntitlements CEContextQuery Arbitrary Entitlement Returns
Posted Jan 13, 2023
Authored by Ivan Fratric, Google Security Research

On newer macOS/iOS versions, entitlements in binary signature blobs are stored in the DER format. libCoreEntitlements.dylib is the userspace library for parsing and querying such entitlements. The kernel has its own version of this library inside the AppleMobileFileIntegrity module. libCoreEntitlements exposes several functions, such as, for example, to convert entitlements to a dictionary representation (e.g. CEQueryContextToCFDictionary) or to query a specific entitlement (CEContextQuery). Unfortunately, different functions traverse the DER structure in a subtly different way, which allows one API to see one set of entitlements and another API to see a different set of entitlements.

tags | exploit, kernel
systems | apple, ios
advisories | CVE-2022-42855
SHA-256 | 9313c983a56ba7500d8b9861b16b1c103ae3a9454de12a836126f89cec59a1b8
Cisco Jabber XMPP Stanza Smuggling
Posted Oct 20, 2022
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in Cisco Jabber that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Cisco Jabber client, including XMPP stanzas that are normally sent only by the trusted server.

tags | exploit, arbitrary
systems | cisco
advisories | CVE-2022-20917
SHA-256 | ed2115ba91caeae4b0245ae0141359b56fa7d27077ea7a8cb6d34c1aa2ad914c
macOS RawCamera Out-Of-Bounds Write
Posted Aug 22, 2022
Authored by Ivan Fratric, Google Security Research

There is an out-of-bounds write vulnerability when decoding a certain flavor of RAW image files on macOS. The vulnerability has been confirmed on macOS 12.3.1. Although the advisory notes an attached poc, Google did not have one attached.

tags | advisory
advisories | CVE-2022-32802
SHA-256 | b0cdd2ef0c901dd72ddd0b3fa6f8cc6fcb53635705915e5ec0c9100853c07cb3
Kik Messenger XMPP Stanza Smuggling
Posted Jun 10, 2022
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in Kik Messenger for Android that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Kik client, including XMPP stanzas that are normally sent only by the Kik server. Included is a proof of concept that demonstrates sending of the stc stanza which triggers a captcha dialog and opens an arbitrary attacker-control webpage on the victim client. However, the full impact is likely larger than this, and includes any application features accessible over XMPP.

tags | exploit, arbitrary, proof of concept
SHA-256 | 3f66b31a34e395df392668d6453b6eee4bbfd623765c95d99108116f95c8a143
Tigase XMPP Server Stanza Smuggling
Posted May 26, 2022
Authored by Ivan Fratric, Google Security Research

Tigase XMPP server suffers from a security vulnerability due to not escaping double quote character when serializing parsed XML. This can be used to smuggle (or, if you prefer, inject) an arbitrary attacker-controlled stanza in the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).

tags | exploit, arbitrary
SHA-256 | 80c339179764f04e39876070e482957638cbcf822ccdb04b5cc72ea035585e1e
Zoom XMPP Stanza Smuggling Remote Code Execution
Posted May 24, 2022
Authored by Ivan Fratric, Google Security Research

This report describes a vulnerability chain that enables a malicious user to compromise another user over Zoom chat. User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol. Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom's client and server in order to be able to "smuggle" arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack. Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is utilized to bypass signature check on the update installer. This attack has been demonstrated against the latest (5.9.3) client running on Windows 64-bit, however some or all parts of the chain are likely applicable to other platforms.

tags | exploit, arbitrary, code execution, protocol
systems | windows
advisories | CVE-2022-22787, CVE-2022-25236
SHA-256 | c5835f3651ef4f351fdd27038787c6bd633712398f3562132cf3224e2a0a5e16
Internet Explorer JIT Optimization Memory Corruption
Posted Sep 10, 2021
Authored by Ivan Fratric, Google Security Research

Internet Explorer suffers from an issue where incorrect JIT optimization in jscript9.dll leads to memory corruption.

tags | exploit
advisories | CVE-2021-34480
SHA-256 | cb83b562636ea76e2bb8cf3458b612c7c7976ae831087491f462b16ec9a8758e
JavaScriptCore Crash Proof Of Concept
Posted Aug 19, 2021
Authored by Ivan Fratric, Google Security Research

JavaScriptCore suffers from a crash condition due to an uninitialized register in slow_path_profile_catch. Proof of concept that affects Safari is included.

tags | exploit, proof of concept
advisories | CVE-2021-30797
SHA-256 | 8dd2cde7c2edb66fc6061ca48debe795fc639981944e4354c301b47af6a7c4b1
Internet Explorer jscript9.dll Memory Corruption
Posted Jun 9, 2021
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in jscript9 that could potentially be exploited to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2020-1380, CVE-2021-31959
SHA-256 | 606c70d052dc8c1d7e1341312dd04cc58864a77781e24662e763b3034ce543ce
Internet Explorer jscript9.dll Memory Corruption
Posted May 13, 2021
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in jscript9 that could be potentially used by an attacker to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2021-26419
SHA-256 | a69629e9e2a8eed322ffb78022a68eb8a35d57aa71fce77bfd75edc522377bec
macOS CoreGraphics Integer Overflow / Out-Of-Bounds Write
Posted Mar 15, 2021
Authored by Ivan Fratric, Google Security Research

CoreGraphics can be made to write out-of-bounds memory when rendering a specially crafted font. This vulnerability can also be triggered through Safari. The vulnerability was confirmed on macOS Big Sur version 11.1.

tags | exploit
advisories | CVE-2021-1776
SHA-256 | e8027d05a6dd6acb716ee4876e073b6e72b34b7dfda2f94a9e8c4770517e1ddd
Microsoft Windows WindowsCodecsRaw!COlympusE300LoadRaw Out-Of-Bounds Write
Posted Mar 9, 2021
Authored by Ivan Fratric, Google Security Research

There is an out-of-bounds write vulnerability in WindowsCodecsRaw.dll in the COlympusE300LoadRaw::olympus_e300_load_raw function that can be triggered by parsing a crafted Olympus E300 raw image with Windows Imaging Component (WIC). The vulnerability has been reproduced on Windows 10 64-bit with the most recent patches applied.

tags | exploit
systems | windows
advisories | CVE-2021-24091
SHA-256 | d01f7ca6621863dce70b509fef4e28ee4b3568035e8e437b4e161e9285c8ecbb
macOS ImageIO Out-Of-Bounds Write
Posted Dec 16, 2020
Authored by Ivan Fratric, Google Security Research

There is an out-of-bounds write vulnerability when decoding a malformed PICT image on macOS. The vulnerability has been confirmed on the latest stable macOS version.

tags | exploit
advisories | CVE-2020-29611
SHA-256 | c35348d97c283eb70c823e79074d302b25abb42fe776372cea3414d300e1ce0d
Microsoft Windows WindowsCodecsRaw!CCanonRawImageRep::GetNamedWhiteBalances Out-Of-Bounds Read
Posted Nov 13, 2020
Authored by Ivan Fratric, Google Security Research

There is an out-of bounds read vulnerability in WindowsCodecsRaw.dll while processing a malformed Canon raw image. This can potentially lead to disclosing the memory of the affected process. All applications that use Windows Image Codecs for image parsing are potentially affected. The vulnerability has been confirmed on Windows 10 v2004 with the most recent patches applied.

tags | advisory
systems | windows
advisories | CVE-2020-17113
SHA-256 | 449ae24e2e05dd0778a7ef251c34dfe7a3baf77ef865a69c498ccb7a059d82e3
Microsoft Internet Explorer Use-After-Free
Posted Nov 21, 2019
Authored by Ivan Fratric, Google Security Research

Microsoft Internet Explorer suffers from a use-after-free vulnerability in Script arguments during toJSON callback.

tags | exploit
advisories | CVE-2019-1429
SHA-256 | 8028683bdacfe9537d7aa6ebec7ccf45a6d6f6e1549c16b0e3cc53a6d8853f2b
Microsoft Edge Flash click2play Bypass
Posted Mar 19, 2019
Authored by Ivan Fratric, Google Security Research

Microsoft Edge suffers from a Flash click2play bypass with CObjectElement::FinalCreateObject.

tags | exploit
advisories | CVE-2019-0612
SHA-256 | fdda336815ac63fe08759882eed8c25471acba4310abb045c2527612f4538060
VBScript VbsErase Memory Corruption
Posted Mar 19, 2019
Authored by Ivan Fratric, Google Security Research

There is an issue in VBScript in the VbsErase function. In some cases, VbsErase fails to clear the argument variable properly, which can trivially lead to crafting a variable with the array type, but with a pointer controlled controlled by an attacker.

tags | exploit
advisories | CVE-2019-0667
SHA-256 | e3cbf1077875f9a05eea70f53538809230cbe1a14641ae99c456cce2835e9409
Microsoft Edge Insecure click2play Whitelist
Posted Feb 19, 2019
Authored by Ivan Fratric, Google Security Research

Microsoft Edge has an issue where the default flash click2play whitelist is insecure.

tags | advisory
advisories | CVE-2019-0641
SHA-256 | b67a708bf7118de58f25eedb37a2a8891d000105b033f1e3397bcf8d54354a2a
Skia Buffer Overflow
Posted Feb 6, 2019
Authored by Ivan Fratric, Google Security Research

Incorrect convexity assumptions in Skia can lead to multiple buffer overflow vulnerabilities.

tags | exploit, overflow, vulnerability
SHA-256 | 3a576a2a2e1e3f21c3c1af4f1257d137b7f010a80f1df3c8ddb7ca7a404aec6d
VBScript MSXML Policy Bypass
Posted Dec 19, 2018
Authored by Ivan Fratric, Google Security Research

Starting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default. However, the VBScript execution policy does not appear to cover VBScript code in MSXML xsl files which can still execute VBScript, even when loaded from the Internet Zone.

tags | exploit
systems | windows
advisories | CVE-2018-8619
SHA-256 | b0f1afdfeed7b58164b0ac07caec27811ba02f778e45365490b8d741eb009e35
VBScript VbsErase Reference Leak
Posted Dec 19, 2018
Authored by Ivan Fratric, Google Security Research

There is an reference leak in Microsoft VBScript that can be turned into an use-after-free given sufficient time. The vulnerability has been confirmed in Internet Explorer on various Windows versions with the latest patches applied.

tags | exploit
systems | windows
advisories | CVE-2018-8625
SHA-256 | bbed7824f89e9377c1a62b7a38d9841ad9be96f597755fed927b3e56bee44b2c
Microsoft Windows jscript!JsArrayFunctionHeapSort Out-Of-Bounds Write
Posted Dec 18, 2018
Authored by Ivan Fratric, Google Security Research

There is an out-of-bounds write vulnerability in jscript.dll in the JsArrayFunctionHeapSort function. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network.

tags | exploit, local
advisories | CVE-2018-8631
SHA-256 | 44579881567c53e64a8aab7be8ad5b9de9c62e57487408187bfa4fe7b1adbd56
Microsoft VBScript rtFilter Out-Of-Bounds Read
Posted Nov 30, 2018
Authored by Ivan Fratric, Google Security Research

There is an out-of-bounds vulnerability in Microsoft VBScript in rtFilter. The vulnerability has been confirmed in Internet Explorer on Windows 7 with the latest patches applied.

tags | exploit
systems | windows
advisories | CVE-2018-8552
SHA-256 | 787b477ccfcf4e5ec10751b188d5bc87141748ffcd37526a29a5654c900f7593
Microsoft VBScript OLEAUT32!VariantClear / scrrun!VBADictionary::put_Item Use-After-Free
Posted Nov 30, 2018
Authored by Ivan Fratric, Google Security Research

There is a use-after-free vulnerability in Microsoft VBScript. The vulnerability has been confirmed in Internet Explorer on Windows 7 with the latest patches applied. There are possibly two vulnerabilities triggerable by the same proof of concept included.

tags | exploit, vulnerability, proof of concept
systems | windows
advisories | CVE-2018-8544
SHA-256 | 4d368e653a42596f0318f358cc51225567ac7ae3f445045de8e6e98d697a4007
WebKit WebCore::InlineTextBox::paint Out-Of-Bounds Read
Posted Sep 25, 2018
Authored by Ivan Fratric, Google Security Research

WebKit suffers from a WebCore::InlineTextBox::paint out-of-bounds read vulnerability.

tags | exploit
advisories | CVE-2018-4328
SHA-256 | 994518e9454b66b07b1cd4ca2b9c80bad5057866a1f0bfc7cba8cbaab2478e58
Page 1 of 5
Back12345Next

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close