Files from Roee Hay

First active 2008-10-09, last active 2017-09-04.
Motorola Bootloader Kernel Cmdline Injection / Bypass
Posted Sep 4, 2017
Authored by Roee Hay

Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow kernel command-line injection. Additionally, they suffer from a bypass vulnerability.

tags | exploit, kernel, bypass
advisories | CVE-2016-10277
MD5 | f54a07c030c9fe4687175e84ce86bb26
Google Nexus 9 SensorHub Firmware Downgrade
Posted May 9, 2017
Authored by Roee Hay

Google Nexus 9 SensorHub firmware suffers from a downgrade vulnerability.

tags | advisory
advisories | CVE-2017-0582
MD5 | bbcefa87ca229be186695f9a0064d331
Google Nexus 9 Build N4F27B Cypress SAR Firmware Injection
Posted May 5, 2017
Authored by Roee Hay | Site alephsecurity.com

Nexus 9 Android builds before N4F27B contain a firmware injection vulnerability over the I2C bus, caused by a flaw in how the SAR sensor driver flashes firmware. Exploitation requires access to the I2C bus, which is reachable via the USB fastboot interface and via the HBOOT interface exposed on the headphone jack.

tags | advisory
advisories | CVE-2017-0563
MD5 | d42adf741e44e87d3516acfb2d17098d
Attacking Nexus 9 With Malicious Headphones
Posted Mar 13, 2017
Authored by Roee Hay, Sagi Kedmi

Nexus 9 running Android version 7.1.1 build N4F26Q and below allows unauthorized access to the FIQ debugger via the headphone jack, which enables information theft, weakening of ASLR, leaking of stack canaries, and more.

tags | advisory
advisories | CVE-2017-0510
MD5 | a85db80f865acc493884ac5e7d1cbf2a
Android 6.0.0 MDA89E / 6.0.1 MMB29V OEM Panic
Posted Sep 5, 2016
Authored by Roee Hay

Android versions 6.0.0 MDA89E through 6.0.1 MMB29V suffer from a flaw in which the fastboot oem panic command causes the bootloader to expose a serial-over-USB connection, allowing an attacker to obtain a full memory dump of the device using tools such as QPST Configuration.

tags | exploit
MD5 | add45a5430a05b3557074d8e50a5bc68
Apache Cordova Android 3.6.4 BridgeSecret Weak Randomization
Posted Nov 21, 2015
Authored by Roee Hay, David Kaplan

Apache Cordova Android versions 3.6.4 and below use a bridge that allows the native application to communicate with the HTML and JavaScript that control the user interface. On Android, the framework guards this bridge with a BridgeSecret so that third-party code cannot hijack it. However, the BridgeSecret is not sufficiently random and can be determined in certain scenarios.

tags | advisory, javascript
advisories | CVE-2015-5257
MD5 | 99b559e55f240aaddaa21a9964e6680e
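The weakness described above belongs to a general class: a secret drawn from a general-purpose PRNG seeded from a low-entropy source can be recovered by re-seeding the same generator over the plausible seed range and testing each output against the thing the secret protects. The Python below is an added illustration of that class, not Cordova's code or the authors' exploit; random.Random stands in for a non-cryptographic generator, the millisecond-timestamp seeding and the ToyBridge oracle are constructed assumptions, and the hardened form simply takes the secret from the OS CSPRNG.

```python
import random
import secrets


def weak_bridge_secret(seed_ms):
    """Model of the weakness: the 'secret' is drawn from a general-purpose PRNG
    (random.Random stands in for java.util.Random) whose seed comes from a
    low-entropy source, here a millisecond timestamp. The seeding detail is an
    illustrative assumption about this class of bug, not Cordova's code."""
    return random.Random(seed_ms).getrandbits(32)


class ToyBridge:
    """Stand-in for the native<->JavaScript bridge: a caller must present the
    secret; the bridge only answers yes or no (constructed for this example)."""

    def __init__(self, secret):
        self._secret = secret
        self.attempts = 0

    def accepts(self, candidate):
        self.attempts += 1
        return candidate == self._secret


def hijack_bridge(bridge, approx_time_ms, window_ms):
    """Third party that knows roughly when the app started re-seeds the same
    PRNG for every candidate millisecond in the window and tries each output
    against the bridge. Returns the recovered secret, or None if the window
    did not contain the real seed."""
    for cand in range(approx_time_ms - window_ms, approx_time_ms + window_ms + 1):
        guess = weak_bridge_secret(cand)
        if bridge.accepts(guess):
            return guess
    return None


def strong_bridge_secret():
    """Hardened form: the secret comes from the OS CSPRNG, so there is no
    small seed space to search; an attacker faces the full 2^32 guesses."""
    return secrets.randbits(32)


def demo():
    start_ms = 1_447_000_000_000        # constructed app start time (ms)
    bridge = ToyBridge(weak_bridge_secret(start_ms))
    # attacker's clock is off by a bit over a second; searches +/- 5 s
    recovered = hijack_bridge(bridge, start_ms + 1234, 5000)
    return recovered, bridge.attempts
```

Against the weak generator the search finishes in a few thousand bridge calls; against strong_bridge_secret() the same search over a few seconds of candidate seeds finds nothing, because the secret was never a function of a seed an outsider can narrow down.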
Dropbox SDK For Android Remote Exploitation
Posted Mar 11, 2015
Authored by Roee Hay, Or Peles

A vulnerability in the Dropbox SDK for Android may enable theft of sensitive information from apps that use the vulnerable SDK, both locally by malware and remotely via drive-by exploitation techniques.

tags | exploit, paper
advisories | CVE-2014-8889
MD5 | 9274033584a6daa1b2971e6040ac7597
SpoofedMe - Intruding Accounts Using Social Login Providers
Posted Dec 4, 2014
Authored by Roee Hay, Or Peles

In this paper, the authors present an implementation vulnerability found in some popular social login identity providers (including LinkedIn, Amazon and Mydigipass.com) and show how this vulnerability allowed them to impersonate users of third-party websites.

tags | paper
MD5 | b7ac7ad3e6649189ecd29e7c94daf083
Apache Cordova 3.5.0 Data Leak
Posted Aug 12, 2014
Authored by Roee Hay, David Kaplan

Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network. This release is an update to a prior advisory.

tags | advisory, arbitrary, javascript
advisories | CVE-2014-3502
MD5 | 11bd1a4ff480650cd4d04188db43facf
Apache Cordova Bypass / Information Disclosure / Insertion
Posted Aug 5, 2014
Authored by Roee Hay, David Kaplan

Apache Cordova versions up to 3.5.0 suffer from information disclosure, whitelist bypass, and cross application issues.

tags | advisory, bypass, info disclosure
advisories | CVE-2014-3500, CVE-2014-3501, CVE-2014-3502
MD5 | dd860ba5f5204c9fcc1c00d83222f22a
Android KeyStore Stack Buffer Overflow
Posted Jun 23, 2014
Authored by Roee Hay, Avi Dayan

This whitepaper discusses a stack-based buffer overflow vulnerability in the Android KeyStore service which affects Android 4.3 and below.

tags | exploit, overflow
advisories | CVE-2014-3100
MD5 | 57b5c46e9cae6f3219be13865cb059ad
Firefox For Android Information Leak
Posted Mar 26, 2014
Authored by Roee Hay

A series of vulnerabilities have been discovered in Firefox for Android that allow a malicious application to derandomize the Firefox profile directory name in a practical amount of time and then leak sensitive data (such as cookies and cached information) residing in that directory, breaking Android's sandbox.

tags | advisory, vulnerability
advisories | CVE-2014-1484, CVE-2014-1506, CVE-2014-1515, CVE-2014-1516
MD5 | 699f64e82b938cd738a1e35d07583fcf
Android Collapses Into Fragments
Posted Dec 11, 2013
Authored by Roee Hay

This paper presents a newly discovered vulnerability in the Android Framework which breaks its sandbox environment. This vulnerability affects many Android applications including ones which are bundled with every Android device. The vulnerability has been patched in Android KitKat.

tags | advisory, paper
MD5 | 403a1b520c6ea916a357ed67df9ae026
Subverting BIND's SRTT Algorithm: Derandomizing NS Selection
Posted Aug 14, 2013
Authored by Roee Hay, Jonathan Kalechstein, Gabi Nakibly

BIND is exposed to a new vulnerability which can be exploited remotely in order to derandomize the name server selection algorithm. Exploitation of this vulnerability can be used in conjunction with other off-path DNS cache poisoning exploits in order to make them more efficient. ISC has acknowledged the vulnerability and plans to address this deficiency by re-implementing the SRTT algorithm in future maintenance releases of the BIND 9 code. This whitepaper goes into great detail regarding this issue.

tags | advisory
MD5 | dfeff92eab9896fa7fecfa797864d3f2
Android 4.0.4 DNS Poisoning
Posted Jul 24, 2012
Authored by Roee Hay

Android versions 4.0.4 and below suffer from a DNS poisoning vulnerability.

tags | advisory
advisories | CVE-2012-2808
MD5 | f0e7d1f6cb180eaacaaf0ea77a3c5d79
Android 2.3.7 SQLite Disclosure
Posted May 3, 2012
Authored by Roee Hay

SQLite databases stored on Android suffer from an insecure permission vulnerability. Android version 2.3.7 is affected.

tags | advisory, info disclosure
MD5 | 64654c20829d05716e2aff1208cffd22
DNS Poisoning Via Port Exhaustion
Posted Oct 19, 2011
Authored by Yair Amit, Roee Hay

Whitepaper called DNS Poisoning Via Port Exhaustion. It covers everything from how DNS poisoning works to various methods of performing attacks, and discloses two vulnerabilities. One is in Java and enables remote DNS poisoning using Java applets. The other affects multiuser Windows environments and allows local poisoning of the DNS cache for arbitrary domains.

tags | advisory, paper, java, remote, arbitrary, local, vulnerability
systems | windows
advisories | CVE-2011-3552, CVE-2010-4448
MD5 | c5b8f7158b3d193cd6c9e9cf005ea3ca
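This paper and the BIND SRTT whitepaper above attack the same problem from two sides. An off-path forger cannot see the resolver's query, so its forged answer must match the authoritative server the resolver actually asked, the UDP source port it used and the 16-bit transaction ID. Derandomizing the server choice (SRTT) and the source port (exhaustion) each removes one factor from that guess space. The Python below is an added model of that reasoning, not code from either paper: the resolver, its smoothing factor and timeout penalty, and the two attack helpers are illustrative assumptions, not BIND's or Windows' actual behaviour.

```python
import random

TXID_SPACE = 1 << 16  # 16-bit DNS transaction ID


class ToyResolver:
    """Minimal model of the two randomised choices a resolver makes per query:
    which authoritative server to ask (the one with the lowest smoothed RTT,
    as in BIND's SRTT-based selection) and which UDP source port to send from
    (a random pick from the ports nothing else on the host has bound).
    The smoothing factor and timeout penalty are illustrative, not BIND's."""

    def __init__(self, nameservers, free_ports, rng):
        self.srtt = {ns: 0.0 for ns in nameservers}  # untried servers tie
        self.free_ports = list(free_ports)
        self.rng = rng

    def candidate_nameservers(self):
        best = min(self.srtt.values())
        return [ns for ns, v in self.srtt.items() if v == best]

    def record_response(self, ns, rtt_ms):
        # a fast answer pulls a server's estimate down, making it preferred
        self.srtt[ns] = 0.7 * self.srtt[ns] + 0.3 * rtt_ms

    def record_timeout(self, ns):
        # a server that failed to answer is pushed well behind the others
        self.srtt[ns] = max(2 * self.srtt[ns], 1000.0)

    def send_query(self):
        ns = self.rng.choice(self.candidate_nameservers())
        port = self.rng.choice(self.free_ports)
        return ns, port, self.rng.randrange(TXID_SPACE)


def offpath_guess_space(resolver):
    """Forged answers an attacker who cannot see the query must be prepared
    to send to cover every (server, port, TXID) the resolver might use."""
    return len(resolver.candidate_nameservers()) * len(resolver.free_ports) * TXID_SPACE


def derandomise_nameserver(resolver, keep):
    """SRTT attack, modelled: make every server except `keep` look slow by
    forcing the resolver to time out against them, so `keep` always wins."""
    for ns in resolver.srtt:
        if ns != keep:
            resolver.record_timeout(ns)


def exhaust_ports(resolver, keep):
    """Port-exhaustion attack, modelled: code on the same host binds every
    free UDP port except `keep`, leaving the resolver one source port."""
    resolver.free_ports = [keep]


def demo():
    rng = random.Random(7)
    r = ToyResolver(["ns1", "ns2", "ns3", "ns4"], range(1024, 65536), rng)
    spaces = [offpath_guess_space(r)]
    derandomise_nameserver(r, "ns2")
    spaces.append(offpath_guess_space(r))
    exhaust_ports(r, 53000)
    spaces.append(offpath_guess_space(r))
    ns, port, _txid = r.send_query()
    return spaces, ns, port
```

With four servers and the full port range the attacker must cover about 16.9 billion combinations; fixing the server leaves about 4.2 billion, and fixing the port as well leaves only the 65,536 TXID values, which is the pre-port-randomization situation the two papers show can be recreated.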
Dolphin Browser HD Cross Application Scripting
Posted Sep 21, 2011
Authored by Yair Amit, Roee Hay

Dolphin Browser HD versions prior to 6.1.0 suffer from a cross-application scripting vulnerability.

tags | exploit
advisories | CVE-2011-2357
MD5 | 826ca615f66eec0b96c8a93b6448b8a9
Opera Mobile 11.1 Cross Application Scripting
Posted Sep 21, 2011
Authored by Roee Hay

Opera Mobile version 11.1 suffers from a cross application scripting vulnerability.

tags | exploit, bypass
MD5 | ca15e19694f2748501cf619487d06cdb
Android Browser Cross Application Scripting
Posted Aug 2, 2011
Authored by Yair Amit, Roee Hay

A third-party application can abuse the Android Browser's URL loading process to inject JavaScript code into an arbitrary domain, thus breaking Android's sandboxing. Versions 2.3.4 and 3.1 have been found vulnerable.

tags | exploit, arbitrary, javascript
advisories | CVE-2011-2357
MD5 | 91a911e39a5776f88b435534fba5a165
Babylon Cross-Application Scripting Code Execution
Posted Nov 11, 2010
Authored by Yair Amit, Roee Hay

The Babylon online dictionary and translation software fails to sanitize user input before rendering it in the Trident control, leading to a cross-application scripting vulnerability. The Trident control runs in the Local Machine Zone (LMZ), which is not locked down, so the vulnerability allows code execution.

tags | advisory, local, code execution
MD5 | 95d9c792fd52924420472ade3d4115d4
AVM2 abcFile Parser Code Integer Overflow
Posted Aug 5, 2009
Authored by Roee Hay

Adobe Flash Player has an integer overflow in the AVM2 abcFile parser code that handles the intrf_count value of the instance_info structure.

tags | advisory, overflow
advisories | CVE-2009-1869
MD5 | c97ab6cd4efe3c255ca6366614aaa159
Posted Oct 9, 2008
Authored by Roee Hay

A vulnerability exists in Graphviz's parsing engine which makes it possible to overflow a globally allocated array and thereby corrupt memory. Graphviz version 2.20.2 is affected.

tags | advisory, overflow
MD5 | f0a4b70321287389f5f51e6a368aeb51
© 2020 Packet Storm. All rights reserved.