exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 45 RSS Feed

Files from saelo

Email addresssaelo at google.com
First Active2013-05-23
Last Active2020-11-09
Chrome V8 Turbofan Type Confusion
Posted Nov 9, 2020
Authored by saelo, Google Security Research

Turbofan fails to deoptimize code after map deprecation, leading to a type confusion vulnerability.

tags | exploit
advisories | CVE-2020-16009
SHA-256 | 4675105280cdacd6d7b10a3432235de93f0ad03438e55b1af205dc5e314ff026
PAC Bypass Due To Unprotected Function Pointer Imports
Posted Aug 19, 2020
Authored by saelo, Google Security Research

PAC aims to prevent an attacker with the ability to read and write memory from executing arbitrary code. It does that by cryptographically signing and validating code pointers (as well as some data pointers) at runtime. However, it seems that imports of function pointers from shared libraries in userspace are not properly protected by PAC, allowing an attacker to sign arbitrary pointers and thus bypass PAC.

tags | advisory, arbitrary
advisories | CVE-2020-9870
SHA-256 | 5678bd6488f4650c38c54830ecab44a07b651b61fd1c0a35953bf286d640cfe7
WebKit On iOS PAC / JIT Hardening Bypass
Posted Aug 14, 2020
Authored by saelo, Google Security Research

A PAC and JIT hardening bypass exists in WebKit on iOS.

tags | advisory
systems | ios
advisories | CVE-2020-9910
SHA-256 | 7e43df27a79d01df906491c3fa75f5b9b076ed4934270a40b2e9bf12e7d1271c
JSC JIT Out-Of-Bounds Access
Posted Jun 3, 2020
Authored by saelo, Google Security Research

The DFG and FTL JIT compilers incorrectly replace Checked with Unchecked ArithNegate operations (and vice versa) during Common Subexpression Elimination. This can then be exploited to cause out-of-bounds accesses and potentially other memory safety violations.

tags | exploit
advisories | CVE-2020-9802
SHA-256 | c63474f7958ed7b94d4d7df571792f778fb9ea8a94dac6a55e849f3c5a09d7e2
Google Chrome 67 / 68 / 69 Object.create Type Confusion
Posted Mar 5, 2020
Authored by saelo, timwr | Site metasploit.com

This Metasploit modules exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work.

tags | exploit
advisories | CVE-2018-17463
SHA-256 | 5a38c9abffbaf08c049cb1b58519cd4edf1737251883302e32656d4b4f6eadc6
macOS / iOS ImageIO OpenEXR Image Processing Memory Issues
Posted Mar 2, 2020
Authored by saelo, Google Security Research

macOS and iOS have a vulnerability with ImageIO where memory safety issues occur when processing OpenEXR images.

tags | exploit
systems | ios
SHA-256 | 23ef758e43b0bb631041d08cd27de77d60045e1369c4166c69601d12ea248b03
JSC DFG ObjectAllocationSinkingPhase Crash
Posted Mar 2, 2020
Authored by saelo, Google Security Research

An issue in JSC leaves the data flow graph inconsistent. While fuzzing JavaScriptCore with fuzzilli, the researcher found a crash condition in JSC.

tags | exploit
SHA-256 | f2e43004dcfceafecefbc6c781e8b7b7c0553fe8bd4f4bb81b7c35e3f2629141
OpenEXR Memory Safety Issues
Posted Feb 20, 2020
Authored by saelo, Google Security Research

OpenEXR suffers from multiple memory safety issues including out-of-bounds access.

tags | exploit
SHA-256 | d7f7bcfc376186e510d108af1edd8e502ddcaa95444256cedbc8fa3a1e31276e
macOS/iOS ImageIO PVR Processing Out-Of-Bounds Read
Posted Feb 7, 2020
Authored by saelo, Google Security Research

macOS and iOS suffer from an ImageIO out-of-bounds read when processing PVR images.

tags | exploit
systems | ios
advisories | CVE-2020-3878
SHA-256 | f6b6615ff3c10615db4544403efd534d79c5bca32c67cc20611c861580487992
macOS/iOS ImageIO PVR Image Processing Heap Corruption
Posted Feb 7, 2020
Authored by saelo, Google Security Research

macOS and iOS have an ImageIO heap corruption issue when processing malformed PVR images.

tags | exploit
systems | ios
advisories | CVE-2020-3878
SHA-256 | 546388d4bf46530e3c77204e301afd8ecd6eddfbb73e6073087f364fa8d6d25b
macOS ImageIO JPEG Out-Of-Bounds Write
Posted Feb 7, 2020
Authored by saelo, Google Security Research

ImageIO on macOS suffers from an issue where a heap out-of-bounds write occurs when processing JPEG images.

tags | exploit
advisories | CVE-2020-3827, CVE-2020-3870
SHA-256 | 0fded68d208fd526884efcafbf5ad255a269c1c26776d09f5cb316dd3ee8dc96
macOS/iOS ImageIO DDS Image Out-Of-Bounds Read
Posted Feb 7, 2020
Authored by saelo, Google Security Research

macOS and iOS suffer from an out-of-bounds read when processing DDS images with ImageIO.

tags | exploit
systems | ios
advisories | CVE-2020-3826
SHA-256 | 2a3ee9088ec7bc67462b2f166cd760628181995daea86c0601cdd51c7b7d773f
macOS / iOS ImageIO Heap Corruption
Posted Jan 27, 2020
Authored by saelo, Google Security Research

macOS and iOS suffers from an ImageIO heap corruption vulnerability when processing malformed TIFF images.

tags | exploit
systems | ios
SHA-256 | 13426064f89c728f71398758157ce3dd58664468ab3aed036f25619661b4c556
iMessage NSSharedKeyDictionary Decode Out-Of-Bounds Read
Posted Nov 11, 2019
Authored by saelo, Google Security Research

iMessage suffers from an issue where decoding NSSharedKeyDictionary can lead to out-of-bounds reads.

tags | advisory
advisories | CVE-2019-8746
SHA-256 | a772ba6d56eb9f4385d289203202f34b3b8949163d27b60eb66aefa0e64c8f4d
iMessage NSSharedKeyDictionary Decode Incorrect Address Read
Posted Nov 11, 2019
Authored by saelo, Google Security Research

iMessage suffers from an issue where decoding NSSharedKeyDictionary can read an ObjC object at attacker controlled address.

tags | exploit
advisories | CVE-2019-8641, CVE-2019-8662
SHA-256 | b18e9e6778ffc1757603d2aa43c54b09f80d4266e6e7a9dbcec8b1612156526a
JSC Argument Object Reconstruction Type Confusion
Posted Nov 5, 2019
Authored by saelo, Google Security Research

JSC suffers from a type confusion vulnerability during bailout when reconstructing arguments objects.

tags | exploit
advisories | CVE-2019-8820
SHA-256 | 762e61444c8ff7e2cb5b183d57fbdd52d862a600247e6dd7cb87b54328d97054
JavaScriptCore GetterSetter Type Confusion
Posted Oct 30, 2019
Authored by saelo, Google Security Research

JavaScriptCore (JSC) GetterSetter suffers from a type confusion vulnerability during DFG compilation.

tags | exploit
advisories | CVE-2019-8765
SHA-256 | f8e60930397de757314b85c289c63228a5b19761b6793d77e58b54ffc9aab262
V8 Map Migration Type Confusion
Posted Sep 17, 2019
Authored by saelo, Google Security Research

V8 map migration does not respect element kind, leading to a type confusion vulnerability.

tags | exploit
SHA-256 | 66abbd66703464406f6bb552f67f0494667856838fdad4d68539221d8a3797c1
iOS Messaging Tools
Posted Aug 7, 2019
Authored by saelo, Google Security Research, natashenka

This repository contains several tools Project Zero uses to test iPhone messaging. It includes SmsSimulator: an SMS simulator for iPhone, iMessage: tools for sending and dumping iMessage messages, and imapiness: a fuzzer for IMAP clients. See the directory for each tool for further instructions and contact information. This is not an officially supported Google product. These tools were released and presented at BlackHat USA 2019.

tags | tool, telephony, imap, fuzzer
systems | apple, iphone
SHA-256 | fa8f560293640c4759f220069490d2498cf18f75ce1183b3ab8f77dd819585e5
NSKeyedUnarchiver ObjC Object Use-After-Free
Posted Jul 29, 2019
Authored by saelo, Google Security Research

NSKeyedUnarchiver suffers from a use-after-free vulnerability with ObjC objects when unarchiving OITSUIntDictionary instances even if secureCoding is required.

tags | exploit
advisories | CVE-2019-8662
SHA-256 | 63703796ab8c03a5e2f4d71cdf0827418691b14bf48da00e28c71cabc8224370
JSC ValueProfiles JSValue Use-After-Free
Posted Jul 29, 2019
Authored by saelo, Google Security Research

JavaScriptCore suffers from an issue where there's a JSValue use-after-free vulnerability in ValueProfiles.

tags | advisory
advisories | CVE-2019-8672
SHA-256 | a9501df8f786600223589a22ac96f06da65cf505b543b54f2ef6219f16639ac6
JSC DFG LICM Object Property Access Unguarded
Posted Jul 29, 2019
Authored by saelo, Google Security Research

JavaScriptCore DFG loop-invariant code motion (LICM) has an issue where it leaves object property access unguarded.

tags | advisory
advisories | CVE-2019-8671
SHA-256 | 8fd7bdc27408729bccdf334f804fe0fb27728920396e0444c1671aec6b62ab56
Spidermonkey Uninitialized Memory Access
Posted Jul 9, 2019
Authored by saelo, Google Security Research

In Spidermonkey, definite properties are incorrectly computed in some cases, leading to uninitialized memory access when unboxed objects are enabled.

tags | advisory
SHA-256 | d5e57b45335987c57a60c695f2a40c77e9067f21be0de63eebb043e2659b8b6c
Spidermonkey IonMonkey Incorrect Prediction
Posted Jun 25, 2019
Authored by saelo, Google Security Research

Spidermonkey IonMonkey incorrectly predicts return type of Array.prototype.pop, leading to type confusion vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2019-11707
SHA-256 | 9e304ae2a07d3108f6f5ef85d1c28d031eea4e4fd06da0f3643edab9e09c52ee
Safari Webkit Proxy Object Type Confusion
Posted Jun 2, 2019
Authored by saelo, Ian Beer, Siguza, niklasb | Site metasploit.com

This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.

tags | exploit, arbitrary, kernel, javascript, shellcode
advisories | CVE-2017-13861, CVE-2018-4233
SHA-256 | ac8550e0b0dd814a249c313353fcb65341e18bb2e59885151b0cffac8172e060
Page 1 of 2
Back12Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close