FaceTime suffers from an out-of-bounds read vulnerability in _RSU_DecodeByteBuffer.
fa09fd95c1d80107456b04a936a43a4bc80318ba53f17a4669d03b5c70a1f8d0There is a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up.
3b9a4c627b9644243c268bf86ee703b8a5487f12549034ded884f920a1b96ec3An issues exists in iMessage where decoding NSSharedKeyDictionary can read objects out of bounds.
ec6fed9513fd047a8b8dda36d5bd4db2dcf6f3e0aa1d06d56adc0e4f1bd3e3eaNSKeyedUnarchiver suffers from an information leak when decoding the SGBigUTF8String class using [SGBigUTF8String initWithCoder:]. This class initializes the string using [SGBigUTF8String initWithUTF8DataNullTerminated:] even though there is no guarantee the bytes provided to the decoder are null terminated. It should use [SGBigUTF8String initWithUTF8Data:] instead.
350595d4b62128692b25160fd0dc54b6e14a6ff528c3e77b5bce0cd7797ace73This repository contains several tools Project Zero uses to test iPhone messaging. It includes SmsSimulator: an SMS simulator for iPhone, iMessage: tools for sending and dumping iMessage messages, and imapiness: a fuzzer for IMAP clients. See the directory for each tool for further instructions and contact information. This is not an officially supported Google product. These tools were released and presented at BlackHat USA 2019.
fa8f560293640c4759f220069490d2498cf18f75ce1183b3ab8f77dd819585e5iMessage suffers from a heap overflow vulnerability when deserializing a URL. This affects Macs only.
2f5c0ce4f32d1e01da4624b1c0fc401f0c5871abc917b01bf2bfc9d63f3d6a34iMessage suffers from a memory corruption vulnerability when decoding NSKnownKeysDictionary1.
f3f3a02ba980c223208ec503d2c4f3f27010697688b8d75d71b43f8085694f67iMessage suffers from a vulnerability where NSArray deserialization can invoke a subclass that does not retain references.
06b590135e589bcd01f211a6bf1d481e9256276cf36f296ebd6050a735c1853aiMessage suffers from a vulnerability where NSKeyedUnarchiver deserialization allows file backed NSData objects.
6c7c840d2fc2b11f68245ed1c1330a7246311f86308b102d287fb1ef3322a711iMessage suffers from an out-of-bounds read vulnerability in DigitalTouch tap message processing.
43c0de1b0e61b238665de50f7e836ad89cf87bcb0d36b06a11a92a974125f5c3An issue exists where a malformed iMessage can brick an iPhone. A method in IMCore can throw an NSException due to a malformed message containing a property with key IMExtensionPayloadLocalizedDescriptionTextKey with a value that is not a NSString.
386b80597a37e396ddf40dd708c4b4c2f1bb231ffc13b70144ae69977d215d60Visual Voicemail for iPhone suffers from a use-after-free vulnerability in IMAP NAMESPACE processing.
9c8b27fd5dc694419a2e1fe2acaec09a3a3748cecd6c755d74306abf2fa147f4FaceTime suffers from a memory corruption vulnerability in texture processing.
456e0d893dd3df1abb1fe038f7897df89ba3cdd6079859c0904cf3a92f19a6eaThere is a memory corruption issue when processing a malformed RTP video stream in FaceTime that leads to a kernel panic due to a corrupted heap cookie or data abort. This bug can be reached if a user accepts a call from a malicious caller. This issue only affects FaceTime on iOS, it does not crash on a Mac.
b654a42ccec58f4aa8867fe675b6574d58dc4650d28d211847ba1d2a5837e8e6There is a heap corruption vulnerability in VCPDecompressionDecodeFrame which is called by FaceTime. This bug can be reached if a user accepts a call from a malicious peer.
1bd312f7b4a101fec53ac225a7f3d6e0201421a8aa365cfae0b3c2da6c90a236FaceTime suffers from a stack corruption vulnerability in readSPSandGetDecoderParams.
928e14bf951e6370a242b3da65a0b6ef51852753ddfde59fb41281e9301ce912WhatsApp suffers from a heap corruption vulnerability in RTP processing.
e053dae6b5c926d9d1c66aa29e059009fecb9861a5a9937ccd1fa50f7ffcea53There is a use-after-free vulnerability in VP9 processing in WebRTC.
3de9dfbe45b600a81bef11b3e0c8dba9d10f8c1083af8613355a70d4f24ad53fThere is an out-of-bounds read in FEC processing in WebRTC. If a very short RTP packet is received, FEC will assume the packet is longer and process data outside of the allocated buffer.
39793d38c3a29b7600f62812e46288144c0f4fffd5e5f5bc792d95d84c28a362Adobe Flash suffers from an out-of-bounds read vulnerability during AVC processing.
531f10bd21568c96270daeecaec7bda04a914e92764157798912ea0b8f4e9cd6There is a use-after-free in VP8 block decoding in WebRTC. The contents of the freed block is then treated a pointer, leading to a crash in WebRTC.
21d523fd5549d9556e9ef3c105036bc75e80a29b5eeba23b027e4818267b1b23There are several calls to memcpy that can overflow the destination buffer in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket. The method takes a parameter incoming_rtp_packet, which is an RTP packet with a mac length that is defined by the transport (2048 bytes for DTLS in Chrome). This packet is then copied to the received_packet in several locations in the method, depending on packet properties, using the lenth of the incoming_rtp_packet as the copy length. The received_packet is a ForwardErrorCorrection::ReceivedPacket, which has a max size of 1500. Therefore, the memcpy calls in this method can overflow this buffer.
d1a68d115602943c75ef4224cd1f0eadd4d0f1d0737c781bbf560884db40f90eWebRTC suffers from a type confusion vulnerability when processing an H264 NAL packet.
7a98aa48ebd3fd8ee3a76a39cc9359ca7355ec5c84d89ba4f028ce76ad7080caGoogle Chrome suffers from an integer overflow vulnerability when processing WebAssembly Locals.
9cdb315bf27a24d104e7f75c381349c321c0a4d9c89647c314f0fe32a7d8d627WebKit suffers from an information leak vulnerability in WebAssembly Compilation.
9ff8d6e66bbcdfda552522b598b13d043b8118bae2e6ac620ec1f9e61f1f8e95
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed