exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 129 RSS Feed

Files from Ivan Fratric

Email addressifratric at google.com
First Active2007-03-08
Last Active2024-01-12
macOS AppleVADriver Out-Of-Bounds Write
Posted Jan 12, 2024
Authored by Ivan Fratric, Google Security Research

macOS suffers from an out-of-bounds write vulnerability in AppleVADriver when decoding mpeg2 videos.

tags | exploit
advisories | CVE-2023-42882
SHA-256 | a755a34876f36a8a24fb4024eeda524426d61439be93ad37d2aa3f187ed43ce5
macOS AppleGVA Memory Handling
Posted Jan 12, 2024
Authored by Ivan Fratric, Google Security Research

On Intel macOS, HEVC video decoding is performed in the AppleGVA module. Using fuzzing, researchers identified multiple issues in this decoder. The issues range from out-of-bounds writes, out-of-bounds reads and, in one case, free() on an invalid address. All of the issues were reproduced on macOS Ventura 13.6 running on a 2018 Mac mini (Intel based).

tags | exploit
advisories | CVE-2023-42926
SHA-256 | ed851479d112d861e65e1f2c3cbdcfb9751f8aafbae00aece5139de5128c88b0
iOS / macOS libIPTelephony.dylib Use-After-Free
Posted Jun 19, 2023
Authored by Ivan Fratric, Google Security Research

There is a use-after-free vulnerability in libIPTelephony.dylib inside the SIP message decoder (SipMessageDecoder::decode() function). The vulnerable library is present on both iOS and macOS and was confirmed on macOS Ventura 13.2.1.

tags | exploit
systems | ios
advisories | CVE-2023-32412
SHA-256 | 6d3cab99ce231d2cf5def080ffac1a0b2fd80f0e9852f330e033cb0e5ceb0b2d
Shannon Baseband SIP Retry-After Header Heap Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a heap buffer overflow in Shannon Baseband when processing the Retry-After header in the SIP protocol decoder (IMSPL_SipRetryAfter.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29087
SHA-256 | dd3027619afa3f34e33a8c7c8fa273a3caead4344694e68e00f0bf7658948980
Shannon Baseband SIP Min-SE Header Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the Min-SE header in the SIP protocol decoder (IMSPL_SipMinSE.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29086
SHA-256 | e0cd48f57c8b65b8d3f033aad592c288cb156a5fc17e43743d268337dab80c20
Shannon Baseband Negative-Size Memcpy / Out-Of-Bounds Read
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a negative-size memcpy (heap overflow) when decoding the body of SIP multipart messages. According to debug strings in the modem image, this functionality is implemented in IMSPL_SipFragDecode.

tags | exploit, overflow
advisories | CVE-2023-29089
SHA-256 | 008713e1403417d96115cab8cea235d3b9c02eefab2c7765ee120627abe0c5b3
Shannon Baseband SIP Session-Expires Header Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the Session-Expires header in the SIP protocol decoder (IMSPL_SipDecode.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29088
SHA-256 | e11bd9abdf4b3c1c338a567873ee29ab281b3106b929fa8c9cb91119afcbc1f7
Shannon Baseband SIP Status Line Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the status line of a SIP message (this happens in IMSPL_SipStatusLine.c according to the debug strings in the firmware image).

tags | exploit, overflow
advisories | CVE-2023-29085
SHA-256 | 775cec97675cbb8c305fcd017b6eeee470cd0ac86f5bca8f85e29ef9c9c3e283
Shannon Baseband Via Header Decoder Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the Via header in the SIP protocol decoder (IMSPL_SipDecode.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29090
SHA-256 | 0afa5f6ef5d703a73b0521ecca5d80bc302663f045296001e5c9f592b245d7f9
Shannon Baseband SIP URI Decoder Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband in the SIP URI decoder. According to the debug strings present in the firmware image, this decoder corresponds to IMSPL_SipUri.c.

tags | exploit, overflow
advisories | CVE-2023-29091
SHA-256 | cef6065d95093542cb22a1a75544960827efff742ba806ef8e0db27ff1a75588
Shannon Baseband Integer Overflow
Posted May 5, 2023
Authored by Ivan Fratric, Google Security Research

There is an integer overflow in Shannon Baseband leading to a heap buffer overflow when reassembling IPv4 fragments. According to the debug strings, this corresponding functionality is implemented in SmdtIp4Rx::ProcessFragments function and its callees.

tags | exploit, overflow
advisories | CVE-2023-28613
SHA-256 | 85296d153a53a5ed603bc0ad519a9d3336041170d6909013ceb81a85f4d1624b
Shannon Baseband NrSmPcoCodec Intra-Object Overflow
Posted Mar 20, 2023
Authored by Ivan Fratric, Google Security Research

There is an intra-object overflow in Shannon Baseband, inside the 5G SM protocol implementation (NrSmMsgCodec as it is called in Shannon according to debug strings), when decoding the Extended protocol configuration options message (IEI = 0x7B).

tags | exploit, overflow, protocol
advisories | CVE-2023-26076
SHA-256 | fbcb90e472d2e3ece0a5999daefccbac91cb16b93b5bdde7163bb7f5b46c8021
Shannon Baseband NrmmMsgCodec Intra-Object Overflow
Posted Mar 17, 2023
Authored by Ivan Fratric, Google Security Research

There is an intra-object overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Service Area List message (IEI = 0x27).

tags | exploit, overflow, protocol
advisories | CVE-2023-26075
SHA-256 | ca27ff3f40a5cef1422ff326c82c6ac37d4d2a24ac33342144bc8a5c84aa2848
Shannon Baseband NrmmMsgCodec Access Category Definitions Heap Buffer Overflow
Posted Mar 17, 2023
Authored by Ivan Fratric, Google Security Research

There is a heap buffer overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Operator-defined access category definitions message (IEI = 0x76).

tags | exploit, overflow, protocol
advisories | CVE-2023-26074
SHA-256 | 0d9b32ed9b931576486f7e7630f9b8e393f008ff2bccc77a8e30f84a45f1e0f0
Shannon Baseband NrmmMsgCodec Extended Emergency Number List Heap Buffer Overflow
Posted Mar 17, 2023
Authored by Ivan Fratric, Google Security Research

There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Extended emergency number list" message (IEI = 0x7A).

tags | exploit, overflow, protocol
advisories | CVE-2023-26073
SHA-256 | ba04bb179ad4db118c637bfe6c329d2d3ebef7e310034bd5a8af11fa0123adc3
Shannon Baseband NrmmMsgCodec Emergency Number List Heap Buffer Overflow
Posted Mar 17, 2023
Authored by Ivan Fratric, Google Security Research

There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Emergency number list" message (IEI = 0x34).

tags | exploit, overflow, protocol
advisories | CVE-2023-26072
SHA-256 | ff7c534a4bbc11dc3cd3ac7fb2571e8b2fc9cddf789fa05fff2fc30be17f2aca
libCoreEntitlements CEContextQuery Arbitrary Entitlement Returns
Posted Jan 13, 2023
Authored by Ivan Fratric, Google Security Research

On newer macOS/iOS versions, entitlements in binary signature blobs are stored in the DER format. libCoreEntitlements.dylib is the userspace library for parsing and querying such entitlements. The kernel has its own version of this library inside the AppleMobileFileIntegrity module. libCoreEntitlements exposes several functions, such as, for example, to convert entitlements to a dictionary representation (e.g. CEQueryContextToCFDictionary) or to query a specific entitlement (CEContextQuery). Unfortunately, different functions traverse the DER structure in a subtly different way, which allows one API to see one set of entitlements and another API to see a different set of entitlements.

tags | exploit, kernel
systems | apple, ios
advisories | CVE-2022-42855
SHA-256 | 9313c983a56ba7500d8b9861b16b1c103ae3a9454de12a836126f89cec59a1b8
Cisco Jabber XMPP Stanza Smuggling
Posted Oct 20, 2022
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in Cisco Jabber that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Cisco Jabber client, including XMPP stanzas that are normally sent only by the trusted server.

tags | exploit, arbitrary
systems | cisco
advisories | CVE-2022-20917
SHA-256 | ed2115ba91caeae4b0245ae0141359b56fa7d27077ea7a8cb6d34c1aa2ad914c
macOS RawCamera Out-Of-Bounds Write
Posted Aug 22, 2022
Authored by Ivan Fratric, Google Security Research

There is an out-of-bounds write vulnerability when decoding a certain flavor of RAW image files on macOS. The vulnerability has been confirmed on macOS 12.3.1. Although the advisory notes an attached poc, Google did not have one attached.

tags | advisory
advisories | CVE-2022-32802
SHA-256 | b0cdd2ef0c901dd72ddd0b3fa6f8cc6fcb53635705915e5ec0c9100853c07cb3
Kik Messenger XMPP Stanza Smuggling
Posted Jun 10, 2022
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in Kik Messenger for Android that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Kik client, including XMPP stanzas that are normally sent only by the Kik server. Included is a proof of concept that demonstrates sending of the stc stanza which triggers a captcha dialog and opens an arbitrary attacker-control webpage on the victim client. However, the full impact is likely larger than this, and includes any application features accessible over XMPP.

tags | exploit, arbitrary, proof of concept
SHA-256 | 3f66b31a34e395df392668d6453b6eee4bbfd623765c95d99108116f95c8a143
Tigase XMPP Server Stanza Smuggling
Posted May 26, 2022
Authored by Ivan Fratric, Google Security Research

Tigase XMPP server suffers from a security vulnerability due to not escaping double quote character when serializing parsed XML. This can be used to smuggle (or, if you prefer, inject) an arbitrary attacker-controlled stanza in the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).

tags | exploit, arbitrary
SHA-256 | 80c339179764f04e39876070e482957638cbcf822ccdb04b5cc72ea035585e1e
Zoom XMPP Stanza Smuggling Remote Code Execution
Posted May 24, 2022
Authored by Ivan Fratric, Google Security Research

This report describes a vulnerability chain that enables a malicious user to compromise another user over Zoom chat. User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol. Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom's client and server in order to be able to "smuggle" arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack. Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is utilized to bypass signature check on the update installer. This attack has been demonstrated against the latest (5.9.3) client running on Windows 64-bit, however some or all parts of the chain are likely applicable to other platforms.

tags | exploit, arbitrary, code execution, protocol
systems | windows
advisories | CVE-2022-22787, CVE-2022-25236
SHA-256 | c5835f3651ef4f351fdd27038787c6bd633712398f3562132cf3224e2a0a5e16
Internet Explorer JIT Optimization Memory Corruption
Posted Sep 10, 2021
Authored by Ivan Fratric, Google Security Research

Internet Explorer suffers from an issue where incorrect JIT optimization in jscript9.dll leads to memory corruption.

tags | exploit
advisories | CVE-2021-34480
SHA-256 | cb83b562636ea76e2bb8cf3458b612c7c7976ae831087491f462b16ec9a8758e
JavaScriptCore Crash Proof Of Concept
Posted Aug 19, 2021
Authored by Ivan Fratric, Google Security Research

JavaScriptCore suffers from a crash condition due to an uninitialized register in slow_path_profile_catch. Proof of concept that affects Safari is included.

tags | exploit, proof of concept
advisories | CVE-2021-30797
SHA-256 | 8dd2cde7c2edb66fc6061ca48debe795fc639981944e4354c301b47af6a7c4b1
Internet Explorer jscript9.dll Memory Corruption
Posted Jun 9, 2021
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in jscript9 that could potentially be exploited to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2020-1380, CVE-2021-31959
SHA-256 | 606c70d052dc8c1d7e1341312dd04cc58864a77781e24662e763b3034ce543ce
Page 1 of 6
Back12345Next

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close