what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 23 of 23 RSS Feed

Files from Roee Hay

Email addressprivate
First Active2008-10-09
Last Active2017-09-04
View User Profile
Motorola Bootloader Kernel Cmdline Injection / Bypass
Posted Sep 4, 2017
Authored by Roee Hay

Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection. Additionally it suffers from a bypass vulnerability.

tags | exploit, kernel, bypass
advisories | CVE-2016-10277
SHA-256 | f8f8777805bf6e98e486f708a506572461b27529339eefe20434106273e475dc
Google Nexus 9 SensorHub Firmware Downgrade
Posted May 9, 2017
Authored by Roee Hay

Google Nexus 9 SensorHub firmware suffers from a downgrade vulnerability.

tags | advisory
advisories | CVE-2017-0582
SHA-256 | 2e333ae95fe2406ff357ae559841fa415ab16be941f0e11c2c726abab2919d30
Google Nexus 9 Build N4F27B Cypress SAR Firmware Injection
Posted May 5, 2017
Authored by Roee Hay | Site alephsecurity.com

Nexus 9 Android Builds before N4F27B contains a firmware injection vulnerability via I2C bus through a SAR sensor driver flashing flaw. This vulnerability requires access to the I2C bus, which is available via the USB fastboot interface and HBOOT interface, which is exposed via the headphone jack.

tags | advisory
advisories | CVE-2017-0563
SHA-256 | 09cb9ce7a0b1f5b948804b87b863cd8f524662124754065615cd2d56ab103125
Attacking Nexus 9 With Malicious Headphones
Posted Mar 13, 2017
Authored by Roee Hay, Sagi Kedmi

Nexus 9 running Android version 7.1.1 build N4F26Q and below allows unauthorized access to the FIQ debugger via its headphones jack, which allows for information theft, weakening of ASLR, leaking of stack canaries, and more.

tags | advisory
advisories | CVE-2017-0510
SHA-256 | d9c74cae1b9537b3016fd597e2a6df39187b9c1c8e8133af3e28c32dcef00b7e
Android 6.0.0 MDA89E / 6.0.1 MMB29V OEM Panic
Posted Sep 5, 2016
Authored by Roee Hay

Android versions 6.0.0 MDA89E through 6.0.1 MMB29V suffers from a fastboot oem panic that causes the bootloader to expose a serial-over-USB connection, which would allow an attacker to obtain a full memory dump of the device using tools such as QPST Configuration.

tags | exploit
SHA-256 | 1cad3a5d68ceaa11e08febbaecc70daa9705af6a701e1fe02a66f3fe18978e34
Apache Cordova Android 3.6.4 BridgeSecret Weak Randomization
Posted Nov 21, 2015
Authored by Roee Hay, David Kaplan

Apache Cordova Android versions 3.6.4 and below use a bridge that allows the Native Application to communicate with the HTML and Javascript that control the user interface. To protect this bridge on Android, the framework uses a BridgeSecret to protect it from third-party hijacking. However, the BridgeSecret is not sufficiently random and can be determined in certain scenarios.

tags | advisory, javascript
advisories | CVE-2015-5257
SHA-256 | c28802b86c45a140f404d504fd86bad54b63bcda4837aba120ab9c1831ac675a
Dropbox SDK For Android Remote Exploitation
Posted Mar 11, 2015
Authored by Roee Hay, Or Peles

A vulnerability in the Dropbox SDK for Android may enable theft of sensitive information from apps that use the vulnerable Dropbox SDK both locally by malware and also remotely by using drive-by exploitation techniques.

tags | exploit, paper
advisories | CVE-2014-8889
SHA-256 | a7cb57797a2240ddf7249a1c2eaae396a47c7ed63e6fdc3c40f4ef850798d906
SpoofedMe - Intruding Accounts Using Social Login Providers
Posted Dec 4, 2014
Authored by Roee Hay, Or Peles

In this paper, they authors present an implementation vulnerability found in some popular social login identity providers (including LinkedIn, Amazon and Mydigipass.com) and show how this vulnerability allowed them to impersonate users of third-party websites.

tags | paper
SHA-256 | acd7f10d948ec0bd229808e6ce9cbdcb95ea98fae082067f187f1c0429619fbd
Apache Cordova 3.5.0 Data Leak
Posted Aug 12, 2014
Authored by Roee Hay, David Kaplan

Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker who can manipulate the HTML content of a Cordova application can create links which open other applications and send arbitrary data to those applications. An attacker who can run arbitrary JavaScript code within the context of the Cordova application can also set the document location to such a URL. By using this in concert with a second, vulnerable application, an attacker might be able to use this method to send data from the Cordova application to the network. This release is an update to a prior advisory.

tags | advisory, arbitrary, javascript
advisories | CVE-2014-3502
SHA-256 | 4e0dda886cea833a687c664d12a4435708cfcce65b89f11c91f68124746cc7f1
Apache Cordova Bypass / Information Disclosure / Insertion
Posted Aug 5, 2014
Authored by Roee Hay, David Kaplan

Apache Cordova versions up to 3.5.0 suffer from information disclosure, whitelist bypass, and cross application issues.

tags | advisory, bypass, info disclosure
advisories | CVE-2014-3500, CVE-2014-3501, CVE-2014-3502
SHA-256 | b40574101ee277ded07c47ea5ed1519dd4879415cb724ee5af90126d1af3c686
Android KeyStore Stack Buffer Overflow
Posted Jun 23, 2014
Authored by Roee Hay, Avi Dayan

This whitepaper discusses a stack-based buffer overflow vulnerability in the Android KeyStore service which affects Android 4.3 and below.

tags | exploit, overflow
advisories | CVE-2014-3100
SHA-256 | f7115facb01ba5509340d2f23ccfd38240c5a8ae2b85f19bd810f467d71ca0f8
Firefox For Android Information Leak
Posted Mar 26, 2014
Authored by Roee Hay

A series of vulnerabilities have been discovered in Firefox for Android that allows a malicious application to successfully derandomize the Firefox profile directory name in a practical amount of time and then leak sensitive data (such as cookies and cached information) which reside in that directory, breaking Android's sandbox.

tags | advisory, vulnerability
advisories | CVE-2014-1484, CVE-2014-1506, CVE-2014-1515, CVE-2014-1516
SHA-256 | 688b048fb5365a45f0a237ef602cef2bde7a27679794b9c23fb305a9ed177a61
Android Collapses Into Fragments
Posted Dec 11, 2013
Authored by Roee Hay

This paper presents a newly discovered vulnerability in the Android Framework which breaks its sandbox environment. This vulnerability affects many Android applications including ones which are bundled with every Android device. The vulnerability has been patched in Android KitKat.

tags | advisory, paper
SHA-256 | 8f72a7311a831bdaa7811567902e82d2dd42a9aadddb39fc579d481b96535d75
Subverting BIND's SRTT Algorithm: Derandomizing NS Selection
Posted Aug 14, 2013
Authored by Roee Hay, Jonathan Kalechstein, Gabi Nakibly

BIND is exposed to a new vulnerability which can be exploited remotely in order to derandomize the name server selection algorithm. Exploitation of this vulnerability can be used in conjunction with other off-path DNS cache poisoning exploits in order to make them more efficient. ISC has acknowledged the vulnerability and plans to address this deficiency by re-implementing the SRTT algorithm in future maintenance releases of the BIND 9 code. This whitepaper goes into great detail regarding this issue.

tags | advisory
SHA-256 | 84356c82ef3047b3388b1711d4f92e2ade893d39556c93520d7e0953f3faf27f
Android 4.0.4 DNS Poisoning
Posted Jul 24, 2012
Authored by Roee Hay

Android versions 4.0.4 and below suffer from a DNS poisoning vulnerability.

tags | advisory
advisories | CVE-2012-2808
SHA-256 | fd3f3144ec6c56c88de3c9a3bdf13990e20e919c7d341537d7185155ece92b22
Android 2.3.7 SQLite Disclosure
Posted May 3, 2012
Authored by Roee Hay

SQLite databases stored on Android suffer from an insecure permission vulnerability. Version 2.3.7 is affected.

tags | advisory, info disclosure
SHA-256 | 84d02b3ee9f88069270f1d55a7a0419db6f4ee552b8001ed7d46641a2a66e816
DNS Poisoning Via Port Exhaustion
Posted Oct 19, 2011
Authored by Yair Amit, Roee Hay

Whitepaper called DNS Poisoning Via Port Exhaustion. It covers everything from how DNS poisoning works to various methods of performing attacks. It discloses two vulnerabilities. One is in Java which enables remote DNS poisoning using Java applets. The other is in multiuser Windows environments that allows for a local DNS cache poisoning of arbitrary domains.

tags | advisory, paper, java, remote, arbitrary, local, vulnerability
systems | windows
advisories | CVE-2011-3552, CVE-2010-4448
SHA-256 | 59aae9b502f6267802e5e03c5acbbc8cc5b2055211508a758f0223c1089883be
Dolphin Browser HD Cross Application Scripting
Posted Sep 21, 2011
Authored by Yair Amit, Roee Hay

Dolphin Browser HD versions prior to 6.1.0 suffer from a cross applications scripting vulnerability.

tags | exploit
advisories | CVE-2011-2357
SHA-256 | fec0542347d11dcaba40a36e576a9a2728f140dc57e324d0e46a4289ce1ef603
Opera Mobile 11.1 Cross Application Scripting
Posted Sep 21, 2011
Authored by Roee Hay

Opera Mobile version 11.1 suffers from a cross application scripting vulnerability.

tags | exploit, bypass
SHA-256 | 8c0764be4a5484299a931f64c47e78d1ff2967b7b3f25d3b026a0791a079f276
Android Browser Cross Application Scripting
Posted Aug 2, 2011
Authored by Yair Amit, Roee Hay

A 3rd party application may exploit Android's Browser URL loading process in order to inject JavaScript code into an arbitrary domain thus break Android's sandboxing. Versions 2.3.4 and 3.1 have been found vulnerable.

tags | exploit, arbitrary, javascript
advisories | CVE-2011-2357
SHA-256 | e69e53a920a455ea417e80477c2fab5c49deede7cf7c53b2cbeaf6c9493d8670
Babylon Cross-Application Scripting Code Execution
Posted Nov 11, 2010
Authored by Yair Amit, Roee Hay

The Babylon online dictionary and translation software fails to sanitize user input before rendering it on the Trident control, effectively leading to a cross-application scripting vulnerability. The Trident control runs in Local Machine Zone (LMZ) which is not Locked down and due to this the vulnerability can allow for code execution.

tags | advisory, local, code execution
SHA-256 | 521bd04a9d93d3243cb54ea1da35796ea3e0170a38c45bee3986db191b659c09
AVM2 abcFile Parser Code Integer Overflow
Posted Aug 5, 2009
Authored by Roee Hay

Adobe Flash Player has an integer overflow that exists in the AVM2 abcFile parser code which handles the intrf_count value of the instance_info structure.

tags | advisory, overflow
advisories | CVE-2009-1869
SHA-256 | aea6ae7ce5a8ae2ed2d979b62a2ec1ef65d2d9cc8ba7c1d8089d924a1c480ee5
graphviz-overflow.txt
Posted Oct 9, 2008
Authored by Roee Hay

A vulnerability exists in Graphviz's parsing engine which makes it possible to overflow a globally allocated array and corrupt memory by doing so. Version 2.20.2 is affected.

tags | advisory, overflow
SHA-256 | 74aec18b63e6c203563c8dffc4f13d382b97e59657719590779916c19ea1a725
Page 1 of 1
Back1Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close