site: www.zerodayinitiative.com
CVE-2022-23088: Exploiting A Heap Overflow In The FreeBSD Wi-Fi Stack
https://www.zerodayinitiative.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-overflow-in-the-freebsd-wi-fi-stack [www.zerodayinitiative.com]
2022-06-16 18:38
tags:
exploit
freebsd
programming
security
wifi
In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of FreeBSD Kernel. This bug was originally reported to the ZDI program by a researcher known as m00nbsd and patched in April 2022 as FreeBSD-SA-22:07.wifi_meshid. The researcher has graciously provided this detailed write-up of the vulnerability and a proof-of-concept exploit demonstrating the bug.
source: L
Floating-Poison Math in Chakra
https://www.zerodayinitiative.com/blog/2018/8/22/floating-poison-math-in-chakra [www.zerodayinitiative.com]
2018-09-03 01:34
tags:
exploit
javascript
jit
security
In some circumstances, Chakra can do better than to make an optimistic assumption. When Chakra can actually prove that a variable will be of the expected type, then it can omit the type check and bailout path. For example, consider a sequence of JavaScript statements all accessing the same array. Within the JIT compiled code, Chakra will need to insert a type check before the first array access. Once that check has passed, and execution proceeds past that point in the JIT code, there might not be any need to check the array again. If the Chakra JIT compiler can prove that none of the intervening operations could possibly alter the array’s type, then the compiler will not place array type checks in front of any of the remaining array accesses.
Unless you only think you’ve proved it and then the array changes unexpectedly...
“Is it ever possible that (a== 1 && a ==2 && a==3) could evaluate to true in JavaScript?”
https://www.zerodayinitiative.com/blog/2018/4/12/inverting-your-assumptions-a-guide-to-jit-comparisons [www.zerodayinitiative.com]
2018-05-03 16:54
tags:
exploit
javascript
jit
programming
security
One of the morbidly beautiful things about JavaScript is that it can give rise to unsafe patterns from otherwise perfectly cromulent C++ and similarly, one of the morbidly beautiful things about JIT is that it can give rise to unsafe patterns from otherwise perfectly safe JavaScript.
source: grugq
Apache Groovy Deserialization: A Cunning Exploit Chain to Bypass a Patch
https://www.zerodayinitiative.com/blog/2017/12/19/apache-groovy-deserialization-a-cunning-exploit-chain-to-bypass-a-patch [www.zerodayinitiative.com]
2017-12-22 03:02
tags:
bugfix
exploit
format
java
programming
security
In January 2017, the Zero Day Initiative (ZDI) published an advisory for Apache Groovy, ZDI-17-044/CVE-2016-6814. This vulnerability, reported to us in late 2016 by Sam Thomas of Pentest Limited, is a rather deft patch bypass for an earlier vulnerability that was also submitted via the ZDI program.
The technique the researcher used for this patch bypass highlights the treacherous nature of deserialization vulnerabilities.
source: grugq
The Results – Mobile Pwn2Own Day One
https://www.zerodayinitiative.com/blog/2017/11/1/the-results-mobile-pwn2own-day-one [www.zerodayinitiative.com]
2017-11-11 21:45
tags:
android
browser
exploit
iphone
security
wifi
The first day of Mobile Pwn2Own 2017 has come to a close, and we’ve awarded a total of $350,000 and 55 Master of Pwn points. Today saw five successful attempts and two failed attempts as the ZDI program acquired 11 bugs for the Samsung Galaxy S8, Apple iPhone 7, and the Huawei Mate9 Pro.
And day two: https://www.zerodayinitiative.com/blog/2017/11/2/the-results-mobile-pwn2own-2017-day-two
The second day of our largest Mobile Pwn2Own ever closed out the contest with another six attempts, bringing the total entries to a lucky 13. Today saw additional browser attacks, a bug collision, and another baseband attack.
Check it Out: Enforcement of Bounds Checks in Native JIT Code
https://www.zerodayinitiative.com/blog/2017/10/5/check-it-out-enforcement-of-bounds-checks-in-native-jit-code [www.zerodayinitiative.com]
2017-11-11 21:43
tags:
browser
compiler
exploit
javascript
jit
perf
security
In this post, I will present details of a prime example of a vulnerability within the execution engine of Chakra, the JavaScript engine present in Microsoft Edge. This will be a deep dive, so grab a beverage!
They gained remote code execution through a bug in Chakra, CVE-2017-0234. The proof-of-concept trigger for this bug is a tiny and innocent-looking snippet of JavaScript: