what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 193 RSS Feed

Files from natashenka

Email addressnatashenka at google.com
First Active2015-08-19
Last Active2024-04-03
Google Pixel MFC H264 Processing Memory Corruption
Posted Apr 3, 2024
Authored by Google Security Research, natashenka

There is a memory corruption issue in the MFC media processing core on the Pixel 7. It occurs when decoding a malformed H264 stream in Chrome, likely to due to an out of bounds quantization parameter. A write to plane 0 that occurs during macroblock decoding extends past the allocated bounds of the plane, and can overwrite the motion vector (MV) buffer or cause a crash if the adjacent address is unmapped. Both of these allocations are DMA buffers and it is unclear whether this condition is exploitable.

tags | exploit
advisories | CVE-2024-27228
SHA-256 | 03533e71b8963179a0ae3ad68550b9e5e705a79dd75292d232b287f1c47b89f6
Shannon Baseband fmtp SDP Attribute Memory Corruption
Posted May 4, 2023
Authored by Google Security Research, natashenka

Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. When an fmtp attribute is parsed, the integer that represents the payload type is copied into an 8-byte buffer using memcpy with the length of payload type as the length parameter. There are no checks that the payload type is less than 8-bytes long or actually an integer.

tags | exploit
advisories | CVE-2022-26496
SHA-256 | 51aa5a7a2ca1d9308cad99d6da19581180aa08b8653f1c44406c7c5c7dc253b9
Shannon Baseband acfg / pcfg SDP Attribute Memory Corruption
Posted May 4, 2023
Authored by Google Security Research, natashenka

Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports attributes acfg and pcfg that allow configuration information to be specified as integers. The baseband software allocates a fixed-size buffer for this information, but does not check that the number of integers specified by the SDP is within this bound. This can lead to memory corruption when processing an acfg or pcfg attribute that contains more than 14 format types.

tags | exploit
advisories | CVE-2022-26497
SHA-256 | f7237e53d6febca38b353f2be59e9064bb4853fb37c38f9779aa9f273abc1ff6
Shannon Baseband chatroom SDP Attribute Memory Corruption
Posted May 4, 2023
Authored by Google Security Research, natashenka

Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports an attribute chatroom that allows multiple chat properties to be specified. The baseband software allocates a fixed-size buffer for these types, but does not check that the number of properties specified by the SDP is within this bound. This can lead to memory corruption when processing a chatroom attribute that contains more than 12 format types.

tags | exploit
advisories | CVE-2022-26498
SHA-256 | 8cb6ebadee250d2e79ec5b2160d5e18c8dae53fae64e54aa90dddc180b42ce0d
Shannon Baseband accept-type SDP Attribute Memory Corruption
Posted May 4, 2023
Authored by Google Security Research, natashenka

Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports an attribute accept-type that allows multiple format types to be specified. The baseband software allocates a fixed-size buffer for these types, but does not check that the number of format types specified by the SDP is within this bound. This can lead to memory corruption when processing an accept-type attribute that contains more than 12 format types.

tags | exploit
advisories | CVE-2023-24033
SHA-256 | 3e5dd3b9a11c7e00afc44d10af02f39c84d18710dc6778f472e078fbfd7d018b
AppleAVD AppleAVDUserClient::decodeFrameFig Memory Corruption
Posted Nov 18, 2022
Authored by Google Security Research, natashenka

In the function AppleAVDUserClient::decodeFrameFig, a location in the decoder's IOSurface input buffer is calculated, and then bzero is called on it. The size of this IOSurface's allocation is controllable by the userspace caller, so the calculated pointer can go out of bounds, leading to memory corruption. This issue could potentially allow an unprivileged local application to escalate its privileges to the kernel.

tags | exploit, kernel, local
advisories | CVE-2022-32907
SHA-256 | a9f971c8dcec3381b92b6bafb61fc99c1b1da326eec460ede2682c51580f3f3e
AppleAVD deallocateKernelMemoryInternal Missing Surface Lock
Posted Nov 18, 2022
Authored by Google Security Research, natashenka

In AppleAVD.kext, pixel buffers are mapped by calling AppleAVDUserClient::_mapPixelBuffer, which eventually calls AppleAVD::allocateKernelMemoryInternal. If the buffer is an IOSurface, the function calls IOSurface::deviceLockSurface before allocating memory by calling prepare. But when a pixel buffer is unmapped by calling AppleAVDUserClient::_unmapPixelBuffer, which calls AppleAVD::deallocateKernelMemoryInternal, the IOSurface is not locked before calling complete. This means that mapping and unmapping can occur at the same time, leading to kernel memory corruption. This bug could allow escalation to kernel privileges from a local app.

tags | exploit, kernel, local
advisories | CVE-2022-32827
SHA-256 | fa06dd34c9fcfaf9f03c6a70c7fd7fc078ff6872d40e76e3295731e58256ce8a
AppleAVD AVC_RBSP::parseSliceHeader ref_pic_list_modification Overflow
Posted Aug 22, 2022
Authored by Google Security Research, natashenka

There is a buffer overflow in how AppleAVD.kext parses the ref_pic_list_modification component of H264 slice headers in AVC_RBSP::parseSliceHeader. When pic modification entries are copied into the pic modification list, the loop only terminates when the end code (3) is encountered, meaning that any number of entries can be copied into the fixed size modification buffer. This can corrupt the remainder of the decoder structure, as well as write outside of allocated memory.

tags | exploit, overflow
advisories | CVE-2022-32788
SHA-256 | f0e86dbff30f8c2f08674e561b12277b9f50b736d022814b1917489c1e9f1d2c
AppleVideoDecoder CreateHeaderBuffer Out-Of-Bounds Free
Posted May 12, 2022
Authored by Google Security Research, natashenka

AppleVideoDecoder suffers from an out-of-bounds free vulnerability. The attached video file contains a malformed HEVC Decoder Configuration Record that leads to an out-of-bounds free in CreateHeaderBuffer. When copying the VPS, PPS and SPS, the destination pointer is incremented, and if the copied data is larger than the length specified in the input file, it breaks and falls through to a condition that frees the destination pointer, even though it has been incremented. This could free the chunk allocated next to the destination memory.

tags | exploit
advisories | CVE-2022-22666
SHA-256 | a49f6411c8b8733ea1c031b562f4509169b737f83ae46d802b8cf4aed5bd1cb1
Zoom MMR Server Information Leak
Posted Jan 3, 2022
Authored by Google Security Research, natashenka

Zoom suffers from an information leak vulnerability in the MMR server.

tags | exploit
advisories | CVE-2021-34424
SHA-256 | ceaa806e1faea132492fe57be7bbd693988b712326fabb4aec96193d0e3374d0
Zoom Chat Message Processing Buffer Overflow
Posted Jan 3, 2022
Authored by Google Security Research, natashenka

Zoom suffers from a buffer overflow vulnerability related to the processing of chat message.

tags | exploit, overflow
advisories | CVE-2021-34423
SHA-256 | a6e816c46fce3985cc7b2b11b9e6f3edebe9b65dcbbbf65037027c3d32e954f0
QT TIFF Processing Heap Overflow
Posted Jun 4, 2021
Authored by Google Security Research, natashenka

There is a heap corruption bug that can occur when QT processes a malformed TIFF image. It happens because the size of the QImageData backing the image is calculated is calculated using the format of the image, meanwhile TIFFReadScanline calculates the length to be read based on TIFFScanlineSize, which determines the size base on three tags in the TIFF file, width, samples per pixel and bits per sample.

tags | exploit
SHA-256 | 765990ea3bd9f2c14232bcfa3535efba165c1990d1e7949df33a649783e33d0b
Gstreamer Matroska Demuxing Use-After-Free
Posted Jun 3, 2021
Authored by Google Security Research, natashenka

Gstreamer suffers from a use-after-free vulnerability in Matroska demuxing.

tags | exploit
advisories | CVE-2021-3498
SHA-256 | c5185c2d6107c05661116151a51a24e93e1142b438889272be0f92a6c3fe8e61
QT PNG ICC Processing Out-Of-Bounds Read
Posted May 27, 2021
Authored by Google Security Research, natashenka

The QImage class can read out-of-bounds when reading a specially-crafted PNG file, where a tag byte offset goes out of bounds. This could potentially allow an attacker to determine values in memory based on the QImage pixels, if QT is used to process untrusted images.

tags | exploit
SHA-256 | f89e3b09d6fb627d5b5269e3b5d3b0c770cd2aefc3bbd97c7b659ae459e07be2
QT TIFF Processing Out-Of-Bounds Read
Posted May 25, 2021
Authored by Google Security Research, natashenka

The QImageReader class can read out-of-bounds when converting a specially-crafted TIFF file into a QImage, where the TIFF tile length is inconsistent with the tile size. This could potentially allow an attacker to determine values in memory based of the QImage pixels, if QT is used to process untrusted images.

tags | exploit
SHA-256 | 766b77fab4c5903f5bd4ca7cb9d967ba5f26ec50db568fd2f7147cf8314ad4bc
Facebook Messenger For Android Forced Answer
Posted Dec 7, 2020
Authored by Google Security Research, natashenka

Facebook Messenger for Android has an issue where an SdpUpdate message can cause an audio call to connect before the callee has answered the call.

tags | exploit
SHA-256 | 04464f2fe392295e7708a1e61a2b9787bbae3f555ff1d70e748d2bc354c01184
Google Duo Race Condition
Posted Dec 7, 2020
Authored by Google Security Research, natashenka

A race condition in Google Duo can cause callee to leak video packets from an unanswered call.

tags | exploit
SHA-256 | 75c4a6bf7b5879fefad93fa040fba864edc81a79c13824706bd13a0117456a85
Mocha For Android Audio Interception
Posted Oct 19, 2020
Authored by Google Security Research, natashenka

Mocha for Android suffers from an issue where a call can cause the callee device to send audio without user interaction.

tags | exploit
SHA-256 | 078a2b1dbfd8b4b095b8a8f5aa7337b720212abfd0a23556c214315335c030be
JioChat For Android Audio Sniffing
Posted Oct 12, 2020
Authored by Google Security Research, natashenka

JioChat for Android has an issue where a caller can cause the callee device to send audio without user interaction.

tags | exploit
SHA-256 | edecbfc8b4a9983d43bc2e09c3718b3a564b9282a9cb1a917263dc101dee08da
usrsctp Stack Buffer Overflow
Posted Jul 20, 2020
Authored by Google Security Research, natashenka

There is a stack buffer overflow in usrsctp when a server processes a skipped auth block from an incoming connection. Proof of concept exploit included.

tags | exploit, overflow, proof of concept
advisories | CVE-2020-6831
SHA-256 | b4818f86982c067d7cd9afcbfcee314e412f968d7d9b859927f8e3573839fad7
WebRTC Layer Info Out-Of-Bounds Write
Posted Apr 23, 2020
Authored by Google Security Research, natashenka

WebRTC suffers from an out-of-bounds memory write in the method RtpFrameReferenceFinder::UpdateLayerInfoH264. This occurs when updating the layer info with the frame marking extension.

tags | exploit
SHA-256 | 06971daf4e8e1b40696e457b7e355f90460b37a0e0308f2559ba4a2fa0af726f
WebRTC FEC Extension Processing Out-Of-Bounds Write
Posted Apr 23, 2020
Authored by Google Security Research, natashenka

When WebRTC processes a packet using FEC, it does not adequately check bounds when zeroing the video timing extension.

tags | exploit
SHA-256 | 157cd64dc55515807088f940f00ae62c6d3ee089d4b0fc465f7fca79aaf47e9a
usersctp sctp_load_addresses_from_init Out-Of-Bounds Read
Posted Feb 7, 2020
Authored by Google Security Research, natashenka

usersctp is SCTP library used by a variety of software including WebRTC. There is a vulnerability in the sctp_load_addresses_from_init function of usersctp that can lead to a number of out-of-bound reads. The input to sctp_load_addresses_from_init is verified by calling sctp_arethere_unrecognized_parameters, however there is a difference in how these functions handle parameter bounds. The function sctp_arethere_unrecognized_parameters does not process a parameter that is partially outside of the limit of the chunk, meanwhile, sctp_load_addresses_from_init will continue processing until a parameter that is entirely outside of the chunk occurs. This means that the last parameter of a chunk is not always verified, which can lead to parameters with very short plen values being processed by sctp_load_addresses_from_init. This can lead to out-of-bounds reads whenever the plen is subtracted from the header len.

tags | exploit
SHA-256 | 97c80f0acd4440a67c9cef234fa02985f9feafd4eb0418feb0ed3a434ae21930
libx264 H264 Conversion Out-Of-Bounds Write
Posted Feb 7, 2020
Authored by Google Security Research, natashenka

libx264 suffers from an out-of-bounds write when converting to H264.

tags | exploit
SHA-256 | 111be6fbb98fc110e6e2b2c9221c300e8a2b5fde3c040bd6803fb5b1d6f39185
WeChat CAudioJBM::InputAudioFrameToJBM Memory Corruption
Posted Jan 10, 2020
Authored by Google Security Research, natashenka

There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.

tags | exploit
SHA-256 | a0b85c6f0d5c0b58add65cb309bf9193d2b63ceb17c68e1f5561d25888f0f991
Page 1 of 8
Back12345Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close