Vulnerabilities tagged "background"

Rather subtle bug in the ASN.1 parsing state machine that comes down to one area of code being unaware of an edge case in another.

Follow-up to the December post which covered an int overflow in the CoreGraphics PDF parser for the JBIG2 image format, which implemented a weird machine / mini architecture to execute code. This post covers the sandbox escape that was chained with it, which unlike the first bug, is a logic issue rather than a memory corruption.

The vulnerability here is a fairly straightforward overflow in the esp6 crypto module.When receiving messages, an 8-page buffer is allocated for the incoming data, but it's possible for messages to be sent that exceed 8 pages in size...

We have [previously](https://dayzerosec.com/vulns/2022/03/02/linux-kernel-heap-out-of-bounds-write-in-nfdupnetdevc-since-54.html) covered this bug, its an out-of-bounds access due to a broken assumption in every `dup` command having an associated immediate. When that assumption is broken by manually crafting netfilter rules `nft_fwd_dup_netdev_offload` function will perform an out of bounds access as it increments too far.

We have [previously discussed](https://dayzerosec.com/vulns/2021/09/29/iouring-vulnerability-resulting-in-freeing-wrong-kernel-buffer.html) this vulnerability, which provides a primitive to free adjacent memory.

**Escaping to the Node Virtual Machine**

Three vulnerabilities found in MediaTek's audio Digital Signal Processor (DSP) firmware.They first go into some background on the DSP (which runs on a custom architecture and is interfaced with via the `/dev/audio_ipi` driver)...

Exploitation of the TIPC heap overflow bug based on a keylength being used in a `memcpy()` call before it was validated.Two objects are used in combination with the overflow to achieve code execution...

Heap based overflow in the Windows Kernel (ntfs.sys). This was originally found in the wild by Kaspersky, though Alex Plaskett here digs much more into the vulnerability and exploitation, and takes it in bit of a new direction removing the need for a separate info-leak.

Three vulnerabilities in Qualcomm's Neural Processing Unit (NPU) driver. Specifically the article focuses on Samsung devices, as, for whatever reason, the NPU device is accessible to untrusted users where it isn't on most other devices.