A pretty classic string escaping bug in GhostScript, one common and buggy edge case when escaping characters in a buffer is to not properly account for escapes that happen at the very limit of the destination buffer.As was the case here, despite checking that the limit of the buffer was not reached on every iteration, when a character was found that should be escaped, it would write to the destination buffer write, first with the escape character (`0x01`) and then again with an XOR'd version of the character to be escaped...
A post-auth remote information disclosure in the SecurePoint UTM firewall.The bug in this case is the fact that a session ID can be sent in a response before the session is fully initialized and used...
A fun bug, likely stemming from misunderstanding the return value from an `snprintf` call. Unfortunately (for us, good for security) only seems to be useful for a denial of service attack.
I thought this was an excellent post when it came to explaining the exploitation strategy, and has it dealt with encrypted pointers the exploitation was pretty cool to see documented. However I did have some problems following on the actual vulnerability details.
A high performance, but apparently low security library for some industrial software, root cause is the use of a signed comparison of a value that is then used as an unsigned size value in a memcpy. End result being a much too large copy, overflowing the destination buffer.
An exploit chain that targets Samsung's TEEgris OS running in the ARM TrustZone secure world.TEEgris consists of a secure kernel and trustlets that run on the userspace side, which Android in the non-secure world can communicate with via Secure Monitor Calls (SMCs)...
This was a fun authorization check bypass because when checking if higher privileges were needed the `flag` value was checked for equality with the two privileged actions.Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set...
Effectively, a double-fetch vulnerability in Intel SMM's SMI handler that could allow a local attacker to escelate into System manage Mode.It recieves a `CommBuffer` that contains a `Data` pointer and a size value...
Yet another case of bad syncronization or just performing operations in the wrong order.IIn this case `ene_remove` called when removing the device, will remove its internal allocations and everything before it actually unregisters the device...
A type-confusion happens in during the initialization of TUN/TAP sockets that leads to the UID being fixed to 0.The root cause of this bug is in the incorrect assumption made by `sock_init_data() `regarding the `struct socket` input...
World's worst fuzzer, leading to a traditional stack overflow in the kernel.Really not much to say about the vulnerability, `copy_from_user` with no bounds check into a fixed sized buffer on the stack...
A bug was found sort of accidentally in Adreno/KGSL GPU for Android devices.The post covers a lot of background, but what's important is that userspace can map shared memory from the CPU into the GPU, and use it to pass buffers such as command buffers...
A 19-year-old bug in XNUs Data Link Interface Layer or DLIL that lead to an out-of-bounds write on the heap.The root cause is that `ifnet_attach()` will get the next interface `index` as a 32-bit integer and downcast it to a `uint16_t` when saving the index...