Just a somewhat common and vulnerable use a cryptography.The `signature` of a firmware was not truly a signature but a hash of the content + a secret key, as the binary code that verifies the firmware is present on the device the "secret" key used is not kept secret and one could create their own firmware that would pass the signature check but contain arbitrary content...
An object type confusion was discovered in the Microsoft Kernel Streaming Server (`mskssrv.sys`), which is used for virtualizing camera devices and allowing multiple applications to access camera streams.The driver uses two main object types for allowing userspace to acquire a context and send/receive data, a `context` and a `stream`...
Log injections are a class of bug that is often overlooked, both because it is difficult to spot during a black box engagement, and because the impact is difficult to determine.IN this case though the impact was easier to spot because the program processing the output logs was part of the same application...
A rather complex-bug to trigger that was found being exploited in the wild against libwebp's VP8L compression and was reachable through an iMessage.
A bit of an unexpected fault in GCC's `-fstack-protector` implementation that meant that the saved return address wasn't actually protected by the stack-protector on AArch64 in some cases.
A pretty classic string escaping bug in GhostScript, one common and buggy edge case when escaping characters in a buffer is to not properly account for escapes that happen at the very limit of the destination buffer.As was the case here, despite checking that the limit of the buffer was not reached on every iteration, when a character was found that should be escaped, it would write to the destination buffer write, first with the escape character (`0x01`) and then again with an XOR'd version of the character to be escaped...
A post-auth remote information disclosure in the SecurePoint UTM firewall.The bug in this case is the fact that a session ID can be sent in a response before the session is fully initialized and used...
A fun bug, likely stemming from misunderstanding the return value from an `snprintf` call. Unfortunately (for us, good for security) only seems to be useful for a denial of service attack.
I thought this was an excellent post when it came to explaining the exploitation strategy, and has it dealt with encrypted pointers the exploitation was pretty cool to see documented. However I did have some problems following on the actual vulnerability details.
A high performance, but apparently low security library for some industrial software, root cause is the use of a signed comparison of a value that is then used as an unsigned size value in a memcpy. End result being a much too large copy, overflowing the destination buffer.