Vulnerabilities

Uniview PreAuth RCE

The initial vulnerability here is an unbounded sscanf into a stack variable. In terms of discovery, just checking sscanf format strings for unbounded string reads (a %s or %[ conversion with no field width) will find plenty of bugs out there in the world…
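As an added example (not Uniview's code, and not code from the original write-up): a hypothetical request handler written to show the bug class, its hardened counterpart, and the discovery heuristic above turned into a small check over format strings. The "GET <name> <version>" line format, NAME_LEN and the function names are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32   /* stack buffer size used by both handlers below (assumed) */

/* Hypothetical handler that mirrors the bug class.  The line looks like
 * "GET <name> <version>".  "%s" has no field width, so sscanf keeps writing
 * past name[] for any token of 32+ bytes and smashes whatever sits above it
 * on the stack.  Never call this with untrusted input; it is the "before". */
int handle_request_vulnerable(const char *line) {
    char name[NAME_LEN];
    int version = 0;
    if (sscanf(line, "GET %s %d", name, &version) != 2)
        return -1;
    return version;
}

/* Hardened handler.  Width 31 leaves room for the NUL, and %n records how far
 * the scan got so an over-long (silently truncated) name is rejected.
 * Returns the version, -1 on parse error, -2 on an over-long name. */
int handle_request_fixed(const char *line) {
    char name[NAME_LEN];
    int version = 0, consumed = 0;
    if (sscanf(line, "GET %31s%n", name, &consumed) != 1)
        return -1;
    /* if the token did not end here, the name was longer than 31 bytes */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -2;
    if (sscanf(line + consumed, "%d", &version) != 1)
        return -1;
    return version;
}

/* Discovery heuristic from the text: does a scanf-family format string contain
 * a string conversion (%s or %[...]) with no field width?  Applied to literals
 * here; in practice you run it over the strings pulled out of a firmware. */
bool format_has_unbounded_string(const char *fmt) {
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* "%%" is a literal percent sign */
            continue;
        bool suppressed = (*p == '*');      /* "%*s" is scanned but never stored */
        if (suppressed)
            p++;
        bool has_width = false;
        while (isdigit((unsigned char)*p)) {
            has_width = true;
            p++;
        }
        while (*p && strchr("hlLjzt", *p))  /* length modifiers */
            p++;
        if (!*p)
            break;
        if (!suppressed && !has_width && (*p == 's' || *p == '['))
            return true;
        if (*p == '[') {                    /* skip the scanset so ']' is not re-read */
            p++;
            if (*p == '^') p++;
            if (*p == ']') p++;             /* a leading ']' is part of the set */
            while (*p && *p != ']') p++;
            if (!*p) break;
        }
    }
    return false;
}

int main(void) {
    printf("fixed, ok:       %d\n", handle_request_fixed("GET index.html 7"));
    printf("fixed, too long: %d\n", handle_request_fixed(
        "GET " "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" " 1"));
    printf("unbounded fmt:   %d\n", format_has_unbounded_string("GET %s %d"));
    printf("bounded fmt:     %d\n", format_has_unbounded_string("GET %31s %d"));
    return 0;
}
```

The width specifier alone only turns the overflow into silent truncation; the %n check is what makes the hardened handler fail closed on the over-long input the vulnerable one would have used to smash the stack.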


Exploiting URL Parsing Confusion Vulnerabilities

Different URL parsers may treat mistakes in the URL differently, leading to behaviour differences that an attacker can use. This research paper focused on five potential areas where parsers disagreed on how to understand the URL.
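An added illustration, not part of the original research or its paper: two deliberately minimal host extractors that differ in a single rule, whether a backslash ends the authority (backslash handling is one of the discrepancies the research covers), and a check that reports the URL on which they disagree. The two parsers, the hostnames and parsers_agree are constructed for this example and stand in for no real library.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 256

/* Copy the host out of an authority of length n: the part after the last '@'
 * (userinfo) and before a ':' (port).  Bracketed IPv6 hosts are not handled;
 * this is deliberately a toy. */
static void host_from_authority(const char *auth, size_t n, char *out) {
    const char *start = auth;
    for (size_t i = 0; i < n; i++)
        if (auth[i] == '@')
            start = auth + i + 1;
    size_t len = (size_t)(auth + n - start);
    for (size_t i = 0; i < len; i++)
        if (start[i] == ':') { len = i; break; }
    if (len >= HOST_MAX) len = HOST_MAX - 1;
    memcpy(out, start, len);
    out[len] = '\0';
}

/* Parser A, RFC 3986 style: the authority runs until the first '/', '?' or
 * '#'.  Returns a static buffer (one per parser, for brevity) or NULL when
 * there is no "://". */
const char *host_rfc3986(const char *url) {
    static char host[HOST_MAX];
    const char *p = strstr(url, "://");
    if (!p) return NULL;
    p += 3;
    host_from_authority(p, strcspn(p, "/?#"), host);
    return host;
}

/* Parser B, WHATWG style for special schemes such as http: a backslash is
 * treated like a slash, so it also ends the authority. */
const char *host_whatwg(const char *url) {
    static char host[HOST_MAX];
    const char *p = strstr(url, "://");
    if (!p) return NULL;
    p += 3;
    host_from_authority(p, strcspn(p, "/\\?#"), host);
    return host;
}

/* True when both parsers agree on the host.  An allowlist check done with
 * parser A while the request is sent through parser B is only meaningful for
 * URLs where this returns true. */
bool parsers_agree(const char *url) {
    const char *a = host_rfc3986(url);
    const char *b = host_whatwg(url);
    return a && b && strcmp(a, b) == 0;
}

int main(void) {
    /* constructed inputs */
    const char *urls[] = {
        "http://good.example/path",
        "http://evil.example\\@good.example/path",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-42s rfc3986=%-13s whatwg=%-13s agree=%d\n", urls[i],
               host_rfc3986(urls[i]), host_whatwg(urls[i]), parsers_agree(urls[i]));
    return 0;
}
```

For the second URL parser A sees the backslash as an ordinary authority character and returns good.example (the text after the last '@'), while parser B ends the authority at the backslash and returns evil.example; a validator built on A would approve a request that a client built on B sends to the attacker's host.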


Insufficent Locking in XNU leading to Use-After-Free

This is one of those issues that is an obvious code smell once you’re aware of it: inp_join_group releases a lock so that it can call another function that requires the same lock, then takes the lock back after that function has executed. That creates a window in which another thread can obtain the lock and free the pointer from under it.
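An added single-threaded model of the pattern, not XNU's code: a non-recursive lock, a refcounted group record, a callee that takes the lock itself (which is what forces the caller to drop it), and a simulated second thread that frees the record inside the window. hold_ref=false reproduces the bug; hold_ref=true is the usual fix of taking a reference before dropping the lock. The names inp_lock, join_group, lookup_interface and the values are assumptions, and the free is simulated with a flag so the stale access is detected deterministically instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Non-recursive lock stand-in (single-threaded model, no pthreads needed).
 * Taking it twice would deadlock a real kernel; here it aborts. */
struct simple_lock { bool held; };
static struct simple_lock inp_lock;

static void lock_acquire(struct simple_lock *l) {
    if (l->held) { fputs("deadlock: lock already held\n", stderr); abort(); }
    l->held = true;
}
static void lock_release(struct simple_lock *l) { l->held = false; }

/* Refcounted membership record.  The free is simulated by a flag so that a
 * stale access is detected instead of reading freed memory. */
struct group { int refcnt; bool freed; int members; int ifindex; };
static struct group the_group;
static struct group *current_group;      /* protected by inp_lock */

static void group_retain(struct group *g) { g->refcnt++; }
static void group_release(struct group *g) { if (--g->refcnt == 0) g->freed = true; }

/* Reset to one live group owned by the list (refcnt 1). */
void setup_group(void) {
    memset(&the_group, 0, sizeof the_group);
    the_group.refcnt = 1;
    current_group = &the_group;
    inp_lock.held = false;
}
bool group_is_freed(void) { return the_group.freed; }

/* Callee that takes inp_lock itself; that is why the caller has to drop it. */
static int lookup_interface(void) {
    lock_acquire(&inp_lock);
    int ifindex = 7;                      /* constructed value */
    lock_release(&inp_lock);
    return ifindex;
}

/* Stands in for another thread that leaves the group during the window. */
static void racer_leave_group(void) {
    lock_acquire(&inp_lock);
    struct group *g = current_group;
    current_group = NULL;
    lock_release(&inp_lock);
    if (g) group_release(g);              /* drops the list's reference */
}

/* The inp_join_group pattern.  hold_ref=false is the bug: g is carried across
 * the lock drop with nothing keeping it alive.  hold_ref=true is the fix.
 * race=true runs the simulated other thread inside the window.  Returns the
 * member count, or -1 when the reacquire finds g already freed (the UAF). */
int join_group(bool hold_ref, bool race) {
    lock_acquire(&inp_lock);
    struct group *g = current_group;
    if (!g) { lock_release(&inp_lock); return -1; }
    if (hold_ref) group_retain(g);
    lock_release(&inp_lock);              /* window opens */

    int ifindex = lookup_interface();     /* would deadlock with inp_lock held */
    if (race) racer_leave_group();

    lock_acquire(&inp_lock);              /* window closes; is g still valid? */
    int rc;
    if (g->freed) {
        rc = -1;                          /* real code would now write freed memory */
    } else {
        g->ifindex = ifindex;
        g->members += 1;
        rc = g->members;
    }
    lock_release(&inp_lock);
    if (hold_ref) group_release(g);       /* may be the last reference */
    return rc;
}

int main(void) {
    setup_group();
    printf("vulnerable, raced: %d\n", join_group(false, true));
    setup_group();
    printf("fixed, raced:      %d (freed afterwards: %d)\n",
           join_group(true, true), group_is_freed());
    return 0;
}
```

The code smell to grep for is exactly the shape of join_group: unlock, call, lock, then continued use of a pointer obtained before the unlock. Either the pointer needs its own reference across the gap, or it has to be looked up again after the lock is retaken.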
