Showing 1 - 25 of 133

Files from Ivan Fratric

Email address: ifratric at google.com
First Active: 2007-03-08
Last Active: 2024-12-02
AppleAVD AV1_Syntax::Parse_Header Out-Of-Bounds Reads
Posted Dec 2, 2024
Authored by Ivan Fratric, Google Security Research

AppleAVD has an issue where a large OBU size in AV1_Syntax::Parse_Header can lead to out-of-bounds reads.

tags | exploit
SHA-256 | f5d5e8258c287b17deb1dcd5e1d0cebc5da361b98ef166bcd58023bc62a1af2c
AppleAVD AV1_Syntax::f Out-Of-Bounds Reads
Posted Dec 2, 2024
Authored by Ivan Fratric, Google Security Research

AppleAVD has an issue in AV1_Syntax::f leading to out-of-bounds reads.

tags | exploit
SHA-256 | 8793fd0b760f2a8c6b210ae7701eec4e5ab9281a045322d56d92d2c1672e4bd1
AppleAVD AV1_Syntax::Parse_Header Integer Underflow / Out-Of-Bounds Reads
Posted Dec 2, 2024
Authored by Ivan Fratric, Google Security Research

AppleAVD has an integer underflow in AV1_Syntax::Parse_Header that can lead to out-of-bounds reads.

tags | exploit
SHA-256 | c6dddb5cbf681203616f22b9385ebd751596c9da4d40dbd84bfdb8a9de7f9473
dav1d Integer Overflow / Out-Of-Bounds Write
Posted Mar 18, 2024
Authored by Ivan Fratric, Google Security Research, Nick Galloway

There is an integer overflow in dav1d when decoding an AV1 video with large width/height. The integer overflow may result in an out-of-bounds write.

tags | exploit, overflow
advisories | CVE-2024-1580
SHA-256 | 258b775b05e2d4378551ee4e66e5c90a5df4e7d9ef5dc5c37abec0ba66db8a8e
macOS AppleVADriver Out-Of-Bounds Write
Posted Jan 12, 2024
Authored by Ivan Fratric, Google Security Research

macOS suffers from an out-of-bounds write vulnerability in AppleVADriver when decoding mpeg2 videos.

tags | exploit
advisories | CVE-2023-42882
SHA-256 | a755a34876f36a8a24fb4024eeda524426d61439be93ad37d2aa3f187ed43ce5
macOS AppleGVA Memory Handling
Posted Jan 12, 2024
Authored by Ivan Fratric, Google Security Research

On Intel macOS, HEVC video decoding is performed in the AppleGVA module. Using fuzzing, researchers identified multiple issues in this decoder. The issues range from out-of-bounds writes and out-of-bounds reads to, in one case, free() on an invalid address. All of the issues were reproduced on macOS Ventura 13.6 running on a 2018 Mac mini (Intel based).

tags | exploit
advisories | CVE-2023-42926
SHA-256 | ed851479d112d861e65e1f2c3cbdcfb9751f8aafbae00aece5139de5128c88b0
iOS / macOS libIPTelephony.dylib Use-After-Free
Posted Jun 19, 2023
Authored by Ivan Fratric, Google Security Research

There is a use-after-free vulnerability in libIPTelephony.dylib inside the SIP message decoder (SipMessageDecoder::decode() function). The vulnerable library is present on both iOS and macOS and was confirmed on macOS Ventura 13.2.1.

tags | exploit
systems | ios
advisories | CVE-2023-32412
SHA-256 | 6d3cab99ce231d2cf5def080ffac1a0b2fd80f0e9852f330e033cb0e5ceb0b2d
Shannon Baseband SIP Retry-After Header Heap Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a heap buffer overflow in Shannon Baseband when processing the Retry-After header in the SIP protocol decoder (IMSPL_SipRetryAfter.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29087
SHA-256 | dd3027619afa3f34e33a8c7c8fa273a3caead4344694e68e00f0bf7658948980
Shannon Baseband SIP Min-SE Header Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the Min-SE header in the SIP protocol decoder (IMSPL_SipMinSE.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29086
SHA-256 | e0cd48f57c8b65b8d3f033aad592c288cb156a5fc17e43743d268337dab80c20
Shannon Baseband Negative-Size Memcpy / Out-Of-Bounds Read
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a negative-size memcpy (heap overflow) when decoding the body of SIP multipart messages. According to debug strings in the modem image, this functionality is implemented in IMSPL_SipFragDecode.

tags | exploit, overflow
advisories | CVE-2023-29089
SHA-256 | 008713e1403417d96115cab8cea235d3b9c02eefab2c7765ee120627abe0c5b3
Shannon Baseband SIP Session-Expires Header Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the Session-Expires header in the SIP protocol decoder (IMSPL_SipDecode.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29088
SHA-256 | e11bd9abdf4b3c1c338a567873ee29ab281b3106b929fa8c9cb91119afcbc1f7
Shannon Baseband SIP Status Line Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the status line of a SIP message (this happens in IMSPL_SipStatusLine.c according to the debug strings in the firmware image).

tags | exploit, overflow
advisories | CVE-2023-29085
SHA-256 | 775cec97675cbb8c305fcd017b6eeee470cd0ac86f5bca8f85e29ef9c9c3e283
Shannon Baseband Via Header Decoder Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the Via header in the SIP protocol decoder (IMSPL_SipDecode.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29090
SHA-256 | 0afa5f6ef5d703a73b0521ecca5d80bc302663f045296001e5c9f592b245d7f9
Shannon Baseband SIP URI Decoder Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband in the SIP URI decoder. According to the debug strings present in the firmware image, this decoder corresponds to IMSPL_SipUri.c.

tags | exploit, overflow
advisories | CVE-2023-29091
SHA-256 | cef6065d95093542cb22a1a75544960827efff742ba806ef8e0db27ff1a75588
Shannon Baseband Integer Overflow
Posted May 5, 2023
Authored by Ivan Fratric, Google Security Research

There is an integer overflow in Shannon Baseband leading to a heap buffer overflow when reassembling IPv4 fragments. According to the debug strings, the corresponding functionality is implemented in the SmdtIp4Rx::ProcessFragments function and its callees.

tags | exploit, overflow
advisories | CVE-2023-28613
SHA-256 | 85296d153a53a5ed603bc0ad519a9d3336041170d6909013ceb81a85f4d1624b
Shannon Baseband NrSmPcoCodec Intra-Object Overflow
Posted Mar 20, 2023
Authored by Ivan Fratric, Google Security Research

There is an intra-object overflow in Shannon Baseband, inside the 5G SM protocol implementation (NrSmMsgCodec as it is called in Shannon according to debug strings), when decoding the Extended protocol configuration options message (IEI = 0x7B).

tags | exploit, overflow, protocol
advisories | CVE-2023-26076
SHA-256 | fbcb90e472d2e3ece0a5999daefccbac91cb16b93b5bdde7163bb7f5b46c8021
Shannon Baseband NrmmMsgCodec Intra-Object Overflow
Posted Mar 17, 2023
Authored by Ivan Fratric, Google Security Research

There is an intra-object overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Service Area List message (IEI = 0x27).

tags | exploit, overflow, protocol
advisories | CVE-2023-26075
SHA-256 | ca27ff3f40a5cef1422ff326c82c6ac37d4d2a24ac33342144bc8a5c84aa2848
Shannon Baseband NrmmMsgCodec Access Category Definitions Heap Buffer Overflow
Posted Mar 17, 2023
Authored by Ivan Fratric, Google Security Research

There is a heap buffer overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Operator-defined access category definitions message (IEI = 0x76).

tags | exploit, overflow, protocol
advisories | CVE-2023-26074
SHA-256 | 0d9b32ed9b931576486f7e7630f9b8e393f008ff2bccc77a8e30f84a45f1e0f0
Shannon Baseband NrmmMsgCodec Extended Emergency Number List Heap Buffer Overflow
Posted Mar 17, 2023
Authored by Ivan Fratric, Google Security Research

There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Extended emergency number list" message (IEI = 0x7A).

tags | exploit, overflow, protocol
advisories | CVE-2023-26073
SHA-256 | ba04bb179ad4db118c637bfe6c329d2d3ebef7e310034bd5a8af11fa0123adc3
Shannon Baseband NrmmMsgCodec Emergency Number List Heap Buffer Overflow
Posted Mar 17, 2023
Authored by Ivan Fratric, Google Security Research

There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Emergency number list" message (IEI = 0x34).

tags | exploit, overflow, protocol
advisories | CVE-2023-26072
SHA-256 | ff7c534a4bbc11dc3cd3ac7fb2571e8b2fc9cddf789fa05fff2fc30be17f2aca
libCoreEntitlements CEContextQuery Arbitrary Entitlement Returns
Posted Jan 13, 2023
Authored by Ivan Fratric, Google Security Research

On newer macOS/iOS versions, entitlements in binary signature blobs are stored in the DER format. libCoreEntitlements.dylib is the userspace library for parsing and querying such entitlements. The kernel has its own version of this library inside the AppleMobileFileIntegrity module. libCoreEntitlements exposes several functions, for example to convert entitlements to a dictionary representation (e.g. CEQueryContextToCFDictionary) or to query a specific entitlement (CEContextQuery). Unfortunately, different functions traverse the DER structure in subtly different ways, which allows one API to see one set of entitlements and another API to see a different set of entitlements.

tags | exploit, kernel
systems | apple, ios
advisories | CVE-2022-42855
SHA-256 | 9313c983a56ba7500d8b9861b16b1c103ae3a9454de12a836126f89cec59a1b8
Cisco Jabber XMPP Stanza Smuggling
Posted Oct 20, 2022
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in Cisco Jabber that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Cisco Jabber client, including XMPP stanzas that are normally sent only by the trusted server.

tags | exploit, arbitrary
systems | cisco
advisories | CVE-2022-20917
SHA-256 | ed2115ba91caeae4b0245ae0141359b56fa7d27077ea7a8cb6d34c1aa2ad914c
macOS RawCamera Out-Of-Bounds Write
Posted Aug 22, 2022
Authored by Ivan Fratric, Google Security Research

There is an out-of-bounds write vulnerability when decoding a certain flavor of RAW image files on macOS. The vulnerability has been confirmed on macOS 12.3.1. Although the advisory notes an attached poc, Google did not have one attached.

tags | advisory
advisories | CVE-2022-32802
SHA-256 | b0cdd2ef0c901dd72ddd0b3fa6f8cc6fcb53635705915e5ec0c9100853c07cb3
Kik Messenger XMPP Stanza Smuggling
Posted Jun 10, 2022
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in Kik Messenger for Android that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Kik client, including XMPP stanzas that are normally sent only by the Kik server. Included is a proof of concept that demonstrates sending the stc stanza, which triggers a captcha dialog and opens an arbitrary attacker-controlled webpage on the victim client. However, the full impact is likely larger than this, and includes any application features accessible over XMPP.

tags | exploit, arbitrary, proof of concept
SHA-256 | 3f66b31a34e395df392668d6453b6eee4bbfd623765c95d99108116f95c8a143
Tigase XMPP Server Stanza Smuggling
Posted May 26, 2022
Authored by Ivan Fratric, Google Security Research

Tigase XMPP server suffers from a security vulnerability because it does not escape the double quote character when serializing parsed XML. This can be used to smuggle (or, if you prefer, inject) an arbitrary attacker-controlled stanza into the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).

tags | exploit, arbitrary
SHA-256 | 80c339179764f04e39876070e482957638cbcf822ccdb04b5cc72ea035585e1e