h0wl.pl
h0wl's blog: [CVE-2015-3679] Apple OS X morx nSubtables Memory Corruption Remote Code Execution and [CVE-2015-3680] DFont FOND Memory Corruption Remote Code Execution
http://www.h0wl.pl/2015/07/cve-2015-3679-apple-os-x-morx.html
Pentester and vuln researcher writing about stuff. Wednesday, 1 July 2015. [CVE-2015-3679] Apple OS X morx nSubtables Memory Corruption Remote Code Execution and [CVE-2015-3680] DFont FOND Memory Corruption Remote Code Execution. Yesterday Apple released security update 2015-005, which included fixes for two vulnerabilities related to font parsing in OS X that I reported to the ZDI. See the original advisories for CVE-2015-3679. Posted by Paweł Wyleciał. 5 September 2016 at 20:02.
h0wl's blog: February 2015
http://www.h0wl.pl/2015_02_01_archive.html
Tuesday, 10 February 2015. Microsoft Internet Explorer CShadow Direction Integer Overflow Remote Code Execution CVE-2015-0036 (MS15-009). In this month's bulletin Microsoft fixed multiple vulnerabilities in Internet Explorer, including one which was mine. It was an integer overflow in the CShadow filter which could lead to remote code execution. It affected Internet Explorer 10 and 11. You can find the original ZDI advisory here.
h0wl's blog: SyScan360 2014 - Mobile Browsers Security: iOS
http://www.h0wl.pl/2014/07/syscan360-2014-mobile-browsers-security.html
Tuesday, 22 July 2014. SyScan360 2014 - Mobile Browsers Security: iOS. Last week, together with Lukasz Pilorz, I spoke about mobile browser security on iOS at SyScan360 in Beijing. Visiting China for the first time was a great experience, and the conference itself was just awesome. Cool people, very technical talks and good organization are what make this event exceptional. Posted by Paweł Wyleciał.
h0wl's blog: March 2014
http://www.h0wl.pl/2014_03_01_archive.html
Monday, 10 March 2014. The blog for a project that I'm a part of has finally been published: http://browser-shredders.blogspot.com. The research started some time ago, and we already had some nice findings. Currently there is not much content, but this will change after the Hack in The Box talk, which will be presented by my two colleagues: http://haxpo.nl/hitb2014ams-pilorz-zmyslowski/. Posted by Paweł Wyleciał.
h0wl's blog: June 2015
http://www.h0wl.pl/2015_06_01_archive.html
Monday, 22 June 2015. Browsing stackoverflow for interesting crashes - Microsoft Internet Explorer 11. Here is a nice example of why it is worth browsing stackoverflow.com for crash reports. Recently I stumbled upon this post. I checked it out and as of today (22 Jun 2015) it crashes the latest Internet Explorer 11. The crash log looks interesting. The proof of concept from the post is huge, so I decided to downsize it a bit.
h0wl's blog: Hopper Disassembler 2.8.7 / 3.6.2 Mach-O Handling Buffer Overflow
http://www.h0wl.pl/2014/11/hopper-287-362-mach-o-handling-buffer.html
Monday, 24 November 2014. Hopper Disassembler 2.8.7 / 3.6.2 Mach-O Handling Buffer Overflow. SECURE 2014 I decided to do a quick check of Hopper Disassembler (which is a great tool btw, I highly recommend it). As a sample I simply used one of the system tools from OS X (/bin/ls) and started fuzzing. I quickly began recording tons of crashes. The most interesting one was this, and the file diff showed something like that. It's pretty straightforward, right?
h0wl's blog: April 2015
http://www.h0wl.pl/2015_04_01_archive.html
Friday, 3 April 2015. A quick post about two crashes I found in tcsh (the default FreeBSD shell, although the BSD version does not segfault) and mksh (the default shell on Android). As I'm not planning to research it further, I will just leave it here. Maybe someone will figure out if any of this can be exploited somehow. Tcsh 6.18.01 and maybe older. The FreeBSD version handled it just fine. perl -e 'print " $? Program received signal SIGSEGV, Segmentation fault.
h0wl's blog: Microsoft Internet Explorer CShadow Direction Integer Overflow Remote Code Execution CVE-2015-0036 (MS15-009)
http://www.h0wl.pl/2015/02/microsoft-internet-explorer-cshadow.html
Tuesday, 10 February 2015. Microsoft Internet Explorer CShadow Direction Integer Overflow Remote Code Execution CVE-2015-0036 (MS15-009). In this month's bulletin Microsoft fixed multiple vulnerabilities in Internet Explorer, including one which was mine. It was an integer overflow in the CShadow filter which could lead to remote code execution. It affected Internet Explorer 10 and 11. You can find the original ZDI advisory here. 2 May 2016 at 09:27.
h0wl's blog: May 2014
http://www.h0wl.pl/2014_05_01_archive.html
Thursday, 29 May 2014. Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero. Recently I was playing with the WeakMap implementation in IE11. The following code caused the browser to crash. eax=00aee241 ebx=059f8cc0 ecx=059f8cc8 edx=00000000 esi=059f8cc8 edi=05171aa0 eip=668756f0 esp=06a6bcbc ebp=06a6bccc iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 1 : TryGetValueAndRemove 0x1f: Of two denial of ...