PHP 8 Sandbox Escape via TimeAfterFree UAF
A PoC demonstrates a PHP 8 use-after-free bug enabling bypass of disable_functions and execution of system commands on Unix-like servers.
SAP NetWeaver Memory Corruption Flaw Lets Attackers Send Corrupted Logon Tickets
https://gbhackers.com/sap-netweaver-memory-corruption-flaw/
#Infosec #Security #Cybersecurity #CeptBiro #SAP #NetWeaver #MemoryCorruption #CorruptedLogonTickets
Oh joy, another thrilling #update in the world of ASN.1 #APIs for #Python. 🙄 Because nothing screams excitement like deep dives into #cryptography protocols and the potential for catastrophic memory corruption, right? 🎉
https://blog.trailofbits.com/2025/04/18/sneak-peek-a-new-asn.1-api-for-python/ #ASN1 #MemoryCorruption #HackerNews #ngated
🧠 Why exploits prefer memory corruption | PACIBSP security
「 I believe that memory corruption techniques will dominate real-world exploitation that targets end-user platforms and products even after the shift to memory-safe languages makes memory unsafety bugs rarer than logic bugs. And I do not expect MTE to change this: it will just make good memory corruption bugs even rarer and harder to exploit 」
https://pacibsp.github.io/2024/why-exploits-prefer-memory-corruption.html
NSPasteboard crashes due to unsafe, internal concurrent memory mutation when handling file promises
This is a public reposting of FB14885505, in case it's helpful to anyone else or especially in case someone else has seen this too and knows how to work around it.
NSPasteboard mutates itself simultaneously from the main thread and the global concurrent Dispatch pool, with respect to its internal type cache. This is surprisingly trivial to reproduce (sample code below) by just dropping, e.g., a file promise (such as by opening a PNG in Preview, revealing the thumbnails sidebar, and then dragging [...]
High-Impact Security Vulnerabilities in Firefox 128
Date: July 9, 2024
CVE: CVE-2024-6605 CVE-2024-6606 CVE-2024-6607 CVE-2024-6608 CVE-2024-6609 CVE-2024-6610 CVE-2024-6600 CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6611 CVE-2024-6612 CVE-2024-6613 CVE-2024-6614 CVE-2024-6604 CVE-2024-6615
Vulnerability Type: Tapjacking
CWE: CWE-451, CWE-922
Sources: Mozilla Security Advisory
Synopsis
Multiple security vulnerabilities were addressed in the latest Firefox 128 release, impacting both the desktop and Android versions. These vulnerabilities, if exploited, could lead to severe security breaches including tapjacking, out-of-bounds read, and memory corruption.
The CVEs listed above are all those mentioned in Mozilla Foundation Security Advisory 2024-29.
Issue Summary
Mozilla announced fixes for several high-impact vulnerabilities in Firefox 128. Notably, CVE-2024-6606 involves out-of-bounds read issues in the clipboard component, and CVE-2024-6609 relates to memory corruption in the NSS library.
Technical Key Findings
CVE-2024-6605 allows attackers to overlay malicious prompts over legitimate permission dialogs, potentially tricking users into granting unwanted permissions. This vulnerability exploits the lack of a delay in activating permission prompts on Firefox Android, enabling immediate interactions which can be hijacked by malicious actors.
Vulnerable Products
Impact Assessment
If these vulnerabilities are exploited, attackers can perform actions such as reading out-of-bounds data, preventing users from exiting fullscreen mode, or executing arbitrary code. These can lead to unauthorized access to sensitive data, manipulation of browser behavior, and potential system compromises.
Patches or Workaround
Mozilla has released patches in Firefox 128, Firefox ESR 115.13, and Thunderbird 115.13 to address these vulnerabilities. Users are advised to update to the latest versions to mitigate the risks associated with these security flaws.
Tags
#Firefox #CVE2024-6605 #Tapjacking #SecurityUpdate #Mozilla #Vulnerability #MemoryCorruption #OutOfBoundsRead
Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws
https://memorycorruption.net/posts/rce-lua-factorio/
#ycombinator #blog #memorycorruption #security #research #Research #Pwn #Lua
I wrote some [intentionally vulnerable] C code. Looking for recommendations on how to make it easier for students to exploit this simple Stack Overflow.
https://github.com/ronin-rb/vuln-apps/blob/stack_overflow/stack_overflow/c/greeter.c
#memorycorruption #stackoverflow #pwnme
Critical Vulnerability in Fluent Bit: CVE-2024-4323
Date: May 20, 2024
CVE: CVE-2024-4323
Vulnerability Type: Memory Corruption
CWE: CWE-787, CWE-119
Sources: Tenable
Issue Summary
Tenable Research has identified a critical memory corruption vulnerability in Fluent Bit, designated CVE-2024-4323, within its built-in HTTP server. This vulnerability, termed "Linguistic Lumberjack," affects versions 2.0.7 through 3.0.3 and allows potential denial of service, information disclosure, or remote code execution. The issue has been fixed in the main branch and will be included in the upcoming 3.0.4 release.
Technical Key Findings
The vulnerability is rooted in improper handling of data types in the "inputs" array of the /api/v1/traces endpoint. When non-string values, such as integers or negative integers, are passed, it can lead to memory corruption. Exploits could include crashes from wild copies, heap overwrites, and disclosure of adjacent memory, potentially leading to remote code execution under specific conditions.
Vulnerable Products
Impact Assessment
Exploitation of CVE-2024-4323 can result in significant disruptions such as service crashes, leakage of sensitive information, and in severe cases, remote code execution, which can compromise entire systems relying on Fluent Bit for logging and monitoring.
Patches or Workarounds
Users should upgrade to Fluent Bit version 3.0.4 or later. If upgrading is not immediately feasible, restricting access to the vulnerable endpoints is recommended to mitigate potential exploitation.
Tags
#CVE-2024-4323 #FluentBit #MemoryCorruption #CloudSecurity #RemoteCodeExecution #VulnerabilityManagement
What are your thoughts on this?
Unpopular opinion: I'm for memory-safe langs, but there needs to be some realism. Even with Rust/C#/Python, a lot of orgs still use C/C++ and colleges still teach C/C++.
It's great some level of reduction occurred, but this is ultimately something that will take time. It's not something I think anyone expects to see poof into non-existence in one year.
Mem issues were the 2nd leading cause of vulns?
Yea, that's not surprising, despite this myth that mem corruption is just gone with the wind. It isn't.
"...75% of analyzed mem vulnerabilities have been exploited as 0-days by threat actors..."
Real talk: This is because of their ability to RCE. NO CAP.
Also, the list implies # of vulns is relative to impact: It isn't
NOTE: I do like cpp, so I'm not like trying to harp on it or anything. There have been so many improvements to it, that I feel this should be noted.
https://www.horizon3.ai/analysis-of-2023s-known-exploited-vulnerabilities/
#memorycorruption #hacking #infosec #programming #programmers
p2k23 Hackathon Report: Landry Breuil (landry@) on chasing memory corruptions https://undeadly.org/cgi?action=article;sid=20230912094727 #openbsd #hackathon #packages #mozilla #memorycorruption
DeepSec 2023 Talk: Nostalgic Memory – Remembering All the Wins and Losses for Protecting Memory Corruption – Shubham Dubey
Memory corruption, a vulnerability that emerged in the 1980s and gained prominence with the discovery of the first buffer overflow in the fingerd U
https://blog.deepsec.net/deepsec-2023-talk-nostalgic-memory-remembering-all-the-wins-and-losses-for-protecting-memory-corruption-shubham-dubey/
#Conference #DeepSec2023 #MemoryCorruption #Talk #VulnerabilityMitigation
Sometimes, #bugs lead to pretty funny results. In this case, I was processing this #calibration data for our #multispectral #camera again and apparently, I effed up my memory management, which led to memory corruption and ultimately this funny picture of me. Unfortunately, I was unable to reproduce the bug, so, I guess it'll live on as a funny edge case in my program :)
#science #multispectralimaging #multispectralcamera #freiburg #programming #memorymanagement #memorycorruption
Buffer Overflow Exploits Explained
#exploit #bof #howto #bufferoverflow #memory #memorycorruption
#LinusTorvalds says it like it is - #ECC #DRAM matters and #Intel screwed up (but not #AMD) - I’ve been happily using ECC #RAM on my old #PC: https://www.realworldtech.com/forum/?threadid=198497&curpostid=198647
Vulnerability Spotlight: Memory corruption, DoS vulnerabilities in CoTURN - Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. CoTURN contains... more: http://feedproxy.google.com/~r/feedburner/Talos/~3/x8fHdn-kPA0/vuln-spotlight-coturn-DoS-memory-feb-2020.html #vulnerabilityadvisories #vulnerabilityspotlight #vulnerabilityresearch #vulnerabilityreport #memorycorruption #denialofservice #vulnerabilities #coturn
Mozilla Firefox 73 Browser Update Fixes High-Severity RCE Bugs - The release of Firefox 73 fixed high-severity memory safety bugs that could cause arbitrary code e... more: https://threatpost.com/mozilla-firefox-73-browser-update-fixes-high-severity-rce-bugs/152831/ #highseverityflaw #memorycorruption #vulnerabilities #mozillafirefox #codeexecution #missingbounds #memorysafety #websecurity #firefox73 #mozilla
Microsoft looks to Rust language to beat memory vulnerabilities - Microsoft is pressing ahead with an ambitious plan to de-fang common vulnerabilities hiding in old... more: https://nakedsecurity.sophos.com/2019/12/04/microsoft-looks-to-rust-language-to-beat-memory-vulnerabilities/ #microsoftvulnerabilities #microsoftprojectverona #memorycorruption #technologies #microsoft #firefox #mozilla #windows #rust
Amazon Kindle, Embedded Devices Open to Code-Execution - Flaws in Das U-Boot affect third-party hardware that uses the universal bootloader as an underlyin... more: https://threatpost.com/amazon-kindle-embedded-devices-code-execution/150003/ #memorycorruption #vulnerabilities #denialofservice #embeddeddevices #bufferoverflow #codeexecution #amazonkindle #forallsecure #cputakeover #armdevices #doublefree #dasu-boot #iot
Are RadStudio's smart pointers really smart pointers?
Older versions of C++ Builder did have bugs related to smart pointers.
The version of RadStudio I use may have such a bug as well.