ZecOps Research Team

SMBleedingGhost Writeup Part III: From Remote Read (SMBleed) to RCE

Introduction. Previous SMBleedingGhost write-ups: Part I, Part II, Part III (this). In the previous part of the series, SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE, we described two techniques that allow us to read uninitialized memory from the pool buffers allocated by the SrvNetAllocateBuffer function of the srvnet.sys …


SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE

Introduction. In our previous blog post, we demonstrated how the SMBGhost bug (CVE-2020-0796) can be exploited for local privilege escalation. A brief reminder: CVE-2020-0796, also known as “SMBGhost”, is a bug in the compression mechanism of SMBv3.1.1. The bug affects Windows 10 versions 1903 and 1909, and it was announced and patched by Microsoft about …


SMBleedingGhost Writeup: Chaining SMBleed (CVE-2020-1206) with SMBGhost

TL;DR. While looking at the vulnerable function of SMBGhost, we discovered another vulnerability: SMBleed (CVE-2020-1206). SMBleed allows an unauthenticated attacker to leak kernel memory remotely. Combined with SMBGhost, which was patched three months ago, SMBleed allows pre-auth Remote Code Execution (RCE). POC #1: SMBleed remote kernel memory read. POC #2: Pre-Auth RCE combining …
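The excerpts above only state that SMBGhost is a bug in the SMBv3.1.1 compression mechanism and that SMBleed reads kernel memory from the same code path; the page carries no code. The block below is an added C example, not ZecOps' code and not anything from srv2.sys or srvnet.sys. It parses the SMB2 COMPRESSION_TRANSFORM_HEADER (field layout per MS-SMB2 section 2.2.42) and shows the two checks a server must make before trusting it: the unchecked 32-bit sum of OriginalCompressedSegmentSize and Offset, which is the integer-overflow class behind SMBGhost, beside an overflow-safe version, and a post-decompression length check that refuses to return bytes the decompressor never wrote, which is my generic framing of how uninitialized pool memory becomes reachable rather than a transcription of Microsoft's patch. The 16-byte sample header is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42): 16 bytes, little-endian. */
typedef struct {
    uint32_t protocol_id;                      /* 0xFC 'S' 'M' 'B' on the wire */
    uint32_t original_compressed_segment_size; /* claimed size of the data once decompressed */
    uint16_t compression_algorithm;
    uint16_t flags;
    uint32_t offset;                           /* uncompressed bytes placed before the compressed payload */
} smb2_ctf_header;

#define SMB2_COMPRESSION_PROTOCOL_ID 0x424D53FCu
#define SMB2_CTF_HEADER_LEN 16

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the header out of a received message; false if too short or not a compressed SMB2 message. */
bool smb2_parse_ctf_header(const uint8_t *msg, size_t msg_len, smb2_ctf_header *h) {
    if (msg == NULL || h == NULL || msg_len < SMB2_CTF_HEADER_LEN) return false;
    h->protocol_id = rd32le(msg);
    if (h->protocol_id != SMB2_COMPRESSION_PROTOCOL_ID) return false;
    h->original_compressed_segment_size = rd32le(msg + 4);
    h->compression_algorithm = rd16le(msg + 8);
    h->flags = rd16le(msg + 10);
    h->offset = rd32le(msg + 12);
    return true;
}

/* Vulnerable pattern: the allocation size is the 32-bit sum of two attacker-controlled fields,
 * so a large OriginalCompressedSegmentSize plus a small Offset wraps to a tiny buffer.
 * This is the defect class behind SMBGhost; the function is a constructed illustration, not srv2.sys. */
uint32_t alloc_size_unchecked(const smb2_ctf_header *h) {
    return h->original_compressed_segment_size + h->offset;
}

/* Hardened: add in 64 bits, reject wrap-around, and reject an Offset that runs past the bytes received. */
bool alloc_size_checked(const smb2_ctf_header *h, size_t msg_len, uint32_t *size_out) {
    if (msg_len < SMB2_CTF_HEADER_LEN) return false;
    uint64_t total = (uint64_t)h->original_compressed_segment_size + (uint64_t)h->offset;
    if (total > UINT32_MAX) return false;
    if ((uint64_t)h->offset > msg_len - SMB2_CTF_HEADER_LEN) return false;
    *size_out = (uint32_t)total;
    return true;
}

/* After decompression, refuse to treat bytes the decompressor did not write as message data.
 * A buffer sized from the claimed OriginalCompressedSegmentSize but only partly filled would
 * otherwise hand back whatever the pool allocation previously held. Generic check, not the vendor patch. */
bool decompressed_length_ok(const smb2_ctf_header *h, size_t produced_len) {
    return produced_len == h->original_compressed_segment_size;
}

/* Constructed sample: OriginalCompressedSegmentSize = 0xFFFFFFF0, algorithm 2 (LZ77), Offset = 0x20. */
static const uint8_t sample_header[SMB2_CTF_HEADER_LEN] = {
    0xFC, 'S', 'M', 'B',
    0xF0, 0xFF, 0xFF, 0xFF,
    0x02, 0x00,
    0x00, 0x00,
    0x20, 0x00, 0x00, 0x00,
};

int main(void) {
    smb2_ctf_header h;
    uint32_t sz;
    if (!smb2_parse_ctf_header(sample_header, sizeof sample_header, &h)) {
        puts("not a compressed SMB2 message");
        return 1;
    }
    printf("unchecked allocation size: 0x%x\n", alloc_size_unchecked(&h)); /* wraps to 0x10 */
    printf("checked: %s\n", alloc_size_checked(&h, sizeof sample_header, &sz) ? "accepted" : "rejected");
    return 0;
}
```

The sample header asks for an allocation of 0xFFFFFFF0 + 0x20 bytes; the unchecked sum wraps to 0x10, which is the shape of input the SMBGhost write-ups build on, while the checked version rejects it before any buffer is allocated.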


Hidden demons? MailDemon Patch Analysis: iOS 13.4.5 Beta vs. iOS 13.5

Summary and TL;DR. Following Apple’s patch of the MailDemon vulnerability (see our blog here), ZecOps Research Team analyzed and compared the MailDemon patches in iOS 13.4.5 beta and iOS 13.5. Our analysis concluded that the patches are different, and that the iOS 13.4.5 beta patch was incomplete and could still be vulnerable under certain …
