ZecOps Blog

Introduction Previous SMBleedingGhost write-ups:  Part I Part II Part III (this) In the previous part of the series, SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE, we described two techniques that...

Introduction In our previous blog post, we demonstrated how the SMBGhost bug (CVE-2020-0796) can be exploited for local privilege escalation. A brief reminder: CVE-2020-0796, also known as “SMBGhost”, is a bug in the compression mechanism of SMBv3.1.1....

TL;DR While looking at the vulnerable function of SMBGhost, we discovered another vulnerability: SMBleed (CVE-2020-1206). SMBleed allows to leak kernel memory remotely. Combined with SMBGhost, which was patched three months ago, SMBleed allows to achieve...

Summary and TL;DR Further to Apple’s patch of the MailDemon vulnerability (see our blog here), ZecOps Research Team has analyzed and compared the MailDemon patches of iOS 13.4.5 beta and iOS 13.5.  Our analysis concluded  that the patches are...

Impact & Key Details (TL;DR) Demonstrate a way to do a basic heap spray We were able to use this technique to verify that this vulnerability is exploitable. We are still working on improving the success rate. Present two new examples of in-the-wild...

Updates We published another writeup: https://blog.zecops.com/vulnerabilities/seeing-maildemons-technique-triggers-and-a-bounty/ The vulnerability affected even the first iPhone (aka iPhone 1 / iPhone 2G) on iOS 3.1.3. First in-the-wild trigger to this...