ZecOps Blog

SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE
Introduction In our previous blog post, we demonstrated how the SMBGhost bug (CVE-2020-0796) can be exploited for local privilege escalation. A brief reminder: CVE-2020-0796, also known as “SMBGhost”, is a bug in the compression mechanism of SMBv3.1.1....

SMBleedingGhost Writeup: Chaining SMBleed (CVE-2020-1206) with SMBGhost
TL;DR While looking at the vulnerable function of SMBGhost, we discovered another vulnerability: SMBleed (CVE-2020-1206). SMBleed allows leaking kernel memory remotely. Combined with SMBGhost, which was patched three months ago, SMBleed allows achieving...

Hidden demons? MailDemon Patch Analysis: iOS 13.4.5 Beta vs. iOS 13.5
Summary and TL;DR Further to Apple’s patch of the MailDemon vulnerability (see our blog here), ZecOps Research Team has analyzed and compared the MailDemon patches of iOS 13.4.5 beta and iOS 13.5. Our analysis concluded that the patches are...

Seeing (Mail)Demons? Technique, Triggers, and a Bounty
Impact & Key Details (TL;DR): Demonstrate a way to do a basic heap spray. We were able to use this technique to verify that this vulnerability is exploitable. We are still working on improving the success rate. Present two new examples of in-the-wild...

You’ve Got (0-click) Mail!
Updates: We published another writeup: https://blog.zecops.com/vulnerabilities/seeing-maildemons-technique-triggers-and-a-bounty/. The vulnerability affected even the first iPhone (aka iPhone 1 / iPhone 2G) on iOS 3.1.3. First in-the-wild trigger to this...

Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation: Writeup + POC
Introduction CVE-2020-0796 is a bug in the compression mechanism of SMBv3.1.1, also known as “SMBGhost”. The bug affects Windows 10 versions 1903 and 1909, and it was announced and patched by Microsoft about three weeks ago. Once we heard about it, we...