vulnerabilities

From a comment to a CVE: Content filter strikes again!

In the past few years XNU has had a few vulnerabilities in newly added or changed code areas and in the content filter area, so it is no surprise that the combination of newly added code and a complex area (the content filter), alongside a funny comment, caught our attention.

SMBleedingGhost Writeup Part III: From Remote Read (SMBleed) to RCE

Introduction. Previous SMBleedingGhost write-ups: Part I, Part II, Part III (this). In the previous part of the series, SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE, we described two techniques that allow us to read uninitialized memory from the pool buffers allocated by the SrvNetAllocateBuffer function of the srvnet.sys …


SMBleedingGhost Writeup Part II: Unauthenticated Memory Read – Preparing the Ground for an RCE

Introduction. In our previous blog post, we demonstrated how the SMBGhost bug (CVE-2020-0796) can be exploited for local privilege escalation. A brief reminder: CVE-2020-0796, also known as “SMBGhost”, is a bug in the compression mechanism of SMBv3.1.1. The bug affects Windows 10 versions 1903 and 1909, and it was announced and patched by Microsoft about …



SMBleedingGhost Writeup: Chaining SMBleed (CVE-2020-1206) with SMBGhost

TL;DR: While looking at the vulnerable function of SMBGhost, we discovered another vulnerability: SMBleed (CVE-2020-1206). SMBleed allows leaking kernel memory remotely. Combined with SMBGhost, which was patched three months ago, SMBleed allows achieving pre-auth Remote Code Execution (RCE). POC #1: SMBleed remote kernel memory read (POC #1 link). POC #2: Pre-Auth RCE combining …
