(CVE-2021-2321) Oracle VirtualBox E1000 BSS Out-Of-Bounds Read

CVE: CVE-2021-2321
Tested Versions: Oracle VirtualBox 6.1.18 revision r142142
Product URL(s): https://www.virtualbox.org/
Description of the vulnerability: When the e1000 driver sends data to the e1000 device, it sends it frame by frame. There are context frames and data frames; usually one context frame is followed by one or more data frames. We can prepare by setting the TDH (Transfer Head), TDBAL (first 32 bits of the physical address of the frames) and TDBAH (last 32 bits of the physical address of the frames) registers. We can make the device perform the transfer by writing the TDT (Transfer Tail) register, which then calls e1kXmitPending to do the transfer....

April 6, 2021 · 8 min · Muhammad Alifa Ramdhan (@n0psledbyte)

(CVE-2021-3409) QEMU Heap Overflow in SDHCI Component

CVE: CVE-2021-3409
Tested Versions: QEMU version under 5.2.50
Product URL(s): https://www.qemu.org/
Description of the vulnerability: QEMU version 5.2.50 is susceptible to vulnerabilities which, when successfully exploited, could lead to the disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). SDHCI is the Secure Digital Host Controller Interface. Secure Digital is a proprietary non-volatile memory card format developed by the SD Association (SDA) for portable devices....

March 23, 2021 · 20 min · Muhammad Alifa Ramdhan (@n0psledbyte)

(CVE-2021-0950) Android NFC [email protected] Writer mode Out-Of-Bounds Write leading to Information Disclosure

CVE: CVE-2021-0950
Tested Versions: RQ1A.210205.004
Product URL(s): https://www.android.com/
Description of the vulnerability: An Out-Of-Bounds Write bug was found in nfc_nci_nxp.so. Specifically, in the file "hardware/nxp/nfc/halimpl/hal/phNxpNciHal_ext.cc", function phNxpNciHal_write_ext, the length of the supplied command is not properly validated before it is increased, leading to a 3-byte overflow. This vulnerability can be turned into a read past the end of a global buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the NFC HIDL service....

March 5, 2021 · 7 min · Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss)

(CVE-2021-33760) Windows Media Foundation Integer Overflow Vulnerability

CVE: CVE-2021-33760
Tested Versions: mfsrcsnk.dll 10.0.18362.836
Product URL(s): https://www.microsoft.com/
Description of the vulnerability: An integer overflow leads to an OOB read when parsing an MP3 header. The crash can be triggered by navigating into the folder containing the PoC file. The crash happens inside mfsrcsnk.dll when parsing the MP3 header.
Stack trace:
(582c.420c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled....

February 27, 2021 · 3 min · Phan Thanh Duy (@PTDuy), Brandon Chong, Cao Yi Tian

(CVE-2021-34503) Windows Media Foundation Type Confusion Vulnerability

CVE: CVE-2021-34503
Tested Versions: mfsrcsnk.dll 10.0.18362.836
Product URL(s): https://www.microsoft.com/
Description of the vulnerability: There is a type confusion when parsing the metadata of the QuickTime video file format that leads to an OOB access on heap memory. The vulnerability can be triggered by navigating into the folder containing the PoC file, inside Internet Explorer and Microsoft Edge. The crash happens inside mfmp4srcsnk.dll when parsing CQTSampleDescriptionAtom.
Stack trace:
(2154.3bf0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling....

February 27, 2021 · 4 min · Phan Thanh Duy (@PTDuy)

(CVE-2021-1758) macOS/iOS CoreText Out-Of-Bounds Read

CVE: CVE-2021-1758
Tested Versions: macOS Catalina 10.15.4 (19E287)
Product URL(s): https://apple.com
Description of the vulnerability: This vulnerability exists in libFontParser.dylib, part of the CoreText library, which is widely used in macOS, iOS and iPadOS to parse and draw text. It allows an attacker to read the memory of any application that uses the CoreText API. macOS/iOS has a font format structure that wraps Type 1 PostScript fonts and TrueType fonts: the Mac Resource Fork Font....

February 10, 2021 · 6 min · Peter Nguyễn Vũ Hoàng

(CVE-2021-1790) macOS/iOS CoreText libhvf Out-Of-Bounds Read

CVE: CVE-2021-1790
Tested Versions: macOS Catalina 10.15.4 (19E287)
Product URL(s): https://apple.com
Description of the vulnerability: This vulnerability exists in libhvf.dylib, part of the CoreText library, which is widely used in macOS, iOS and iPadOS to parse fonts. An attacker can craft a malicious PDF containing a malicious font that could lead to remote code execution. libhvf.dylib is used to parse the HierVariation table in TrueType fonts. libhvf.dylib is a feature of libFontParser....

February 10, 2021 · 7 min · Peter Nguyễn Vũ Hoàng