SVE-2016-7930: Multiple buffer overflows in Samsung Galaxy bootloader

Posted on Sun 23 July 2017 in Advisory • Tagged with vulnerability, advisory, samsung, cellebrite, bootloader, exploit, firmware, security, usb, arm, odin

Prequel

On October 21st 2015, the mobile forensics company Cellebrite published a video demonstrating how their solution can dump the eMMC of Samsung Galaxy devices:

This video strongly suggests that the Samsung Galaxy bootloader can be exploited to execute arbitrary code.

Summary

Several bugs in the Samsung Galaxy bootloader allow an attacker with …


Continue reading

Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM

Posted on Wed 05 October 2016 in Article • Tagged with vulnerability, amlogic, arm, security, firmware, trustzone, bootrom, bug

The Amlogic S905 System-On-Chip is an ARM-based SoC designed for video applications. It is widely used in Android/Kodi media boxes. The SoC implements the TrustZone security extensions to run a Trusted Execution Environment (TEE) that provides DRM and other security features:

Figure: Amlogic S905 System Block Diagram

The SoC contains a Secure …


Continue reading

[QPSIIR-80] Qualcomm TrustZone Integer Signedness bug

Posted on Thu 18 December 2014 in Advisory • Tagged with vulnerability, advisory, arm, security, qualcomm, android, trustzone

Summary

Qualcomm's TrustZone implementation is prone to an integer signedness bug that may allow an attacker to write NULL (zero) words to barely controllable memory locations.

The vulnerability can be triggered from the Non-Secure World through the TrustZone call "tzbsp_smmu_fault_regs_dump".

This issue has been discovered in Samsung Galaxy S5 firmware, but other devices can …

Continue reading

[CVE-2014-2978] DirectFB remote out-of-bounds write vulnerability

Posted on Thu 15 May 2014 in Advisory • Tagged with vulnerability, advisory

Summary

DirectFB is prone to an out-of-bounds write vulnerability since version 1.4.4.

The vulnerability can be triggered remotely, without authentication, through the Voodoo interface (DirectFB's network layer).

Details

An attacker can choose whether the out-of-bounds write lands on the heap or on the stack.

CVSS Version 2 Metrics

  • Access Vector: Network exploitable …

Continue reading

[CVE-2014-2977] DirectFB integer signedness vulnerability

Posted on Thu 15 May 2014 in Advisory • Tagged with vulnerability, advisory

Summary

DirectFB is prone to an integer signedness vulnerability since version 1.4.13.

The vulnerability can be triggered remotely, without authentication, through the Voodoo interface (DirectFB's network layer).

Details

This integer signedness (coercion) error may lead to a stack-based buffer overflow.
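The bug class here is the same one as in the Qualcomm TrustZone entry above (QPSIIR-80): a bound check performed on a signed value that is then used as an offset or count. The C program below is an added example written for this page; it is not DirectFB's or Qualcomm's code. It models a hypothetical register-dump handler (a made-up `clear_regs_*` pair operating on a `regbank_t` with guard words on either side of the array) whose `start` and `count` arguments come from an untrusted caller, shows how a negative `start` passes the signed comparison and writes a zero word just before the array (the "NULL words at barely controllable locations" of the Qualcomm advisory), and shows the unsigned version of the check that rejects the same bits.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_REGS 8u
#define BANK_WORDS (NUM_REGS + 2)
#define GUARD 0xA5A5A5A5u
#define FILL  0x11111111u

/* Register bank laid out as one flat array so that a write just before or
 * after the register window lands on a guard word we can inspect. (Example
 * layout; a real stray write in firmware hits whatever lives there.) */
typedef struct {
    uint32_t mem[BANK_WORDS];  /* mem[0] and mem[NUM_REGS+1] are guards */
} regbank_t;

static void bank_init(regbank_t *b) {
    for (unsigned i = 0; i < BANK_WORDS; i++) b->mem[i] = FILL;
    b->mem[0] = GUARD;
    b->mem[NUM_REGS + 1] = GUARD;
}

/* Vulnerable handler: `start` and `count` are signed. The bound check is a
 * signed comparison, so start = -1, count = 1 gives 0 > 8, which is false,
 * and the request is accepted. The loop then writes regs[-1], i.e. the word
 * before the array. The attacker can only write zeros, and only at offsets
 * the signed arithmetic happens to reach: barely controllable, but a write. */
int clear_regs_vulnerable(regbank_t *b, int start, int count) {
    uint32_t *regs = &b->mem[1];
    if (start + count > (int)NUM_REGS)     /* signed compare: negatives pass */
        return -1;
    for (int i = 0; i < count; i++)
        regs[start + i] = 0;               /* NULL word written at regs[start] */
    return count;
}

/* Fixed handler: take both values as unsigned and check the start and the
 * remaining room separately. The same bit pattern that was -1 is now
 * 0xFFFFFFFF, which fails `start > NUM_REGS`; checking `count` against
 * `NUM_REGS - start` also avoids wrapping in start + count. */
int clear_regs_fixed(regbank_t *b, uint32_t start, uint32_t count) {
    uint32_t *regs = &b->mem[1];
    if (start > NUM_REGS || count > NUM_REGS - start)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        regs[start + i] = 0;
    return (int)count;
}

/* Demonstrations: feed each handler start = -1 (as the caller's 32-bit
 * value), count = 1, and return the guard word in front of the array. */
uint32_t guard_after_vulnerable(void) {
    regbank_t b; bank_init(&b);
    clear_regs_vulnerable(&b, -1, 1);
    return b.mem[0];                       /* 0: the guard was overwritten */
}

uint32_t guard_after_fixed(void) {
    regbank_t b; bank_init(&b);
    clear_regs_fixed(&b, (uint32_t)-1, 1); /* same bits, now rejected */
    return b.mem[0];                       /* GUARD: untouched */
}

/* Sanity check that the fixed handler still does its job inside the window:
 * clearing regs[2..4] zeroes mem[3..5] and leaves mem[2] and mem[6] alone. */
int fixed_clears_in_range(void) {
    regbank_t b; bank_init(&b);
    if (clear_regs_fixed(&b, 2, 3) != 3) return 0;
    return b.mem[3] == 0 && b.mem[4] == 0 && b.mem[5] == 0
        && b.mem[2] == FILL && b.mem[6] == FILL;
}

int main(void) {
    printf("guard after vulnerable handler: 0x%08x\n", guard_after_vulnerable());
    printf("guard after fixed handler:      0x%08x\n", guard_after_fixed());
    return 0;
}
```

The same pattern appears with a signed length field read from the network (the DirectFB case): the check `len > sizeof(buf)` passes for a negative `len`, and the copy that follows takes a `size_t`, turning that negative value into a huge count. The fix is the same: validate the value in the unsigned type it will actually be used in.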

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity …

Continue reading

Axis Camera M1011 Remote Code Execution Exploit

Posted on Wed 31 July 2013 in Advisory • Tagged with vulnerability, advisory

In January 2013, Rapid7 published a great paper describing several vulnerabilities in the most common UPnP libraries. Six months later, many devices based on these libraries have not been updated and are still exposed.

For example, the Axis M1011 camera contains a vulnerable version of libupnp, which can lead to …


Continue reading

Huawei Mobile Hotspot remote root code execution by SMS (user-triggered)

Posted on Mon 15 July 2013 in Advisory • Tagged with vulnerability, advisory, xss, CVE-2013-2612, huawei

Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to two vulnerabilities in its web UI: an XSS and a command injection.
Combining the two allows an attacker (with a little help from the victim) to remotely execute code on the device with root privileges, by sending a specifically …


Continue reading

[CVE-2013-2612] Huawei E587 3G Mobile Hotspot Command Injection

Posted on Mon 15 July 2013 in Advisory • Tagged with vulnerability, advisory, CVE-2013-2612, huawei

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[CVE-2013-2612] Huawei E587 3G Mobile Hotspot Command Injection
________________________________________________________________________
Summary:
Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to a command
injection vulnerability in the Web UI.

Successful exploitation allows unauthenticated attackers to execute
arbitrary commands with root privileges.
________________________________________________________________________
Details …

Continue reading

[CVE-2013-2560] Foscam <= 11.37.2.48 path traversal vulnerability

Posted on Sun 17 March 2013 in Advisory • Tagged with vulnerability, advisory, foscam

Summary

Foscam firmware <= 11.37.2.48 is prone to a path traversal vulnerability in the embedded web interface.

An unauthenticated attacker can read the entire filesystem and steal the web and Wi-Fi credentials.

Details

GET //../proc/kcore HTTP/1.0
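A request of this shape typically gets past a filter that strips a single leading "/" and then only refuses paths that begin with "../": after stripping, "//../proc/kcore" becomes "/../proc/kcore", which passes, and the server joins its document root with it. The C code below is an added example for this page, not Foscam's firmware: `naive_is_safe` is a hypothetical filter of that kind, `resolve_under_root` is a normalising resolver that collapses repeated slashes and "." segments and rejects any ".." that would climb above the root, and the document root "/var/www" in `resolve_example` is an assumed value.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 32
#define MAX_PATH 256

/* Hypothetical weak filter: strips one leading '/' and refuses only a
 * path that then starts with "../". "//../proc/kcore" survives it. */
bool naive_is_safe(const char *req) {
    if (*req == '/') req++;
    return strncmp(req, "../", 3) != 0;
}

/* Map `req` onto a file under `root`. Segments are split on '/', so runs of
 * slashes and a leading slash are ignored; "." is dropped; ".." pops the
 * previous segment, and a ".." with nothing to pop is an escape attempt.
 * Returns 0 and writes root + "/" + seg ... into `out`, or -1 on rejection
 * (escape attempt, too many segments, or output buffer too small). */
int resolve_under_root(const char *root, const char *req,
                       char *out, size_t outlen) {
    const char *segs[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int n = 0;
    const char *p = req;

    while (*p) {
        while (*p == '/') p++;               /* collapses "//" and leading '/' */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return -1;           /* "//../proc/kcore" is rejected here */
            n--;
            continue;
        }
        if (n == MAX_SEGS) return -1;
        segs[n] = start;
        seglen[n] = len;
        n++;
    }

    size_t used = strlen(root);
    if (used >= outlen) return -1;
    memcpy(out, root, used);
    for (int i = 0; i < n; i++) {
        if (used + 1 + seglen[i] >= outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}

/* Convenience wrapper with an assumed document root: returns the resolved
 * path, or NULL if the request would escape "/var/www". */
const char *resolve_example(const char *req) {
    static char buf[MAX_PATH];
    return resolve_under_root("/var/www", req, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    const char *req = "//../proc/kcore";
    const char *r = resolve_example(req);
    printf("naive filter accepts %s: %s\n", req, naive_is_safe(req) ? "yes" : "no");
    printf("resolver result: %s\n", r ? r : "rejected");
    return 0;
}
```

Two caveats a practitioner should keep in mind: the request path must be percent-decoded before normalisation (otherwise "%2e%2e" sails through a byte-level ".." check and is decoded later by the filesystem layer or the application), and the resolver only bounds the logical path; symlinks inside the root can still point outside it, so the final open should also be constrained (for example by checking the real path after resolution).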

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity …

Continue reading

[CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping

Posted on Sun 17 March 2013 in Advisory • Tagged with vulnerability, advisory, lemonldap

Summary

LemonLDAP-NG <=1.2.2 is prone to an XML signature wrapping vulnerability in its SAML authentication process.

Successful exploitation allows unauthenticated attackers to construct specially crafted messages that pass signature verification while carrying arbitrary content.

This may lead to authentication bypass.

Details

Due to a bad use …


Continue reading