tag: CVE

Rooting Xiaomi WiFi Routers

25 Sep, 2023 by Julien R. (SoEasY), Marin Duroyon
#Xiaomi
#Routers
#CVE
#Vulnerability Research
In this article, we discuss our research approach for investigating Xiaomi routers. We discovered multiple vulnerabilities allowing Remote Code Execution (RCE) on several models, through both LAN and WAN interfaces. This work led to the publication of four CVEs specifically targeting Xiaomi routers.
Read more

Leveraging Android Permissions: A Solver Approach

20 Jun, 2023 by Jérémy Breton
#Android
#Permissions
#CVE
#Vulnerability Research

The Android permission management system has already suffered from several vulnerabilities in the past. Such weaknesses can grant dangerous permissions to a malevolent application, an example being CALL_LOG, which gives access to all incoming and outgoing calls.

This post dives into the Android permission system and how a solver was leveraged to find new vulnerabilities. With this approach, a privilege escalation was identified, which was fixed and assigned CVE-2023-20947 by Google.

Read more

The Fuzzing Guide to the Galaxy: An Attempt with Android System Services

20 Apr, 2023 by Anthony REMY
#Android
#CVE
#Fuzzing
#Vulnerability Research
Although the Android base is open source, many different constructors customize it with their own UIs and APIs. All these additions represent an extra attack surface that can change from one phone model to another. We tried to automatically fuzz the closed-source system services powering these modifications, discovering CVE-2022-39907 and CVE-2022-39908 along the way.
Read more

Fuzzing RDPEGFX with "what the fuzz"

14 Oct, 2022 by Colas Le Guernic, Jérémy Rubert, and Anonymous from Thalium team
#RDP
#Fuzzing
#CVE
#Vulnerability Research
Microsoft’s Remote Desktop Protocol (RDP) client was fuzzed by various teams in the past few years, it thus seemed like a good target to try a recent snapshot fuzzer: what the fuzz (wtf) (of which we are only users). In this companion post to our Hexacon 2022 talk (slides, video) we’ll show how we took advantage of wtf flexibility in order to efficiently fuzz the RDPEGFX channel of Microsoft RDP client and uncover CVE-2022-30221.
Read more

Remote Deserialization Bug in Microsoft's RDP Client through Smart Card Extension (CVE-2021-38666)

10 Dec, 2021 by Valentino Ricotta
#RDP
#Exploit
#CVE
#Vulnerability Research
#RCE

This is the third installment in my three-part series of articles on fuzzing Microsoft’s RDP client, where I explain a bug I found by fuzzing the smart card extension.

Read more

Remote ASLR Leak in Microsoft's RDP Client through Printer Cache Registry (CVE-2021-38665)

10 Dec, 2021 by Valentino Ricotta
#RDP
#Exploit
#CVE
#Vulnerability Research
#ASLR

This is the second installment in my three-part series of articles on fuzzing Microsoft’s RDP client. I will explain a bug I found by fuzzing the printer sub-protocol, and how I exploited it.

Read more

Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology

10 Nov, 2021 by Valentino Ricotta
#RDP
#Fuzzing
#WinAFL
#Vulnerability Research
#CVE

This article begins my three-part series on fuzzing Microsoft’s RDP client. In this first installment, I set up a methodology for fuzzing Virtual Channels using WinAFL and share some of my findings.

Read more