Friday, 23 November 2018

Path traversal in mozilla pdf.js

Hi Internet,

Summary: A path traversal issue was observed in Mozilla PDF.js, a PDF reader written in JavaScript. (This issue is unpatched.)

This issue was observed during a code review of PDF.js (gulpfile.js).

PDF.js is built into Firefox version 19+, and a Chrome extension is also available on the Chrome Web Store. To install and get a local copy of PDF.js, follow the steps below:

Then navigate to

I used the --path-as-is option of cURL to verify this issue.

This was reported to Mozilla via Bugzilla, but the team says "The server with pdf.js is intended to be a development server and should not be exposed to public networks. I suppose we could update the docs to state that." and an upstream issue was filed against this [1].
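As an added example (not pdf.js code, written in C rather than the dev server's JavaScript), here is the kind of request-path check a static development server should apply before opening a file: it percent-decodes the URL path and removes dot segments, so a raw ../ (which curl --path-as-is sends unmodified) or an encoded one cannot escape the web root. The root directory and request paths are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEGS 128

/* Decode %XX escapes from in into out (size outlen).
 * Returns 0 on success, -1 on a malformed escape, an embedded NUL, or overflow. */
static int percent_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        }
        if (c == '\0' || o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Resolve url_path against root without touching the filesystem.
 * "." segments are dropped and ".." pops the previous segment; a ".." with
 * nothing left to pop means the request tried to climb above root and is
 * rejected. Writes "root/seg/..." to out and returns 0, or -1 on rejection,
 * malformed input, or an output buffer that is too small. */
int resolve_request_path(const char *root, const char *url_path,
                         char *out, size_t outlen) {
    char decoded[1024];
    const char *segs[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    size_t n = 0;

    if (percent_decode(url_path, decoded, sizeof decoded) != 0) return -1;

    for (char *p = decoded; *p != '\0';) {
        while (*p == '/') p++;                 /* skip empty segments */
        if (*p == '\0') break;
        char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return -1;             /* traversal above web root */
            n--;
            continue;
        }
        if (n == MAX_SEGS) return -1;
        segs[n] = start;
        seglen[n] = len;
        n++;
    }

    size_t o = strlen(root);
    if (o + 1 > outlen) return -1;
    memcpy(out, root, o);
    for (size_t i = 0; i < n; i++) {
        if (o + 1 + seglen[i] + 1 > outlen) return -1;
        out[o++] = '/';
        memcpy(out + o, segs[i], seglen[i]);
        o += seglen[i];
    }
    out[o] = '\0';
    return 0;
}

int main(void) {
    /* Constructed requests against a constructed web root. */
    const char *root = "/srv/pdfjs";
    const char *requests[] = {
        "/web/viewer.html",
        "/build/../web/viewer.html",
        "/../../outside.txt",
        "/%2e%2e/%2e%2e/outside.txt",
    };
    char out[256];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (resolve_request_path(root, requests[i], out, sizeof out) == 0)
            printf("%-30s -> serve %s\n", requests[i], out);
        else
            printf("%-30s -> 403 rejected\n", requests[i]);
    }
    return 0;
}
```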

Thank you

Sunday, 11 November 2018

null-pointer dereference in poppler library - CVE-2018-19149

Hi Internet,

Summary: While fuzzing evince v3.28.4 on Linux 4.15.0-38-generic (Ubuntu 18.04 LTS), a null-pointer dereference was observed. Initially this was reported to evince, but the evince team advised that the issue is in poppler, the library evince uses to render PDF. poppler version 0.62.0-2ubuntu2.2 is vulnerable to the null-pointer dereference; the issue is already fixed in poppler 0.70, but it will still crash evince v3.28.4 if poppler is not updated to v0.70. A fuzzing result showing a very important vulnerability in a package currently shipped by a major Linux distribution is still of interest, even if that Linux distribution does not package the latest released upstream version.

Initially, I started fuzzing evince, a document reader that comes by default with most Linux distributions. I also created malformed PDF files as input for AFL. After successfully compiling evince with afl-gcc, the final command was,

It took three days to get 21 crashes, of which 6 were unique. While analyzing the crashes with triage_crashes, one of the components that ships with AFL for analyzing crashes, I observed a null-PTR.

So basically a null-PTR (null pointer dereference) is a type of error that causes a SIGSEGV (segmentation fault) in the program; it usually happens when a program or binary tries to read from or write to memory through a NULL pointer.

I went ahead and reported this to GNOME, because evince is one of their assets. The team says "The issue is in Poppler, the library used by Evince to render PDF". Arggh! So stupid of me: I thought `` was one of the shared objects in evince, but didn't know that poppler is a PDF rendering library that comes by default with most PDF readers in Linux distributions, and that there is a standalone repo out there for poppler.

Also, the GNOME evince team says "it seems it has already been addressed. See, Nevertheless, if the issue is still present, please file a bug in"

Okay, no worries, I still went ahead and filed a bug in poppler, but the team over there asked which poppler version I was using. It was version 0.62.0-2ubuntu2.2, and they said the issue is already fixed in poppler version 0.70. After I read this, I was like....

Pheww! Does that mean my three days of fuzzing just went to 0, or am I actually missing something here?

I went back to the stack trace, read it again, and also checked whether I was fuzzing the latest build of the binary. For sure I was fuzzing the latest build of evince, but not of poppler. Hmmmmmm! I knew my fuzzing system was fully updated, but just to cross-check I did a full apt-get update and upgrade; my poppler version remained 0.62.0-2ubuntu2.2 the whole time. Strange.

I needed guidance here and didn't know what to do next, so I contacted MITRE about this and went for a nap. They suggested: "That a fuzzing result showing a very important vulnerability in a package currently shipped by a major Linux distribution is still of interest, even if that Linux distribution does not package the latest released upstream version. For example, an out-of-bounds write finding is still very useful in that case, but not out-of-bounds read, NULL pointer dereference, divide-by-zero, etc."

Ohhh, I see: so the latest version of poppler is still not shipped by most of the Linux distributions out there. Now I understood the entire concept. Later MITRE also helped me by assigning a CVE to this issue, CVE-2018-19149: Poppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment.

An upstream bug is filed in Ubuntu Launchpad to track this issue.

PS: It's not about collecting CVEs. A CVE is just a reference number for an issue that you can point to when you showcase a vulnerability somewhere, rather than pointing to various posts. (Personal opinion.)

Lessons learned from this:
1. I didn't know poppler is a library used by evince and other PDF readers to render PDFs.
2. I understood how to create a malformed PDF to provide as input to AFL while fuzzing.
3. The reply from MITRE helped me resolve my query.
4. During all this, I also got my hands on honggfuzz.

Hope you like the read; view this on the oss-security mailing list.

Thank you

Tuesday, 6 November 2018

Fuzzing IEC 61850 protocol - CVE-2018-18957

Hi Internet,

Summary: While fuzzing (I used AFL for this), a stack-based buffer overflow was found in libIEC61850 (the open-source library for the IEC 61850 protocols) in prepareGooseBuffer in goose/goose_publisher.c and /linux/ethernet_linux.c.

Steps to reproduce:
$ ./goose_publisher_example crash_goosecr_stack_smash_overflow_aaaaaaaaa
Using interface crash_goosecr_stack_smash_overflow_aaaaaaaaa
*** stack smashing detected ***:  terminated
File: crash_goosecr_stack_smash_overflow_aaaaaaaaa

(gdb) run crash_goosecr_stack_smash_overflow_aaaaaaaaa
Starting program:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
Using interface crash_goosecr_stack_smash_overflow_aaaaaaaaa
*** stack smashing detected ***:  terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@...ry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51    ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@...ry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7805801 in __GI_abort () at abort.c:79
#2  0x00007ffff784e897 in __libc_message (action=action@...ry=do_abort,
fmt=fmt@...ry=0x7ffff797b988 "*** %s ***: %s terminated\n")
    at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff78f9cd1 in __GI___fortify_fail_abort
    msg=msg@...ry=0x7ffff797b966 "stack smashing detected") at
#4  0x00007ffff78f9c92 in __stack_chk_fail () at stack_chk_fail.c:29
#5  0x000055555555a211 in Ethernet_getInterfaceMACAddress
(interfaceId=0x7fffffffdeee "crash_goosecr_stack_smash_overflow_aaaaaaaaa",
    addr=0x7fffffffd91c "k_smas\377\377") at
#6  0x00005555555594ee in prepareGooseBuffer (self=0x5555557637d0,
"crash_goosecr_stack_smash_overflow_aaaaaaaaa") at
#7  0x0000555555559293 in GoosePublisher_create (parameters=0x7fffffffd9ac,
"crash_goosecr_stack_smash_overflow_aaaaaaaaa") at
#8  0x0000555555555387 in main (argc=2, argv=0x7fffffffdaa8) at
(gdb) i r
rax            0x0    0
rbx            0x7fffffffd6b0    140737488344752
rcx            0x7ffff7803e97    140737345765015
rdx            0x0    0
rsi            0x7fffffffd410    140737488344080
rdi            0x2    2
rbp            0x7fffffffd840    0x7fffffffd840
rsp            0x7fffffffd410    0x7fffffffd410
r8             0x0    0
r9             0x7fffffffd410    140737488344080
r10            0x8    8
r11            0x246    582
r12            0x7fffffffd6b0    140737488344752
r13            0x1000    4096
r14            0x0    0
r15            0x30    48
rip            0x7ffff7803e97    0x7ffff7803e97 <__gi_raise>
eflags         0x246    [ PF ZF IF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
Snip: src/goose/goose_publisher.c (GoosePublisher_create)
    GoosePublisher self = (GoosePublisher) GLOBAL_CALLOC(1, sizeof(struct sGoosePublisher));
    prepareGooseBuffer(self, parameters, interfaceID);
    self->timestamp = MmsValue_newUtcTimeByMsTime(Hal_getTimeInMs());
    return self;
Snip: src/goose/goose_publisher.c (prepareGooseBuffer)
    if (interfaceID != NULL)
        Ethernet_getInterfaceMACAddress(interfaceID, srcAddr);
    else
        Ethernet_getInterfaceMACAddress(CONFIG_ETHERNET_INTERFACE_ID, srcAddr);
Snip: /linux/ethernet_linux.c (Ethernet_getInterfaceMACAddress)
    strcpy(buffer.ifr_name, interfaceId);
Later CVE-2018-18957 was assigned to this issue. Read this on oss-security.

Thank you

Thursday, 18 October 2018

Porting CVE-2018-8120 to an MSF module

Hi Internet,

I have added support for CVE-2018-8120 to an MSF module; before porting this to MSF I read through the analysis of the issue.

After reading the blog post by xiaodaozhi, I understood that CVE-2018-8120 happens because of a null pointer dereference in the win32k kernel module. On its own this would lead to a BSOD on vulnerable systems; however, the exploit code was written in such a fashion that it overwrites a function pointer present in kernel mode, which achieves escalation of privilege on the remote or your local system.

It took me a while to port this to an MSF module. I would also like to thank the MSF team for their reviews during that time; at last this was successfully ported and landed!

The path for this module is `exploit/windows/local/ms18_8120_win32k_privsec.rb`; view this in action. (Sweeeeeeet!)
This module was tested against Windows 7 x64 and x86 based systems and Windows Server 2008 R2 x64. However, this vulnerability impacts the following software versions or editions.

Thank you

Saturday, 29 September 2018

Telegram anonymity fails in desktop - CVE-2018-17780

Hi Internet,

Summary: Strangely, tdesktop 1.3.14 and Telegram for Windows (WP8.1) leak the end user's private and public IP address while making calls. This bug was awarded €2000 by the Telegram security team. (Sweeet..)
Telegram is supposedly a secure messaging application, but it forces clients to use only a P2P connection when initiating a call; this setting can be changed from "Settings > Privacy and security > Calls > peer-to-peer" to the other available options. tdesktop and Telegram for Windows break this trust by leaking the public/private IP address of the end user, and there was no option yet for setting "P2P > nobody" in tdesktop and Telegram for Windows.

PS: Even Telegram for Android will also leak your IP address if you have not set "Settings > Privacy and security > Calls > peer-to-peer > nobody" (but the peer-to-peer setting for calls already exists in Telegram for Android).

To view this in action in tdesktop:
1. Open tdesktop,
2. Initiate a call to anyone,
3. You will notice the end user's IP address is leaked.

Other scenario:
1. Open tdesktop in Ubuntu and login with user A
2. Open telegram in windows phone login with user B
3. Let user B initiate the call to user A
4. User A's access log will have the public/private IP address of user B.
Not only does the MTProto Mobile Protocol fail here in covering the IP address; such information can also be used for OSINT. This issue was fixed in 1.3.17 beta and v1.4.0, which have an option for setting your "P2P to Nobody/My contacts". Later CVE-2018-17780 was assigned to this vulnerability.


Thursday, 27 September 2018

Telegram uses SOCKS5 to share user/creds

Hi Internet,

Summary: Telegram is supposedly a secure messaging application, but it uses SOCKS5 to transmit user credentials; neither traffic nor credentials are encrypted in the SOCKS5 protocol, but this is how the SOCKS protocol works (see the protocol specification; SOCKS5 carries passwords in cleartext). The Telegram team is aware of this and says it is working as intended.

Product affected: tdesktop 1.3.16 alpha, Browser Info: Firefox 62.0 (64 bit), Tested on: Ubuntu 18.04 LTS x64

Steps to reproduce the issue:
1. Open tdesktop
2. Go to Settings > Advanced Settings > Connection type
3. Open "Proxy Settings" check "Use proxy"
4. Put some random Hostname, Port, Username and Password
5. tdesktop tries to connect; while it connects, click on the line made of 3 small dots (on the right-hand side)
6. Click share; the link gets copied.

Example Link: 

The link which gets generated has the password in plaintext. SOCKS5 is a transport protocol and by itself it is not encrypted; requests transmitting such credentials in plain text are considered bad security practice.

However, although the URL generated by Telegram is HTTPS, URI producers should not provide a URI that contains a username or password that is intended to be secret. URIs are frequently displayed by browsers, stored in clear-text bookmarks, and logged by user agent history and intermediary applications (proxies).

Read this on the oss-sec list. Later CVE-2018-17613 was assigned to this issue.


Sunday, 16 September 2018

The Secrets of Tez

Hi Internet,

Summary: The Google Pay (Tez) app leaks end users' email addresses; this issue was marked WONTFIX by Google.

You might be aware of different techniques for extracting emails from LinkedIn; similarly, the Tez app allows you to do so.

Steps to reproduce:
1. Open Tez,
2. Click on New,
3. You will see "Google Pay Connections",
4. Click on any one contact.
5. Their respective email address will be displayed.

In this case, I never had the email of "Ajay", I just had his contact saved. In the same fashion, I can view the email address of all the people in my contacts if they are on Tez. It is not necessary to initiate a payment to get his/her email; you can simply view it (if the user is already added in contacts).

This issue was submitted to Google but was marked WONTFIX; Google says "Thanks for report! We think the issue might not be severe enough for us to track it as a security bug."

This is not such a great bug, but such data can be used in OSINT to perform a targeted attack on a victim. Hope you like the read.


Monday, 3 September 2018

An untold story of skype by microsoft

Hi Internet,

Summary: It was observed that Skype has a malloc(): memory corruption bug when you share media/files with someone during a call.

Tested on: Linux zero 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux (Ubuntu 18.04 LTS)
Product affected: Skype for linux (skypeforlinux_8.27.0.85_amd64.deb)

Steps to reproduce this issue:
1. Open Skype
2. Call anyone
3. During the call try sharing the media or files to the same person
4. Skype crashes.

While on a call with one of my colleagues, I tried sharing a file, which froze my Skype and then crashed it. Moving further, I tried to debug it with `gdb`, and this is what I got.
$ *** Error in `/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896': malloc(): memory corruption: 0x000000000641ff80 ***
======= Backtrace: =========
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(malloc+0x1c)[0x47cc34c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x4e3b90b]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN11file_dialog14ShowOpenDialogERKNS_14DialogSettingsERKN4base8CallbackIFvbRKSt6vectorINS3_8FilePathESaIS6_EEELNS3_8internal8CopyModeE1ELNSC_10RepeatModeE1EEE+0x2d)[0x4e3be3d]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN4atom15WebDialogHelper14RunFileChooserEPN7content15RenderFrameHostERKNS1_17FileChooserParamsE+0x33c)[0x4e4d90c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c9b4]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c858]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d86c2f]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x2347525]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x48001eb]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47ed9db]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47edcf8]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47ee0d1]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47c4159]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47affc0]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1bfef9e]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1bfed9e]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d65ead]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1e67b93]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1a4c63c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x19e6d0d]
7fb4f162b000-7fb4f1a2c000 rw-s 00000000 00:1a 85                         /dev/shm/.org.chromium.Chromium.6d3WFD (deleted)
7fb4f1a2c000-7fb4f1a6c000 rw-s 00000000 00:1a 83                         /dev/shm/.org.chromium.Chromium.IjR5gj (deleted)
7fb4f1a6c000-7fb4f1aac000 rw-s 00000000 00:1a 88                         /dev/shm/.org.chromium.Chromium.cG4AwK (deleted)
7fb4f1aac000-7fb4f1aec000 rw-s 00000000 00:1a 77                         /dev/shm/.org.chromium.Chromium.StnttE (deleted)
7fb4f1aec000-7fb4f1b2c000 rw-s 00000000 00:1a 71                         /dev/shm/.org.chromium.Chromium.xRFG4j (deleted)
7fb4f1b2c000-7fb4f1b2d000 ---p 00000000 00:00 0 
7fb4f1b2d000-7fb4f25f5000 rw-p 00000000 00:00 0 
7fb4f25f5000-7fb4f25f6000 ---p 00000000 00:00 0 
7fb4f25f6000-7fb4f2df6000 rw-p 00000000 00:00 0 
7fb4f2df6000-7fb4f2dfb000 r-xp 00000000 07:0b 2287                       /snap/core/5328/lib/x86_64-linux-gnu/
7fb4f2dfb000-7fb4f2ffb000 ---p 00005000 07:0b 2287                       /snap/core/5328/lib/x86_64-linux-gnu/
7fb4f2ffb000-7fb4f2ffc000 r--p 00005000 07:0b 2287                       /snap/core/5328/lib/x86_64-linux-gnu/
7fb4f2ffc000-7fb4f2ffd000 rw-p 00006000 07:0b 2287                       /snap/core/5328/lib/x86_64-linux-gnu/
7fb4f2ffd000-7fb4f2ffe000 ---p 00000000 00:00 0 
7fb4f2ffe000-7fb4f37fe000 rw-p 00000000 00:00 0 
7fb4f37fe000-7fb4f37ff000 ---p 00000000 00:00 0 
7fb4f37ff000-7fb4f3fff000 rw-p 00000000 00:00 0 
7fb4f3fff000-7fb4f8000000 rw-s 00000000 00:1a 7                          /dev/shm/pulse-shm-796608596
7fb4f8000000-7fb4f8083000 rw-p 00000000 00:00 0 
7fb4f8083000-7fb4fc000000 ---p 00000000 00:00 0 
7fb4fc000000-7fb4fc021000 rw-p 00000000 00:00 0 
7fb4fc021000-7fb500000000 ---p 00000000 00:00 0 
7fb500000000-7fb500021000 rw-p 00000000 00:00 0 
7fb500021000-7fb504000000 ---p 00000000 00:00 0 
7fb504000000-7fb504021000 rw-p 00000000 00:00 0 
7fb504021000-7fb508000000 ---p 00000000 00:00 0 
7fb508000000-7fb508021000 rw-p 00000000 00:00 0 
7fb508021000-7fb50c000000 ---p 00000000 00:00 0 
7fb50c000000-7fb50c30a000 rw-p 00000000 00:00 0 
7fb50c30a000-7fb510000000 ---p 00000000 00:00 0 
7fb510000000-7fb510028000 rw-p 00000000 00:00 0 
7fb510028000-7fb514000000 ---p 00000000 00:00 0 
7fb514000000-7fb514008000 rw-s 00000000 00:1a 187                        /dev/shm/.org.chromium.Chromium.wp000v (deleted)
7fb514008000-7fb514048000 rw-s 00000000 00:1a 68                         /dev/shm/.org.chromium.Chromium.kV2UFZ (deleted)
7fb514048000-7fb514088000 rw-s 00000000 00:1a 87                         /dev/shm/.org.chromium.Chromium.JUxFl8 (deleted)
7fb514088000-7fb5140c8000 rw-s 00000000 00:1a 65                         /dev/shm/.org.chromium.Chromium.476qSk (deleted)
7fb5140c8000-7fb514108000 rw-s 00000000 00:1a 96                         /dev/shm/.org.chromium.Chromium.1d878F (deleted)
7fb514108000-7fb514148000 rw-s 00000000 00:1a 86                         /dev/shm/.org.chromium.Chromium.IHmLaw (deleted)
7fb514148000-7fb51414a000 r-xp 00000000 08:01 8917743                    /lib/x86_64-linux-gnu/
7fb51414a000-7fb514349000 ---p 00002000 08:01 8917743                    /lib/x86_64-linux-gnu/libnss_mdns4_mini

Cool, so when I read the backtrace, I understood that this might be a memory corruption in `malloc()`.

So basically, the memory allocator hands out pages of memory at once for the program's use and gives you a pointer within them. The file I was trying to share may have been larger than Skype could handle during the call (PS: in this case I was just sharing a jpg file of 800kB). If a program allocates a block and then keeps writing past the end of that allocated space, it ends up writing into memory it does not own, which can corrupt the heap.
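The pattern described above, as an added example that is my own code and not Skype's: a heap buffer that only ever writes inside the bytes it actually allocated, grows with overflow-checked arithmetic, and refuses input beyond a ceiling. CHUNK_BUF_MAX is an assumed policy limit and the 800 kB payload is constructed for the demonstration.

```c
/* Added example (not Skype's code): a growable heap buffer whose append
 * never writes past the bytes it owns. CHUNK_BUF_MAX is an assumed ceiling;
 * the payload in demo_share_file() is constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *data;
    size_t   len;   /* bytes written so far */
    size_t   cap;   /* bytes actually allocated */
} chunk_buf;

#define CHUNK_BUF_MAX (16u * 1024u * 1024u)   /* assumed: refuse runaway senders */

int chunk_buf_init(chunk_buf *b) {
    b->cap = 1024;
    b->len = 0;
    b->data = malloc(b->cap);
    return b->data ? 0 : -1;
}

/* Returns 0 on success, -1 if the append cannot be made to fit.
 * Every arithmetic step is checked before memcpy touches the heap. */
int chunk_buf_append(chunk_buf *b, const uint8_t *src, size_t n) {
    if (n > SIZE_MAX - b->len) return -1;          /* len + n would wrap */
    size_t need = b->len + n;
    if (need > CHUNK_BUF_MAX) return -1;           /* over the policy ceiling */
    if (need > b->cap) {
        size_t new_cap = b->cap;
        while (new_cap < need) {
            if (new_cap > CHUNK_BUF_MAX / 2) { new_cap = CHUNK_BUF_MAX; break; }
            new_cap *= 2;
        }
        uint8_t *p = realloc(b->data, new_cap);
        if (!p) return -1;
        b->data = p;
        b->cap = new_cap;
    }
    memcpy(b->data + b->len, src, n);              /* stays inside [data, data+cap) */
    b->len = need;
    return 0;
}

void chunk_buf_free(chunk_buf *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Feed a constructed 800 kB payload in 4 kB chunks; returns bytes stored. */
size_t demo_share_file(void) {
    chunk_buf b;
    if (chunk_buf_init(&b) != 0) return 0;
    uint8_t chunk[4096];
    memset(chunk, 0xAB, sizeof chunk);
    size_t total = 800u * 1024u;
    for (size_t sent = 0; sent < total; sent += sizeof chunk) {
        if (chunk_buf_append(&b, chunk, sizeof chunk) != 0) { chunk_buf_free(&b); return 0; }
    }
    size_t got = b.len;
    chunk_buf_free(&b);
    return got;
}

/* Returns 1 when both impossible appends are refused and nothing was written. */
int demo_rejects_oversize(void) {
    chunk_buf b;
    uint8_t one = 1;
    if (chunk_buf_init(&b) != 0) return 0;
    int ok = chunk_buf_append(&b, &one, 1) == 0
          && chunk_buf_append(&b, &one, SIZE_MAX) == -1       /* len + n wraps */
          && chunk_buf_append(&b, &one, CHUNK_BUF_MAX) == -1  /* 1 + ceiling */
          && b.len == 1;
    chunk_buf_free(&b);
    return ok;
}
```

The two failure checks in chunk_buf_append are the part that matters: the first catches the size_t wrap that would otherwise make `need` small, the second keeps a peer from growing the allocation without bound.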

Being a fan of responsible disclosure, I submitted this to Microsoft on 8 August 2018, but MS says "Upon investigation, we have determined that this submission does not meet the bar for security servicing" 🤦

Okay, but I passed this message on to the Skype team on Twitter, and they looked into it!
At last, this was patched in Skype version on Linux.


Thursday, 9 August 2018

A bug that affects million users - Kaspersky VPN

Hi Internet,

The issue exists in Kaspersky VPN <=v1.4.0.216, which leaks your DNS address even after you're connected to any virtual server. (Tested on Android 8.1.0)

What is a DNS leak?
In this context, a "DNS leak" means an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.

Kaspersky VPN is one of the most trusted VPNs, with 1,000,000+ downloads on the Android market; however, it was observed that even when connected to any random virtual server it still leaks your actual DNS address. This issue was reported to Kaspersky via HackerOne.

Steps to reproduce:
1. Visit IPleak (note your actual DNS address).
2. Now connect to any random virtual server using Kaspersky VPN.
3. Once you are successfully connected, navigate to IPleak again; you will observe that the DNS address still remains the same.

I believe this leaks the traces of an end user who wants to remain anonymous on the internet. I reported this vulnerability on Apr 21st (4 months ago) via H1, and a fix was pushed for the same, but no bounty was awarded.

“Kaspersky Lab would like to thank Dhiraj Mishra for discovering a vulnerability in the Android-based Kaspersky Secure Connection app, which allowed a DNS service to log the domain names of the sites visited by users. This vulnerability was responsibly reported by the researcher, and was fixed in June.

The Kaspersky Secure Connection app is currently out of the scope of the company’s Bug Bounty Program, so we could not reward Dhiraj under the current rules. We highly appreciate his work, and in the future the program may include new products. As stated in Kaspersky Lab’s Bug Bounty Program rules, bounties are currently paid for two major products: Kaspersky Internet Security and Kaspersky Endpoint Security. The company is ready to pay up to $20,000 for the discovery of some bugs in these products, and up to $100,000 for the most severe.”

However, this was featured on TheRegister and BleepingComputer.


Friday, 1 June 2018

WebKit crashes when pageURL is unset - CVE-2018-11646

Hi Internet,

webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in Safari Technology Preview Release 57, mishandles an unset pageURL, leading to an application crash.

// PoC as reconstructed from the garbled original; the second URL was elided on the page
win = window.open("sleep_one_second.php", "WIN");
window.open("", "WIN");
win.document.write("Spoofed URL");

After the patch of CVE-2018-11396 in the Epiphany web browser, the browser was still crashing with the PoC using the above JS. Unfortunately the gdb crash made it impossible to get a full trace, so it was hard to know for sure whether this was an Epiphany bug or a WebKit bug, and the Epiphany team started investigating the same.

Below is the backtrace using Fedora 27.
#0 WTF::StringImpl::rawHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508
#1 WTF::StringImpl::hasHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514
#2 WTF::StringImpl::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525
#3 WTF::StringHash::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73
#9 WTF::HashMap, WTF::HashTraits >::get
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406
#10 webkitFaviconDatabaseSetIconURLForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193
#11 webkitFaviconDatabaseSetIconForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318
#12 webkitWebViewSetIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964
#13 WTF::Function::performCallbackWithReturnValue
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108
#15 WebKit::WebPageProxy::dataCallback
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083
#16 WebKit::WebPageProxy::finishedLoadingIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848
#17 IPC::callMemberFunctionImpl::operator()
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68
#29 WTF::RunLoop::::_FUN(gpointer)
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70
#30 g_main_dispatch
at gmain.c line 3148
#31 g_main_context_dispatch
at gmain.c line 3813
#32 g_main_context_iterate
at gmain.c line 3886
#33 g_main_context_iteration
at gmain.c line 3947
#34 g_application_run
at gapplication.c line 2401
#35 main
at ../src/ephy-main.c line 432 
Two similar reproducers triggered two different crashes. We concluded that this crash is in WebKit (crash in WebKitFaviconDatabase when pageURL is unset); a bug was filed for the same and CVE-2018-11646 was assigned to this issue.
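The backtrace ends in WTF::StringImpl::rawHash, i.e. the favicon database hashed a page URL that was never set. As an added illustration (my own code, not WebKit's or Epiphany's, and not the fix that landed in WebKit), here is a small favicon cache whose set/get entry points validate the page URL before it reaches the hash function; the djb2 hash, table size, and function names are my choices.

```c
/* Added example, not WebKit's code: a favicon cache keyed by page URL that
 * refuses an unset (NULL or empty) key before hashing it. Hash function,
 * table layout and names are assumptions made for this illustration. */
#include <stdlib.h>
#include <string.h>

#define FAVICON_SLOTS 64

typedef struct {
    char *page_url;
    char *icon_url;
} favicon_entry;

typedef struct {
    favicon_entry slots[FAVICON_SLOTS];   /* open addressing, linear probe */
} favicon_db;

/* djb2; dereferences its argument, so callers must never hand it NULL. */
static unsigned long hash_str(const char *s) {
    unsigned long h = 5381;
    for (; *s; s++) h = h * 33 + (unsigned char)*s;
    return h;
}

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* 0 on success, -1 when pageURL or iconURL is unset, -2 when the table is full. */
int favicon_db_set(favicon_db *db, const char *page_url, const char *icon_url) {
    if (page_url == NULL || page_url[0] == '\0') return -1;   /* the missing guard */
    if (icon_url == NULL) return -1;
    unsigned long start = hash_str(page_url) % FAVICON_SLOTS;
    for (unsigned i = 0; i < FAVICON_SLOTS; i++) {
        favicon_entry *e = &db->slots[(start + i) % FAVICON_SLOTS];
        if (e->page_url == NULL || strcmp(e->page_url, page_url) == 0) {
            free(e->page_url);
            free(e->icon_url);
            e->page_url = dup_str(page_url);
            e->icon_url = dup_str(icon_url);
            return (e->page_url && e->icon_url) ? 0 : -2;
        }
    }
    return -2;
}

/* Icon URL for a page, or NULL when absent or when the key is unset. */
const char *favicon_db_get(const favicon_db *db, const char *page_url) {
    if (page_url == NULL || page_url[0] == '\0') return NULL;
    unsigned long start = hash_str(page_url) % FAVICON_SLOTS;
    for (unsigned i = 0; i < FAVICON_SLOTS; i++) {
        const favicon_entry *e = &db->slots[(start + i) % FAVICON_SLOTS];
        if (e->page_url == NULL) return NULL;
        if (strcmp(e->page_url, page_url) == 0) return e->icon_url;
    }
    return NULL;
}

void favicon_db_clear(favicon_db *db) {
    for (unsigned i = 0; i < FAVICON_SLOTS; i++) {
        free(db->slots[i].page_url);
        free(db->slots[i].icon_url);
        db->slots[i].page_url = db->slots[i].icon_url = NULL;
    }
}

/* Returns 1 when unset keys are refused and a valid entry round-trips. */
int demo_favicon_guard(void) {
    favicon_db db;
    memset(&db, 0, sizeof db);
    const char *page = "https://example.com/";               /* constructed */
    const char *icon = "https://example.com/favicon.ico";    /* constructed */
    int ok = favicon_db_set(&db, NULL, icon) == -1
          && favicon_db_set(&db, "", icon) == -1
          && favicon_db_set(&db, page, icon) == 0
          && favicon_db_get(&db, page) != NULL
          && strcmp(favicon_db_get(&db, page), icon) == 0
          && favicon_db_get(&db, NULL) == NULL;
    favicon_db_clear(&db);
    return ok;
}
```

The point is where the check sits: at the public entry points, so an internal helper such as hash_str can keep the precondition that its input is a real string.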

A shoutout to Zubin and Hardik (Teamw00t); we work together to find security bugs. Hope you like the read.

Dhiraj (Teamw00t)

Monday, 28 May 2018

Abusing IVR Systems - Legacy Telecom [CVE-2018-11518]

Hi Internet,

CVE-2018-11518, (Everything old, is new again.)
A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them to activate services or to get sensitive information.

PS: This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece).
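The mitigation sketched in the PS, as an added example that is not HCL's IVR code: a toy DTMF activation handler where the legacy mode accepts a fixed, predictable digit sequence (so a recording of it replays), and the hardened mode binds activation to a one-time nonce spoken to the caller's earpiece. The service code `*21*`, the nonce length, and the seeded generator standing in for a real RNG are my assumptions.

```c
/* Added example, not HCL's IVR code: DTMF activation in two modes.
 * Legacy: fixed sequence "*21*#" activates, so a recording replays.
 * Hardened: the IVR speaks a one-time nonce; activation must echo it.
 * Service code, nonce length and the LCG "RNG" are assumptions. */
#include <stdio.h>
#include <string.h>

#define NONCE_DIGITS 6

typedef struct {
    int  require_nonce;             /* 0 = legacy behaviour, 1 = hardened */
    char nonce[NONCE_DIGITS + 1];   /* what the IVR spoke to the caller */
    int  nonce_live;                /* valid for exactly one attempt */
} ivr_session;

static const char ACTIVATE_PREFIX[] = "*21*";   /* assumed service code */

/* Issue a fresh challenge; 'seed' stands in for a real RNG here. */
void ivr_issue_nonce(ivr_session *s, unsigned seed) {
    for (int i = 0; i < NONCE_DIGITS; i++) {
        seed = seed * 1103515245u + 12345u;     /* illustration only, not a CSPRNG */
        s->nonce[i] = (char)('0' + (seed >> 16) % 10);
    }
    s->nonce[NONCE_DIGITS] = '\0';
    s->nonce_live = 1;
}

/* Returns 1 if the digit string activates the service, 0 otherwise. */
int ivr_handle_digits(ivr_session *s, const char *digits) {
    size_t plen = strlen(ACTIVATE_PREFIX);
    if (strncmp(digits, ACTIVATE_PREFIX, plen) != 0) return 0;
    const char *rest = digits + plen;
    if (!s->require_nonce)
        return strcmp(rest, "#") == 0;          /* predictable, hence replayable */
    /* hardened: expect "<nonce>#", and burn the nonce whether or not it matched */
    if (!s->nonce_live) return 0;
    s->nonce_live = 0;
    size_t nlen = strlen(s->nonce);
    if (strncmp(rest, s->nonce, nlen) != 0) return 0;
    return strcmp(rest + nlen, "#") == 0;
}

/* Returns 1 when the legacy sequence replays but the nonce-bound one does not. */
int demo_replay(void) {
    ivr_session legacy = {0, "", 0};
    ivr_session hard   = {1, "", 0};
    char recorded[32];
    if (ivr_handle_digits(&legacy, "*21*#") != 1) return 0;   /* genuine caller */
    if (ivr_handle_digits(&legacy, "*21*#") != 1) return 0;   /* replayed recording accepted */
    if (ivr_handle_digits(&hard, "*21*#") != 0) return 0;     /* no challenge issued yet */
    ivr_issue_nonce(&hard, 1);
    snprintf(recorded, sizeof recorded, "*21*%s#", hard.nonce);
    if (ivr_handle_digits(&hard, recorded) != 1) return 0;    /* genuine caller echoes nonce */
    if (ivr_handle_digits(&hard, recorded) != 0) return 0;    /* same digits again: burned */
    ivr_issue_nonce(&hard, 2);
    if (ivr_handle_digits(&hard, recorded) != 0) return 0;    /* recording from the earlier call */
    return 1;
}
```

Burning the nonce on every attempt, not only on success, is deliberate: it keeps a wrong guess from leaving the challenge open for a second try within the same call.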

Video PoC: Phreak Attack


Saturday, 28 April 2018

Facebook, Friend or Evil ?

Hi Internet,

During checkout from Faasos, I observed that there are several requests going to Facebook which carry your Faasos details without the user's consent. Facebook closed my report saying "Unfortunately what you have described is not currently covered by this program, We will follow up with you regarding any questions we may have." (Data Abuse BBP).
So, let's get started.
You will be aware of the "Cambridge Analytica" case of Facebook, after which Facebook launched the "Data Abuse Bounty Program" on 9th April 2018.

Well, we are all aware that we have been tracked for years! Whatever we search for on the Internet, no matter what it is, within a day or a few hours it will show up in your suggestions or on an advertisement banner.

This is the most recent example : Google is always listening: Live Test

I really love eating veg wraps from Faasos, and it was a normal day when I checked out and ordered a few of them; however, I have a very bad habit of capturing packets.

What I observed was that there were a few `GET` & `POST` requests to Facebook as well in between the Faasos checkout; at that time I didn't pay much attention to it. The same day, I created a test account on Faasos to dig more, clicked on some random wraps, went till checkout, and guess what, I was still able to see those Facebook requests.

I cleared all my history, cookies etc. for the entire day and thought of doing it again. All the requests, from login to Faasos to browsing your items in it, go only to `*` based assets, but as soon as you press checkout a `GET` request goes to Facebook which carries my juicy Faasos information, including my ordering details. (Strange) Apart from that, I started getting suggestions on my Facebook wall regarding Faasos.

Okay, then I thought of reporting it to Facebook under the Data Abuse Bounty Program, and we had a long discussion about this; they (Facebook Security Team) also told me to connect with the Faasos security team, and I did the same.

However, the Faasos security team is not very active, but they finally replied to me after 4-5 days saying
"Hey Dhiraj, This tool helps us understand customer better and show them more appropriate adverts."

I asked them specifically about the tool, where it is deployed and what all it collects - no reply yet. That's bad; I "personally" feel Faasos has been a data broker over here. While collecting such info Faasos doesn't even take the user's consent. I have seen many applications which take the user's consent for such things.
And they also offer you to opt out from being tracked. Pheewww! Now I understand how all these things work!
That gives a lot more understanding of my bug as well; specifically, look at the above video from 3.47.25 to 3.51.40 mins.

On the safer side, I would suggest you enable "Do Not Track Me" in your browser.
Video PoC of my bug: Facebook Tracking PoC via Faasos. I hope you like the read. Tweet me your views @mishradhiraj_


Wednesday, 14 March 2018

Information Leakage Through Child Tab - Mozilla

Hi Internet,

This bug was marked as RESOLVED and WONTFIX by the Mozilla team, but it was a good finding and learning for me; hope you enjoy the read.
PS: The below issue also works when you are in "Incognito Mode/Private Browsing".
You just need to press SHIFT+CTRL+N to restore your session, even if you have closed your child tab in the Mozilla browser. I may not be able to explain it well, but here is what I got.

Take an application that has services which open in a child tab (using auth): once the user performs his/her activity and logs out of the session or closes the child tab, pressing SHIFT+CTRL+N still opens up the same child tab with the information that was fed by the above user, without asking for any user creds.

Example 1:
1. Login to
2. Navigate to Layout
3. Edit any gadget from it (it opens up a child tab)
4. Close the child tab and log out from Gmail
5. Press SHIFT+CTRL+N; you will be able to see the above child tab

Impact and Assumption:
Information leakage; let's suppose a scenario where the user feeds his/her credit card details or such in the child tab. I am not sure whether something like this should happen by pressing SHIFT+CTRL+N, or whether it is working as intended.

Mozilla says:
We allow you to undo close tab in private browsing, so undo'ing closing a window seems straightforward as something we will want to continue doing. Certainly I don't think this is a security issue that needs to stay hidden. The website could defend against this type of thing by checking login state when a page loads.

But I browsed to many famous services offered over the Internet and this works perfectly there: the application directly allows you to restore your session from where you left. Obviously we can't perform any dynamic activity, but we can view data.

Example 2:
This is one of the well-known banks in India which allows users to do netbanking but opens the login portal in a child tab.
I logged in as a genuine user, performed my activity and closed my child tab; henceforth just press SHIFT+CTRL+N and your session will be restored.

Now, this bank uses only the POST method, so when I pressed SHIFT+CTRL+N it gave me an HTTP method error; I just went to the network tab and sent the request again with the POST method, and guess what, it gave me 200 OK and the response was shown perfectly from where I left.

Here is an example javascript which opens Facebook in a child tab.


Monday, 5 March 2018

Thankyou McDonald for free cookies

Hi Internet,

Pwning McDonald's in 3 steps and getting access to 5000+ usernames and passwords of McDonald's users. Hope you like the read..


Well, finding this bug was not a pain; it was simple, and if you are not aware, is under a bug bounty program.

Lets Get Started :
As usual I started with sub-domain enumeration, where I got a subdomain ( which was not hosting any services for customers. Moving further, I ran dirsearch on the same and got 200 OK @ ( (looks like some kind of backup for McDelivery).

Okay so, extracting the tar file made me conclude it's actually a backup of McDelivery which consists of many things such as their DB, website backups and much other juicy information. (Still I feel there must be something more...)

Lets Do Some Old School Tricks :
Why not simply do a keyword search in the entire dump using grep?
Then come the results: there were multiple files matching the keyword "password", but there was an Excel sheet as well which I couldn't find during my manual search (GUI based).
The Excel file had a ~ (tilde) symbol after the extension; obviously askubuntu has an answer for this. Anyway, guess what, the Excel sheet had usernames, email IDs and passwords!!!
and the count goes on .....

Big deal, huh!

Quick Flash :
25th February 2018: Informed McDonald's
26th February 2018: McDonald's Acknowledged 
28th February 2018: Reminder sent to McDonald's
28th February 2018: McDonald's Escalated Internally
28th February 2018: Issue Resolved


Wednesday, 7 February 2018

SOP Bypass using rel="noreferrer"

Hi Internet,

A bug that affects "millions of people". This bug was marked as DUPLICATE and RESOLVED by the Mozilla team, but it was a good finding and learning for us (Robin Divino and me); hope you enjoy the read.


By default, any website passes the whole URL to any external domain (untrusted third-party domains) when a request crosses between two domains, meaning that if the user clicks an external link to a specific website, the whole URL is passed in the request header as part of what we call the Referer header.

But many website URL parameter values contain sensitive user information/data such as password reset tokens, OAuth tokens, email addresses and many more; therefore website owners use what we call the rel attribute in the HTML code with the value noreferrer to avoid leaking sensitive data to external domains.

However, we found that Firefox Quantum seems to ignore the rel="noreferrer" attribute of an <a> tag, which puts Quantum users at risk.

For example:

The HackerOne application ( is strict when it comes to information sharing, because they do not allow anyone from third-party domains to have access to HackerOne users' information; because of that, the HackerOne footer Twitter external link contains the following code:

<a class="footer-nav-item-link icon-share-twitter" href="" target="_blank" rel="noreferrer noopener"></a>

When we click on the external Twitter link and capture the request, the request header still contains a Referer header that carries the full URL.

Steps To Reproduce:

1. Find any website page that contains an external link (e.g. Twitter, Facebook, etc.); most external links will be found in the footer as part of their social links.

2. Make sure that the external link you found has a rel="noreferrer" attribute on its <a> tag, similar to what I mentioned above in the case of the HackerOne footer.

3. Click the external link and capture the request using Burp Suite.

4. Observe that the request header still has a Referer header despite the website owner putting rel="noreferrer" on the <a> tag that contains the hyperlink to external domains.


Massive information leakage of FF users without their knowledge :(



Monday, 5 February 2018

Integer Underflow to RCE in Firefox

Hi Internet,

A $750 bug :P Let's get started.

When an arithmetic result falls below the minimum value the signed or unsigned integer type can hold, it wraps around; this is called an integer underflow, and using the wrapped value can also trigger a segmentation fault.

Summary of this issue:
Before this change, if the metadata for a dbm-format certificate (or presumably key) database were corrupted, ugly_split could do an unchecked subtraction resulting in unsigned integer underflow, and would attempt to operate on something it thought was very big, resulting in (at least) an out-of-bounds memory access.

How I started :
I was using an nginx server with HTTPS which hosts nothing; however, adding a certificate exception every time crashed my FF on Linux, but did not crash on Windows. Then I thought of running FF in debug mode to see where the crash happens.

GDB Log :
(gdb) bt
#0  0x00007fffcf4a4c56 in ?? () from /usr/lib/firefox/
#1  0x00007fffcf4a7a60 in ?? () from /usr/lib/firefox/
#2  0x00007fffcf4a63fe in ?? () from /usr/lib/firefox/
#3  0x00007fffcf4a7d1f in ?? () from /usr/lib/firefox/
#4  0x00007fffcf4a7e32 in ?? () from /usr/lib/firefox/
#5  0x00007fffcf4a9046 in ?? () from /usr/lib/firefox/
#6  0x00007fffcf4b599a in ?? () from /usr/lib/firefox/
#7  0x00007fffcf4b602a in ?? () from /usr/lib/firefox/
#8  0x00007fffcf4b87c6 in ?? () from /usr/lib/firefox/
#9  0x00007fffcf4b8d94 in ?? () from /usr/lib/firefox/
#10 0x00007fffcf4b8e40 in ?? () from /usr/lib/firefox/
#11 0x00007fffcf4b08ee in ?? () from /usr/lib/firefox/
#12 0x00007fffcf6eb12f in ?? () from /usr/lib/firefox/
#13 0x00007fffcf6eb6f5 in ?? () from /usr/lib/firefox/
#14 0x00007fffcf6d4321 in ?? () from /usr/lib/firefox/
#15 0x00007fffcf6d746f in ?? () from /usr/lib/firefox/
#16 0x00007ffff597120d in ?? () from /usr/lib/firefox/
#17 0x00007ffff5972261 in ?? () from /usr/lib/firefox/
#18 0x00007ffff598206e in PK11_ImportCert () from /usr/lib/firefox/
#19 0x00007fffe949d431 in ?? () from /usr/lib/firefox/
#20 0x00007fffe67bc232 in ?? () from /usr/lib/firefox/
#21 0x00007fffe6f1eeac in ?? () from /usr/lib/firefox/
#22 0x00007fffe6f23c76 in ?? () from /usr/lib/firefox/
#23 0x00007fffe9835da8 in ?? () from /usr/lib/firefox/
#24 0x00007fffe9828cbe in ?? () from /usr/lib/firefox/
#25 0x00007fffe9835af4 in ?? () from /usr/lib/firefox/
#26 0x00007fffe9835ee9 in ?? () from /usr/lib/firefox/
#27 0x00007fffe98365f2 in ?? () from /usr/lib/firefox/
#28 0x00007fffe9b1a311 in ?? () from /usr/lib/firefox/
#29 0x00007fffe7b12cf5 in ?? () from /usr/lib/firefox/
#30 0x00007fffe7dba6b6 in ?? () from /usr/lib/firefox/
#31 0x00007fffe7dc0498 in ?? () from /usr/lib/firefox/
#32 0x00007fffe7dc0cda in ?? () from /usr/lib/firefox/
#33 0x00007fffe7d9ff82 in ?? () from /usr/lib/firefox/
#34 0x00007fffe7da3bae in ?? () from /usr/lib/firefox/
#35 0x00007fffe7da3eae in ?? () from /usr/lib/firefox/
#36 0x00007fffe8799edc in ?? () from /usr/lib/firefox/
#37 0x00007fffe73c0177 in ?? () from /usr/lib/firefox/
#38 0x00007fffe899c084 in ?? () from /usr/lib/firefox/
#39 0x00007fffe899c3cb in ?? () from /usr/lib/firefox/
#40 0x00007fffe7da0330 in ?? () from /usr/lib/firefox/
---Type <return> to continue, or q <return> to quit---
#41 0x00007fffe7da3bae in ?? () from /usr/lib/firefox/
#42 0x00007fffe878f8f2 in ?? () from /usr/lib/firefox/
#43 0x00007fffe87b3545 in ?? () from /usr/lib/firefox/
#44 0x00007fffe87b6554 in ?? () from /usr/lib/firefox/
#45 0x00007fffe7d85a3f in ?? () from /usr/lib/firefox/
#46 0x00007fffe7d85c94 in ?? () from /usr/lib/firefox/
#47 0x00007fffe7d8a1c8 in ?? () from /usr/lib/firefox/
#48 0x00007fffe87b3591 in ?? () from /usr/lib/firefox/
#49 0x00007fffe87b3f70 in ?? () from /usr/lib/firefox/
#50 0x00007fffe87b6291 in ?? () from /usr/lib/firefox/
#51 0x00007fffe853096f in ?? () from /usr/lib/firefox/
#52 0x00007fffe853259a in ?? () from /usr/lib/firefox/
#53 0x00007fffe856e496 in ?? () from /usr/lib/firefox/
#54 0x00007fffe85392dd in ?? () from /usr/lib/firefox/
#55 0x00007fffe8575a72 in ?? () from /usr/lib/firefox/
#56 0x00007fffe8575b47 in ?? () from /usr/lib/firefox/
#57 0x00007ffff48d8fac in ?? () from /usr/lib/x86_64-linux-gnu/
#58 0x00007ffff1d91fa5 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/
#59 0x00007ffff1da3fc1 in ?? () from /usr/lib/x86_64-linux-gnu/
#60 0x00007ffff1dac7f9 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/
#61 0x00007ffff1dad08f in g_signal_emit () from /usr/lib/x86_64-linux-gnu/
#62 0x00007ffff4a16c3c in ?? () from /usr/lib/x86_64-linux-gnu/
#63 0x00007ffff4a36dd3 in ?? () from /usr/lib/x86_64-linux-gnu/
#64 0x00007ffff48d81e8 in gtk_main_do_event () from /usr/lib/x86_64-linux-gnu/
#65 0x00007ffff4445d92 in ?? () from /usr/lib/x86_64-linux-gnu/
#66 0x00007ffff1abb197 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/
#67 0x00007ffff1abb3f0 in ?? () from /lib/x86_64-linux-gnu/
#68 0x00007ffff1abb49c in g_main_context_iteration () from /lib/x86_64-linux-gnu/
#69 0x00007fffe8590d6f in ?? () from /usr/lib/firefox/
#70 0x00007fffe855a852 in ?? () from /usr/lib/firefox/
#71 0x00007fffe855aa12 in ?? () from /usr/lib/firefox/
#72 0x00007fffe67b54e5 in ?? () from /usr/lib/firefox/
#73 0x00007fffe67b0498 in ?? () from /usr/lib/firefox/
#74 0x00007fffe9385cd5 in ?? () from /usr/lib/firefox/
#75 0x00007fffe965e09e in ?? () from /usr/lib/firefox/
#76 0x00007fffe965eb20 in ?? () from /usr/lib/firefox/
#77 0x00007fffe73ff615 in ?? () from /usr/lib/firefox/
#78 0x00007fffe73ffc2f in ?? () from /usr/lib/firefox/
#79 0x00007fffe73ffd9f in ?? () from /usr/lib/firefox/
#80 0x00007fffe7a3f343 in ?? () from /usr/lib/firefox/
#81 0x00007fffe7997068 in ?? () from /usr/lib/firefox/
---Type <return> to continue, or q <return> to quit---
#82 0x00007fffe9835da8 in ?? () from /usr/lib/firefox/
#83 0x00007fffe9828cbe in ?? () from /usr/lib/firefox/
#84 0x00007fffe9835af4 in ?? () from /usr/lib/firefox/
#85 0x00007fffe9835ee9 in ?? () from /usr/lib/firefox/
#86 0x00007fffe9828cbe in ?? () from /usr/lib/firefox/
#87 0x00007fffe9835af4 in ?? () from /usr/lib/firefox/
#88 0x00007fffe9835ee9 in ?? () from /usr/lib/firefox/
#89 0x00007fffe98365f2 in ?? () from /usr/lib/firefox/
#90 0x00007fffe9b1a613 in ?? () from /usr/lib/firefox/
#91 0x00007fffe73e7902 in ?? () from /usr/lib/firefox/
#92 0x00007fffe73e6b33 in ?? () from /usr/lib/firefox/
#93 0x00007fffe73e6b33 in ?? () from /usr/lib/firefox/
#94 0x00007fffe73e7eb4 in ?? () from /usr/lib/firefox/
#95 0x00007fffe8337b24 in ?? () from /usr/lib/firefox/
#96 0x00007fffe83382d1 in ?? () from /usr/lib/firefox/
#97 0x00007fffe6dc2004 in ?? () from /usr/lib/firefox/
#98 0x00007fffe6e43ca6 in ?? () from /usr/lib/firefox/
#99 0x00007fffe6bb9d7f in ?? () from /usr/lib/firefox/
#100 0x00007fffe6bc1b6b in ?? () from /usr/lib/firefox/
#101 0x00007fffe6bc345d in ?? () from /usr/lib/firefox/
#102 0x00007fffe67b5625 in ?? () from /usr/lib/firefox/
#103 0x00007fffe67b0498 in ?? () from /usr/lib/firefox/
#104 0x00007fffe6bb2b91 in ?? () from /usr/lib/firefox/
#105 0x00007fffe6b88c7d in ?? () from /usr/lib/firefox/
#106 0x00007fffe8555de8 in ?? () from /usr/lib/firefox/
#107 0x00007fffe95f84de in ?? () from /usr/lib/firefox/
#108 0x00007fffe968a13f in ?? () from /usr/lib/firefox/
#109 0x00007fffe968b17a in ?? () from /usr/lib/firefox/
#110 0x00007fffe968b5f6 in ?? () from /usr/lib/firefox/
#111 0x000055555555a745 in ?? ()
#112 0x0000555555559d5c in ?? ()
#113 0x00007ffff6d64830 in __libc_start_main (main=0x555555559cf0, argc=2, argv=0x7fffffffddf8,init=<optimized out>,
fini=<optimized out>,rtld_fini=<optimized out>, stack_end=0x7fffffffdde8) at ../csu/libc-start.c:291
#114 0x000055555555a079 in _start ()

Okay, it was causing a crash while adding a certificate, which gave me a hint that this bug would come under crypto-core-security in Firefox. Moving forward, I reported this to Mozilla. However, I noticed that if I created a new profile in Firefox ESR (i.e. go to "about:profiles", "create new profile"/"launch profile in new browser") and added the same certificate, it didn't cause a crash.

So it seems like there's something specific to my profile that's causing this underflow. Moving further, David Keeler and I analyzed the cert8.db file to check for the root cause of this bug.

The cert8.db file holds the security certificates stored separately from the operating system; sometimes the certificate store can become corrupted.
After taking a look at cert8.db, it looks like something caused my certificate database to be corrupted :(

Because the legacy certificate database implementation was written before the dawn of time, there are places where it's not very careful about its inputs. In particular, it looks like if some database metadata gets corrupted, ugly_split will do an unchecked subtraction and try to operate on data it thinks is very large:


        off = hashp->BSIZE;
        for (n = 1; (n < ino[0]) && (ino[n + 1] >= REAL_KEY); n += 2) {
            cino = (char *)ino;
            key.data = (uint8 *)cino + ino[n];
A           key.size = off - ino[n];
            val.data = (uint8 *)cino + ino[n + 1];
            val.size = ino[n] - ino[n + 1];
            off = ino[n + 1];

B           if (__call_hash(hashp, (char *)key.data, key.size) == obucket) {

At A, we have no guarantee that off >= ino[n], so at B we pass in a very large value for the size of the key.
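The arithmetic at A and B, as an added example in my own C (not NSS code): unchecked_key_size reproduces the wrap that turns a negative difference into a huge key.size, and validate_page shows the kind of offset checks that reject a corrupted table before any size is computed. BSIZE, the page layout (ino[0] counts the offsets, followed by key/data offset pairs that must decrease from BSIZE) and the constructed pages in main are assumptions.

```c
/* Added example, not NSS code: the subtraction at A in isolation, and a
 * checked walk over a dbm-style hash page that refuses offsets which would
 * make that subtraction wrap. Layout assumed: ino[0] = number of offsets,
 * then (key offset, data offset) pairs decreasing from BSIZE. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BSIZE    4096u   /* assumed bucket size */
#define REAL_KEY 4       /* as in the original: smaller data offsets are special */

/* What A computes: uint16 operands promote to int, and a negative result
 * converted to size_t for key.size becomes enormous. Nothing is read here. */
size_t unchecked_key_size(uint16_t off, uint16_t key_off) {
    size_t size = off - key_off;   /* no guarantee off >= key_off */
    return size;
}

/* Hardened walk. Returns the number of accepted entries, or -1 when the
 * table is corrupt: an offset past the current limit, offsets that fail to
 * decrease (either size would wrap), or a record overlapping the table. */
int validate_page(const uint16_t *ino, size_t n_words, size_t bsize) {
    if (n_words == 0) return -1;
    uint16_t count = ino[0];
    if (count % 2 != 0 || (size_t)count + 1 > n_words) return -1;
    size_t table_end = ((size_t)count + 1) * sizeof(uint16_t);
    size_t off = bsize;
    int entries = 0;
    for (uint16_t n = 1; n < count && ino[n + 1] >= REAL_KEY; n += 2) {
        uint16_t key_off = ino[n], val_off = ino[n + 1];
        if (key_off >= off)      return -1;  /* key.size = off - ino[n] would wrap */
        if (val_off >= key_off)  return -1;  /* val.size = ino[n] - ino[n+1] would wrap */
        if (val_off < table_end) return -1;  /* record overlaps the offset table */
        off = val_off;
        entries++;
    }
    return entries;
}

int main(void) {
    /* constructed pages: one sane, one with a key offset past BSIZE */
    const uint16_t good[] = {4, 4000, 3990, 3980, 3970};
    const uint16_t bad[]  = {4, 4200, 3990, 3980, 3970};
    printf("A on (off=100, ino[n]=200) gives key.size = %zu\n",
           unchecked_key_size(100, 200));
    printf("good page: %d entries, bad page: %d\n",
           validate_page(good, 5, BSIZE), validate_page(bad, 5, BSIZE));
    return 0;
}
```

The checks are ordered so that every comparison happens on the raw uint16 values before any subtraction; that is the property the original loop lacks, and it is what lets a parser fail closed on a corrupted cert8.db instead of handing a wrapped size to __call_hash.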

The Mozilla Security Team changed the risk from None to Moderate (sec-moderate), based on the fact that this would require modifying the user's profile on disk to exploit.

PS: I tried exploiting this using ncat with SSL but the session is not stable and it dies.

Issue Reported: 19-11-2017
Fix Released: 05-12-2017
Awarded $750

For everyone who might need a better understanding of how this bug works and how it can be exploited, read further.

My Assumption:
As stated in the blog, a corruption in cert8.db causes this crash, and every beginner in BOF knows that a crash is what we fuzz for to create an exploit.
Since there is no check on the value of the variable 'off', any overwrite can make the value of 'off' lower than ino[n], resulting in the crash.
Assuming 'hashp' is a pointer to a buffer size or memory address, a lower or negative value of 'off' may be the result of getting a higher memory address value from the stack, thus setting key.size much greater; and when you have crashes that deal with memory, there is a high chance this can be taken advantage of to inject shellcode into memory to execute.
For now, what I tried was adding shellcode in h_page.c with a handler, but the established connection was not stable. I am sure a more experienced exploit writer could get a reverse shell by overwriting cert8.db.