Memory corruption - Case studies
Very high-profile example
Chaining of several vulnerabilities, circumvention of hardware mitigations (including pointer authentication). Many people believe these shouyld be attributed to the NSA; some believe that Apple somehow helped them. I do not have any element in support.
- New iPhone Exploit Uses Four Zero-Days Kaspersky researchers are detailing “an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky.” It’s a zero-click exploit that makes use of four iPhone zero-days.
- 4-year campaign backdoored iPhones using possibly the most advanced exploit ever.
Not very difficult to understand
- Technical Advisory: Vulnerabilities Identified within ListServ ListServ is a widely used email list management application. In October 2023 a stack overflow vulnerability was identified (section "Stack Based Overflow Vulnerability"). Easy to understand but hardly exploitable.
- Citrix Bleed: Leaking Session Tokens with CVE-2023-4966 Citrix NetScaler is a network device providing load balancing, firewall and VPN services. A buffer overflow in a variable filled with the
Host
header of a received HTTP request (thus a variable indirectly controlled by the attacker) allow dumping portions of memory in the matching HTTP response, including currently valid session cookies.
More difficult to understand
Understanding all the details in the following analyses is difficult and often some details are not reported. In particular, the steps for obtaining RCE from the overflow are rarely shown (the descriptions only illustrate the overflow).
- CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) Heap-based buffer overflow in sudo, a near-ubiquitous utility available on major Unix-like operating systems. Any unprivileged user can gain root privileges on a vulnerable host using a default sudo configuration. The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011.
- TALOS-2023-1734 Microsoft Office Excel WebCharts out-of-bounds write vulnerability An access violation vulnerability exists in the WebCharts functionality of Microsoft Office Excel 2019 Plus version 2302 build 16130.20332. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can use arbitrary code execution to trigger this vulnerability.
- Akamai 2023 - Exploring Three Remote Code Execution Vulnerabilities in RPC Runtime Important vulnerabilities in Microsoft Windows RPC runtime that can lead to remote code execution. Since the RPC runtime library is loaded into all RPC servers, and these are commonly used by Windows services, all Windows versions (Desktop and Server) are affected. The vulnerabilities are integer overflows in three data structures used by the RPC runtime.
- The Equation Group's Firewall Exploit Chain In August 2016 a near-complete exploit kit targeting all major firewall manufacturers (including CISCO ASA) was released by a group known as the ShadowBrokers. This exploit kit has been widely attributed as belonging to a group in the NSA known as the Tailored Access Operations Unit (also commonly referred to as "The Equation Group”). Description of an exploit chain consisting of 6 elements: the two first steps exploit a buffer overflow; the other steps do not exploit any vulnerability: secondary stage loading, persistence, C&C.
- A short video explaining at a very high level the Heartbleed vulnerability in OpenSSL. This is an old vulnerability in OpenSSL that affected a lot of web servers around the world (many HTTPS servers use OpenSSL). It allowed stealing the private key of a web server, as well as username and passwords of users currently logged in, from a remote location. The slides on Heartbleed on this page describe the code problem in detail.