Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).

CVE-2020-13757: python-rsa does not detect ciphertext modification (prepended "0" bytes) in PKCS1_v1_5 · Issue #146 · sybrenstuvel/python-rsa

Sympa before 6.2.56 allows privilege escalation.

Durant bon nombre de formations dispensées à Sysdream, les consultants ont pu révéler l’existence d’outils internes divers et variés, employés lors de tests d’intrusion ou de tests d’applications, sans pouvoir (ou vouloir ?) les diffuser. Dans un souci d’ouverture à la communauté, le laboratoire R&D a décidé de publier les sources de certains des outils développés et employés en interne, pour des raisons évidentes:

*   Ils contiennent encore des bugs, ou manquent de fonctionnalités, et nécessitent donc des tests à plus large échelle
*   L’apport de la communauté de la sécurité informatique ne peut être que bénéfique, et faire en sorte que ces outils soient améliorés
*   Github intègre un bug tracker qui permettra d’avoir un réel suivi des bugs ainsi que d’avoir une vision des fonctionnalités futures

L’ensemble des outils se trouvent donc sur notre Github. Nous allons ainsi publier durant les prochains mois différents outils sous licence GPL aggrémentés de leurs documentations respectives. Ces outils sont majoritairement développés en Python et en C, et certains même sont issus des recherches effectués au laboratoire. A l’heure actuelle, nous avons diffusé deux outils qu’il nous semble intéressant de partager:

**Protod**

Lorsque nous avions diffusé la première version de cet outil, ses capacités étaient somme toute relativement limitées. Nous avons profité d’un peu de temps disponible pour redévelopper intégralement cet outil, et améliorer la routine de localisation et d’extraction des méta-données. Protod supporte désormais aussi bien les exécutables Linux que Windows, ainsi que les fichiers Python compilés (pyc).

Comme nous le disions précédemment, cet outil fait aussi écho à un autre outil développé par Emilien Girault qui lui a permis de retrouver les fichiers de description des messages (.proto) employés par le Play Store de Google, basé sur micro-protobuf (une version allégée et sans méta-données de Protocol Buffers). Nous vous invitons bien sûr à consulter la méthode employée **\[1\]** ainsi que le code de son outil !

Code source sur Github

**Socketjump**

Un autre outil développé par nos soins, lors d’un test d’intrusion où socat ne convenait pas. Il s’agit d’un petit outil permettant de faire un pont entre deux sockets TCP, peu importe qu’elles soient en écoute ou en connexion sortante. Des options complémentaires comme la spécification du port source, ou le chiffrement (léger) de la communication sont aussi disponibles.

Le nom de cet outil est bien évidemment issu du célèbre “Rocket Jump” de Quake, son objectif premier étant de pouvoir faire du rebond vers un réseau interne à partir d’une machine compromise ouverte à un accès extérieur (Internet par exemple). 

Code source sur Github

Nous espérons que ces différents outils seront utiles à la communauté de la sécurité informatique.

**Références**

**\[1\]** http://www.segmentationfault.fr/publications/reversing-google-play-and-micro-protobuf-applications/

**\[2\]** https://sysdream.com/reverse-engineering-of-protobuf-based/

CVE-2020-10936: Le labo R&D a désormais son Github - SysDream

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.

**Mozilla Foundation Security Advisory 2020-17**

Announced

May 5, 2020

Impact

critical

Products

Firefox ESR

Fixed in

*   Firefox ESR 68.8

**#CVE-2020-12387: Use-after-free during worker shutdown**

Reporter

Looben Yang

Impact

critical

**Description**

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash.

**References**

*   Bug 1545345

**#CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens**

Reporter

James Forshaw of Google Project Zero

Impact

critical

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1618911

**#CVE-2020-12389: Sandbox escape with improperly separated process types**

Reporter

Niklas Baumstark

Impact

high

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1554110

**#CVE-2020-6831: Buffer overflow in SCTP chunk input validation**

Reporter

Natalie Silvanovich of Google Project Zero

Impact

high

**Description**

A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1632241

**#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'**

Reporter

Ophir LOJKINE

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files.

**References**

*   Bug 1614468

**#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection**

Reporter

David Yesland

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1615471

**#CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members Alexandru Michis, Jason Kratzer, philipp, Ted Campbell, Bas Schouten, André Bargull, and Karl Tomlinson reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

CVE-2020-12387: Security Vulnerabilities fixed in Firefox ESR 68.8

A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.

**Mozilla Foundation Security Advisory 2020-16**

Announced

May 5, 2020

Impact

critical

Products

Firefox

Fixed in

*   Firefox 76

**#CVE-2020-12387: Use-after-free during worker shutdown**

Reporter

Looben Yang

Impact

critical

**Description**

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash.

**References**

*   Bug 1545345

**#CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens**

Reporter

James Forshaw of Google Project Zero

Impact

critical

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1618911

**#CVE-2020-12389: Sandbox escape with improperly separated process types**

Reporter

Niklas Baumstark

Impact

high

**Description**

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1554110

**#CVE-2020-6831: Buffer overflow in SCTP chunk input validation**

Reporter

Natalie Silvanovich of Google Project Zero

Impact

high

**Description**

A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1632241

**#CVE-2020-12390: Incorrect serialization of nsIPrincipal.origin for IPv6 addresses**

Reporter

Giorgio Maone

Impact

moderate

**Description**

Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks

**References**

*   Bug 1141959

**#CVE-2020-12391: Content-Security-Policy bypass using object elements**

Reporter

Giorgio Maone

Impact

moderate

**Description**

Documents formed using `data:` URLs in an `object` element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin.

**References**

*   Bug 1457100

**#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'**

Reporter

Ophir LOJKINE

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files.

**References**

*   Bug 1614468

**#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection**

Reporter

David Yesland

Impact

moderate

**Description**

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.  
_Note: this issue only affects Firefox on Windows operating systems._

**References**

*   Bug 1615471

**#CVE-2020-12394: URL spoofing in location bar when unfocussed**

Reporter

Kestrel

Impact

low

**Description**

A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element.

**References**

*   Bug 1628288

**#CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members Alexandru Michis, Jason Kratzer, philipp, Ted Campbell, Bas Schouten, André Bargull, and Karl Tomlinson reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

**#CVE-2020-12396: Memory safety bugs fixed in Firefox 76**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Frederik Braun, Andrew McCreight, C.M.Chang, and Dan Minor reported memory safety bugs present in Firefox 75. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 76

CVE-2020-12394: Security Vulnerabilities fixed in Firefox 76

An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data.

Permalink

Browse files

Add a failsafe on the maximum number of Canon MakerNote subtags.

A malicious file could be crafted to cause extremely large values in some
tags without tripping any buffer range checks.  This is bad with the libexif
representation of Canon MakerNotes because some arrays are turned into
individual tags that the application must loop around.

The largest value I've seen for failsafe\_size in a (very small) sample of valid
Canon files is <5000.  The limit is set two orders of magnitude larger to avoid
tripping up falsely in case some models use much larger values.

Patch from Google.

CVE-2020-13114

*   Loading branch information

Showing with **21 additions** and **0 deletions**.

1.  +21 −0 libexif/canon/exif-mnote-data-canon.c

CVE-2020-13114: Add a failsafe on the maximum number of Canon MakerNote subtags. · libexif/libexif@e6a38a1

Insufficient data validation in site information in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted domain name.

CVE-2020-6491

Use after free in media in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVE-2020-6466

Use after free in speech recognizer in Google Chrome prior to 81.0.4044.113 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

CVE-2020-6457

Insufficient data validation in URL formatting in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to perform domain spoofing via a crafted domain name.

CVE-2020-6460

Out of bounds read and write in PDFium in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

Tag

#google