Vulnerability Research

BlueKeep: A Journey from DoS to RCE (CVE-2019-0708)

Due to the serious risk of a BlueKeep based worm, I’ve held back this write-up to avoid advancing the timeline. Now that a proof-of-concept for RCE (remote code execution) has been release as part of Metasploit, i feel it’s now safe for me to post this. This article will be …

Vulnerability Research

DejaBlue: Analyzing a RDP Heap Overflow

In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182 affect every OS from Windows 7 to Windows 10. There is some confusion about which CVE is which, though it’s possible both refer to the same …

Vulnerability Research

Analysis of CVE-2019-0708 (BlueKeep)

I held back this write-up until a proof of concept (PoC) was publicly available, as not to cause any harm. Now that there are multiple denial-of-service PoC on github, I’m posting my analysis. Binary Diffing As always, I started with a BinDiff of the binaries modified by the patch (in …

Vulnerability Research

Analysis of a VB Script Heap Overflow (CVE-2019-0666)

Anyone who uses RegEx knows how easy it is to shoot yourself in the foot; but, is it possible to write RegEx so badly that it can lead to RCE? With VB Script, the answer is yes! In this article I’ll be writing about what I assume to be CVE-2019-0666. …

Vulnerability Research

Analyzing a Windows DHCP Server Bug (CVE-2019-0626)

Today I’ll be doing an in-depth write up on CVE-2019-0626, and how to find it. Due to the fact this bug only exists on Windows Server, I’ll be using a Server 2016 VM (corresponding patch is KB4487026). Note: this bug was not found by me, I reverse engineered it from …

Vulnerability Research

MS14-066 In Depth Analysis

A few days ago I published an article detailing how a second bug, in the schannel TLS handshake handling, could allow an attacker to trigger the DecodeSigAndReverse heap overflow in an application that doesn’t support client certificates. I had stated I was not familiar with ECC signatures and was unsure …