Stephen Fewer
stephenfewer.bsky.social
Senior Principal Security Researcher at @rapid7.com. Specializing in software vulnerabilities and exploitation. stephenfewer.github.io
Phase 2 achieves RCE by leveraging an authenticated stack-based buffer overflow to execute arbitrary OS commands, and then a code signing bypass to execute arbitrary native code as root.
December 4, 2024 at 9:38 AM
Phase 1 achieves an auth bypass by leveraging an unauth stack-based buffer overflow to reach an out-of-bounds heap read, in turn leaking a secret from heap memory which allows us to reset the admin password. Finally, a null pointer dereference forces a device reboot.
December 4, 2024 at 9:37 AM