CVE-2016-4828

The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account.

Dozens of Malicious Apps on Play Store can Root & Hack 90% of Android Devices

It’s not at all surprising that the Google Play Store is surrounded by a large number of malicious apps that are able to attract users’ attention and make them fall victim to one, but this time, it is even worse than most people realize.

Researchers at Trend Micro have detected a family of malicious apps, dubbed ‘Godless,’ that has the capability of secretly rooting almost 90 percent of all

Magic values in 32-bit processes on 64-bit OS-es and how to exploit them

Posted by Berend-Jan Wever on Jun 24

(You can read all this information in more detail on
http://blog.skylined.nl)

Software components such as memory managers often use magic values to
mark memory as having a certain state. These magic values can be used
during debugging to determine the state of the memory, and have often
(but not always) been chosen to coincide with addresses that fall
outside of the user-land address space on 32-bit versions of the
Operating System. This can…

Re: Magic values in 32-bit processes on 64-bit OS-es and how to exploit them

Posted by Berend-Jan Wever on Jun 24

Obviously, this may be of interest to authors of security software that
aims to mitigate exploitation of 0-day: it should be possible to:
1) actively reserve memory regions referenced by such pointers to
prevent allocation by an exploit. The additional address space
fragmentation should not be a problem for most applications, but I have
no data, so you might want to consider:
2) analyze various binaries for their use of magic values, and actively…

Sierra Wireless AirLink Raven XE Industrial 3G Gateway – Multiple Vulnerabilities

Posted by Karn Ganeshen on Jun 24

*Sierra Wireless AirLink Raven XE Industrial 3G Gateway – Multiple
Vulnerabilities*

*About*
http://www.sierrawireless.com/products-and-solutions/gateway-solutions/raven-series/

Rugged Design and Advanced Security for Fixed and Portable Wireless
Communication

Raven XE/XT
Compact design for industrial applications
Ethernet (XE) or serial (XT) options with USB and digital I/O

*APPLICATIONS:*
Remote Monitoring Surveillance Vending/Kiosk…

Re: Magic values in 32-bit processes on 64-bit OS-es and how to exploit them

Posted by Berend-Jan Wever on Jun 24

I’ve released a Proof-of-Concept html page that uses JavaScript typed
arrays in 32-bit Chrome and Firefox on 64-bit Windows to allocate
address 0xDEADBEEF and store the value 0xBADC0DED there. You can find
this and details on the implementation at
http://blog.skylined.nl/20160622001.html.

That page also contains a write-up on CVE-2014-1736; a vulnerability in
32-bit Chrome on 64-bit Windows that allows arbitrary read&write that
was…