POSTS

Why is it so hot here? Hacking Electra Smart air conditioners for fun and profit
By Lev Aronsky & Idan Strovinsky,
19-Jun 2023
,

CVE-2023-24500

CVE-2023-24501

CVE-2023-24502

CVE-2023-24503

CVE-2023-24504

CVE-2023-30160
AFL++ on Android with QEMU support
By Itai Greenhut,
16-Nov 2021
,
SuDump: Exploiting suid binaries through the kernel
By Itai Greenhut,
20-Oct 2021
,
Aruba in Chains: Chaining Vulnerabilities for Fun and Profit
By Itai Greenhut & Gal Zror,
15-Jul 2021
,

CVE-2021-25155

CVE-2021-25156

CVE-2021-25157

CVE-2021-25158

CVE-2021-25159

CVE-2021-25160

CVE-2021-25161

CVE-2021-25162
Revised Homograph Attacks - Part 3
By Tzachy Horesh,
28-Feb 2021
,
Exploiting crash handlers: LPE on Ubuntu
By Itai Greenhut,
16-Feb 2021
,

CVE-2021-25682

CVE-2021-25683

CVE-2021-25684
Don't Ruck Us Again - The Exploit Returns
By Gal Zror,
14-Oct 2020
,

CVE-2020-13913

CVE-2020-13914

CVE-2020-13915

CVE-2020-13916

CVE-2020-13918

CVE-2020-13917
Revised Homograph Attacks - Part 2
By Tzachy Horesh,
23-Jul 2020
,

CVE-2020-6401
Accelerating iOS on QEMU with hardware virtualization (KVM)
By Lev Aronsky,
19-Jul 2020
,
Tunnelling TCP connections into iOS on QEMU
By Lev Aronsky,
29-Mar 2020
,
Don't Ruck Us Too Hard - Owning Ruckus AP devices
By Gal Zror,
14-Jan 2020
,

CVE-2019-19834

CVE-2019-19835

CVE-2019-19836

CVE-2019-19837

CVE-2019-19838

CVE-2019-19839

CVE-2019-19840

CVE-2019-19841

CVE-2019-19842

CVE-2019-19843
Revised Homograph Attacks
By Tzachy Horesh,
29-Dec 2019
,
Breaking Algorithms - SMT Solvers for WebApp Security
By Leo Goldstien,
02-Sep 2019
,
Xiaomi Zigbee (3): Live Debugging
By Lev Aronsky,
15-Jul 2019
,
Xiaomi Zigbee (2): Beyond Architecture
By Lev Aronsky,
09-Jul 2019
,
Xiaomi Zigbee (1): Getting to know the hardware
By Lev Aronsky,
01-Jul 2019
,
Running iOS in QEMU to an interactive bash shell (2): research
By Jonathan Afek,
25-Jun 2019
,
Running iOS in QEMU to an interactive bash shell (1): tutorial
By Jonathan Afek,
17-Jun 2019
,
It takes only one StackOverflowException to bring down an Application deployed on IIS
By Gil Mirmovitch,
22-Oct 2018
,

CVE-2018-8269

ALEPH-2018002

ALEPH-2018003

ALEPH-2018004

ALEPH-2018005

ALEPH-2018006
Overcoming (some) Spectre browser mitigations
By Noam Hadad & Jonathan Afek,
26-Jun 2018
,
Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6's Secure Boot
By Roee Hay & Noam Hadad,
22-Jan 2018
,

QPSIIR-909

ALEPH-2017029

CVE-2017-13174

CVE-2017-5947
Exploiting Qualcomm EDL Programmers (4): Runtime Debugger
By Roee Hay & Noam Hadad,
22-Jan 2018
,

QPSIIR-909

ALEPH-2017029

CVE-2017-13174

CVE-2017-5947
Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction
By Roee Hay & Noam Hadad,
22-Jan 2018
,

QPSIIR-909

ALEPH-2017029

CVE-2017-13174

CVE-2017-5947
Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting
By Roee Hay & Noam Hadad,
22-Jan 2018
,

QPSIIR-909

ALEPH-2017029

CVE-2017-13174

CVE-2017-5947
Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
By Roee Hay & Noam Hadad,
22-Jan 2018
,

QPSIIR-909

ALEPH-2017029

CVE-2017-13174

CVE-2017-5947
Untethered initroot (USENIX WOOT '17)
By Roee Hay,
30-Aug 2017
,

CVE-2016-10277

A-62345923
Nexus 9 vs. Malicious Headphones, Take Two
By Roee Hay,
13-Jun 2017
,

CVE-2017-0648

CVE-2017-0510

CVE-2017-0563

CVE-2017-0582
initroot: Hello Moto
By Roee Hay,
07-Jun 2017
,

CVE-2016-10277
initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection
By Roee Hay,
23-May 2017
,

CVE-2016-10277

CVE-2017-1000363
OnePlus OTAs: Analysis & Exploitation
By Roee Hay,
11-May 2017
,

CVE-2017-5948

CVE-2017-8850

CVE-2017-8851

CVE-2016-10370
Owning OnePlus 3/3T with a Malicious Charger: The Last Piece of the Puzzle
By Roee Hay,
26-Mar 2017
,

CVE-2017-5622

CVE-2017-5626

CVE-2017-5624
Attacking Nexus 9 with Malicious Headphones
By Roee Hay,
08-Mar 2017
,

CVE-2017-0510

CVE-2017-0563

CVE-2017-0582
Owning a Locked OnePlus 3/3T: Bootloader Vulns
By Roee Hay,
08-Feb 2017
,

CVE-2017-5626

CVE-2017-5624
Attacking Nexus 6/6P Custom Boot Modes
By Roee Hay & Michael Goberman,
05-Jan 2017
,

CVE-2016-8467

CVE-2016-6678

VULNS

03/12/23

CVE-2023-30160
Unauthorized attacker can connect to the MQTT server controlling all of Electra's Smart AC units and gain full control of them
03/12/23

CVE-2023-24504
Attacker within WiFi range can cause unconfigured units to connect to a malicious update server
03/12/23

CVE-2023-24503
Attacker within IR range can install arbitrary firmware over the air
03/12/23

CVE-2023-24502
A WiFi hotspot with a known password is always availiable on unconfigured units
03/12/23

CVE-2023-24501
Credentials for connecting to the MQTT server hardcoded inside the firmware
03/12/23

CVE-2023-24500
Attacker within WiFi range can install arbitrary firmware over the air on unconfigured units
06/03/21

CVE-2021-33813
XXE in JDOM library - Java
03/09/21

CVE-2021-25155
Authenticated Arbitrary File Write via Web UI (cplogo-install)
03/09/21

CVE-2021-25162
Unauthenticated Command Injection via Web UI
03/09/21

CVE-2021-25161
Authenticated Reflected Cross-Site Scripting (cp_perview)
03/09/21

CVE-2021-25160
Authenticated Arbitrary File Write via Web UI to Specific Backup File
03/09/21

CVE-2021-25159
Authenticated Arbitrary File Write via Web UI (cp-upload)
03/09/21

CVE-2021-25158
Unauthenticated Arbitrary File Read via Race Condition Vulnerability
03/09/21

CVE-2021-25157
Authenticated Arbitrary File Read via Web UI (cplogo-install)
03/09/21

CVE-2021-25156
Authenticated Arbitrary Directory Create via Web UI (cplogo-install)
01/21/21

CVE-2021-25684
Stuck reading fifo file in Apport
01/21/21

CVE-2021-25683
Incorrect parsing of /proc/pid/stat in Apport
01/21/21

CVE-2021-25682
Incorrect parsing of /proc/pid/status in Apport
06/07/20

CVE-2020-13917
rkscli jailbreak
06/07/20

CVE-2020-13919
Authenticated command injection in emfd/libemf
06/07/20

CVE-2020-13918
Infromation leakage from /upnp.jsp
06/07/20

CVE-2020-13916
Stack buffer overflow in webs
06/07/20

CVE-2020-13915
Unauthenticated admin credentials overwrite