Talos Intelligence advisories
Mostly complete archive of vulnerabilities I found while working at Talos.
For a good 10 years (2015 to 2025) I’ve had the privilege of being part of Talos Intelligence, the successor to the SourceFire VRT. As part of the vulnerability research team, I’ve worked on a number of projects that I hold dear. I’ve had loads of fun executing them and have been proud to publish the details. Over the years, some of the publications have suffered from linkrot and CMS changes, so I am archiving them here. For each you will find a short synopsis of the project, the archived page, a link to the Web Archive copy and a link to the Talos Blog post.
A cornerstone of my work at Talos has always been the discovery and analysis of vulnerabilities. The whole team still takes pride in publishing detailed advisories that contain a root cause analysis of every vulnerability we have reported. Those discovered and analyzed by me can be found archived here.
There were many other projects, engagements, assessments and consultations that I contributed to, but those are up to others to archive or publish.
Earlier this year, we conducted code audits of the macOS printing subsystem, which is heavily based on the open-source CUPS package. During this investigation, the IPP-USB protocol caught our attention. The IPP over USB specification defines how printers that are only reachable over USB can still support network printing via the Internet Printing Protocol (IPP). After wrapping up the macOS investigation, we decided to take a look at how other operating systems handle the same functionality.
Finding novel and unique vulnerabilities often requires the development of unique tools that are best suited for the task. The platforms and hardware that the target software runs on usually dictate which tools and techniques can be used. This is especially true for parts of the macOS operating system and kernel, due to their closed-source nature and the lack of tools that support advanced debugging, introspection or instrumentation.
Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties. Things are closed-source, so we can’t use compile-time instrumentation. While dynamic binary instrumentation tools like DynamoRIO and TinyInst work on macOS, they cannot be used to instrument kernel components.
The MSRPC implementations on macOS and vCenter are based on the same DCERPC codebase, forked at different times and modified to suit different use cases. The uncovered issues fall into the use-after-free, buffer overflow, information leak and denial-of-service vulnerability classes. Some of these could be combined to achieve remote code execution or privilege escalation. Apple has addressed all of the vulnerabilities on three separate occasions in their scheduled monthly updates in January, March and May 2023. VMware has addressed all reported issues in an update on June 22. Talos is now disclosing all these vulnerabilities in adherence to Cisco’s third-party vulnerability disclosure policy. Approaching the target’s attack surface layer by layer, we show vulnerabilities that stem from single-packet parsing, temporal vulnerabilities that require multiple interacting sessions, and complex vulnerabilities that can only be reached by performing concrete and well-formed RPC calls.
Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions.
OpenUSD stands for “Open Universal Scene Descriptor.” Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting various aspects of the digital animation process. In most use cases it is expected to process trusted inputs, which stands at odds with security considerations.
Video conferencing and calling software has spiked in popularity as individuals across the globe are forced to stay home due to the COVID-19 pandemic. There are a plethora of players in this space, with one or two getting increased attention. One service in particular — Zoom — has received an enormous amount of attention from the media and users.
Today, Cisco Talos is disclosing a user enumeration vulnerability in Zoom Communications that could allow a malicious user to obtain a complete list of Zoom users inside a specific organization. There has been a lot of discussion around what is and is not a vulnerability and what security features should exist in video conferencing software. That is not the purpose of this blog. This disclosure is made in accordance with our vulnerability disclosure policy, in the interest of ensuring the security and privacy of users at large against this information disclosure vulnerability.
With tools such as ZMap and Masscan and generally higher bandwidth availability, exhaustive internet-wide scans of the full IPv4 address space have become the norm where they were once impractical. Projects like Shodan and Scans.io aggregate and publish frequently updated datasets of scan results for public analysis, giving researchers greater insight into the current state of the internet.
While IPv4 is the norm, the use of IPv6 is on the rise. However, there has been very little analysis of the most recent version of the internet protocol, because exhaustive scans are impossible given the size of the address space. We need to deploy novel techniques to enumerate active IPv6 hosts.
In October last year, we performed a source code audit of the Memcached server and identified three distinct but similar vulnerabilities. All three are in the implementation of the binary protocol. Two vulnerabilities lie in the part of the code dealing with adding and updating cached objects, while the third is in the SASL authentication mechanism. All three vulnerabilities are due to integer overflows leading to controlled heap buffer overflows and, due to the nature of the protocol, can be abused for sensitive memory disclosure, which can lead to straightforward and reliable exploitation.
MiniUPnP is commonly used to allow two devices that are behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, a technique commonly known as “hole punching”. Various software implementations of this technique enable peer-to-peer applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.
In 2015 Talos identified and reported a buffer overflow vulnerability in the client-side code of the popular MiniUPnP library. The vulnerability was promptly fixed by the vendor and was assigned TALOS-CAN-0035 as well as CVE-2015-6031. Martin Zeiser and Aleksandar Nikolic subsequently gave a talk at PacSec 2015 (“Universal Pwn n Play”) about the client-side attack surface of UPnP, and this vulnerability was part of it.