// disclosures, vulnerability analyses and published CVEs
May 16, 2025 | Apple iOS
Apple iOS < 18.5 - Screen Time and settings passcode research
The research focused on the Screen Time functionality and the settings passcode mechanics in iOS. I concentrated on CWE-307 (improper restriction of excessive authentication attempts) and CWE-799 (improper control of interaction frequency).
The analysis covered how the system enforces limits on the number and frequency of passcode attempts. A weakness in either limit translates into a real risk of guessing the passcode and thereby bypassing parental restrictions and the access control on device settings.
I prepared a detailed technical write-up with reproducible steps and an impact assessment. Mitigations were included in the iOS 18.5 line of updates.
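The property the two CWEs describe is easiest to see in code. The throttle below is an added, generic example (not Apple's implementation and not derived from it): consecutive failures are counted and, from the fifth one on, each failure imposes an escalating lockout during which attempts are refused before the passcode is even compared. The thresholds, the lockout schedule and the four-digit sample passcode are assumptions made for the illustration.

```c
// Added example, not Apple's code: a generic passcode-attempt throttle of the
// kind CWE-307 and CWE-799 ask for. Consecutive failures are counted and,
// from the fifth one on, each failure imposes an escalating lockout during
// which attempts are refused before the passcode is even compared. The clock
// is passed in by the caller so the behaviour can be checked deterministically;
// the thresholds and schedule are assumptions, not iOS values.
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    unsigned failures;       /* consecutive failed attempts */
    uint64_t locked_until;   /* seconds; attempts with now < locked_until are refused */
} throttle_t;

enum { ATTEMPT_OK = 0, ATTEMPT_WRONG = 1, ATTEMPT_LOCKED = 2 };

/* Lockout in seconds imposed after the given number of consecutive failures. */
uint64_t lockout_for(unsigned failures) {
    static const uint64_t schedule[] = { 60, 300, 900, 3600 };   /* 5th, 6th, 7th, 8th+ */
    const unsigned last = sizeof schedule / sizeof schedule[0] - 1;
    if (failures < 5) return 0;
    unsigned idx = failures - 5;
    return schedule[idx > last ? last : idx];
}

/* Compare without early exit on the first mismatching digit, so timing does not
 * leak how much of the passcode was right. */
static bool passcode_equal(const char *entered, const char *stored) {
    size_t le = strlen(entered), ls = strlen(stored);
    unsigned char diff = (unsigned char)((le ^ ls) != 0);
    for (size_t i = 0; i < ls; i++)
        diff |= (unsigned char)(stored[i] ^ (i < le ? entered[i] : 0));
    return diff == 0;
}

/* Single entry point for every attempt. Order matters: the frequency check
 * comes first, so a locked-out caller learns nothing about the guess. */
int passcode_attempt(throttle_t *t, uint64_t now, const char *entered, const char *stored) {
    if (now < t->locked_until) return ATTEMPT_LOCKED;
    if (passcode_equal(entered, stored)) {
        t->failures = 0;
        t->locked_until = 0;
        return ATTEMPT_OK;
    }
    t->failures++;
    t->locked_until = now + lockout_for(t->failures);
    return ATTEMPT_WRONG;
}

/* Walk-through with a constructed passcode "4821". Returns how many of the five
 * expected behaviours were observed (5 means the throttle works as described). */
int throttle_walkthrough(void) {
    throttle_t t = { 0, 0 };
    const char *stored = "4821";
    int seen = 0;
    int all_wrong = 1;
    for (uint64_t now = 0; now < 4; now++)            /* failures 1-4: wrong, no lockout */
        all_wrong &= passcode_attempt(&t, now, "0000", stored) == ATTEMPT_WRONG;
    seen += all_wrong;
    seen += passcode_attempt(&t, 10, "0000", stored) == ATTEMPT_WRONG && t.locked_until == 70;
    seen += passcode_attempt(&t, 20, "4821", stored) == ATTEMPT_LOCKED;   /* right code, still refused */
    seen += passcode_attempt(&t, 70, "4821", stored) == ATTEMPT_OK;       /* lockout over, counter resets */
    seen += passcode_attempt(&t, 71, "0000", stored) == ATTEMPT_WRONG && t.failures == 1;
    return seen;
}
```

Two caveats a practitioner would check in any real implementation of this pattern: the counter and `locked_until` must live in storage that survives a reboot and that the user cannot reset, and `now` must come from a clock the user cannot wind back, otherwise the limit on the number of attempts (CWE-307) and the limit on their frequency (CWE-799) are both defeated without touching the comparison itself.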
VeraCrypt < 1.26.18 - path hijacking and secure volume mounting
I collaborated on two vulnerabilities in VeraCrypt fixed in version 1.26.18. They concern path hijacking in the execution of system binaries and the security of volume mounting on Linux and macOS.
The issue came down to how VeraCrypt located and executed external system binaries during mount operations. The lack of hardened execution paths opened a path-hijacking scenario: an attacker able to influence the environment of the process (its PATH in particular) could cause execution of an attacker-controlled binary with elevated privileges.
During the analysis I built scenarios validating the real impact and prepared recommendations to harden the execution paths (absolute, trusted paths instead of a lookup through PATH). The fixes shipped in release 1.26.18.
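To make the hijack and the fix concrete, here is an added example that is not VeraCrypt's code: a privileged helper that launches a system tool by bare name is hijacked through PATH, while the hardened variant execs a vetted absolute path with a fixed environment. The tool name `mount`, the temporary-directory fixtures and the trust rules in `is_trusted_binary` are assumptions made for the demonstration.

```c
// Added example, not VeraCrypt's code: a privileged helper that launches a
// system tool by bare name is hijacked through PATH; the hardened variant
// execs a vetted absolute path with a fixed environment. Tool name,
// directory layout and the trust rules below are assumptions.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

#define TOOL "mount"   /* stands in for mount/umount/fsck that a real helper calls */

/* Constructed fixture: write <dir>/mount as a shell script exiting with `status`
 * (42 plays the attacker's binary, 0 plays the genuine tool). Returns 0 on success. */
int make_fake_tool(const char *dir, int status) {
    char path[512], body[64];
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    snprintf(path, sizeof path, "%s/%s", dir, TOOL);
    snprintf(body, sizeof body, "#!/bin/sh\nexit %d\n", status);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return -1;
    if (write(fd, body, strlen(body)) != (ssize_t)strlen(body)) { close(fd); return -1; }
    return close(fd);
}

static int exit_status_of(pid_t pid) {
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Vulnerable pattern: execlp() resolves the bare name through PATH, and PATH
 * was inherited from the unprivileged caller. The first matching "mount" wins. */
int run_by_name(const char *path_env) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        setenv("PATH", path_env, 1);
        execlp(TOOL, TOOL, (char *)NULL);
        _exit(127);
    }
    return exit_status_of(pid);
}

/* Hardened pre-flight: absolute, no "." or ".." components, under an allowlisted
 * system directory, a regular file owned by root, not writable by group/others. */
int is_trusted_binary(const char *path) {
    static const char *const dirs[] = { "/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/" };
    struct stat sb;
    int ok = 0;
    if (path[0] != '/' || strstr(path, "/../") || strstr(path, "/./")) return 0;
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        if (strncmp(path, dirs[i], strlen(dirs[i])) == 0) ok = 1;
    if (!ok || stat(path, &sb) != 0 || !S_ISREG(sb.st_mode)) return 0;
    return sb.st_uid == 0 && (sb.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hardened launch: execve() on an absolute path with a fixed minimal environment.
 * The hostile PATH is still set in the child, to show that it is simply ignored. */
int run_fixed(const char *abs_path, const char *hostile_path_env) {
    if (abs_path[0] != '/') return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)abs_path, NULL };
        char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
        setenv("PATH", hostile_path_env, 1);
        execve(abs_path, argv, envp);
        _exit(127);
    }
    return exit_status_of(pid);
}

static const char *tmp_root(void) {
    const char *t = getenv("TMPDIR");
    return (t && *t) ? t : "/tmp";
}

/* Demo 1: attacker directory first in PATH, helper calls TOOL by name -> exit 42. */
int hijack_demo(void) {
    char evil[256], path_env[512];
    snprintf(evil, sizeof evil, "%s/hijack_evil_%d", tmp_root(), (int)getpid());
    if (make_fake_tool(evil, 42) != 0) return -1;
    snprintf(path_env, sizeof path_env, "%s:/usr/sbin:/usr/bin:/sbin:/bin", evil);
    return run_by_name(path_env);
}

/* Demo 2: same hostile PATH, but the helper execs the genuine tool's absolute
 * path (a constructed stand-in for /sbin/mount here) -> exit 0. */
int fixed_demo(void) {
    char evil[256], real[256], real_tool[320], path_env[512];
    snprintf(evil, sizeof evil, "%s/hijack_evil_%d", tmp_root(), (int)getpid());
    snprintf(real, sizeof real, "%s/hijack_real_%d", tmp_root(), (int)getpid());
    if (make_fake_tool(evil, 42) != 0 || make_fake_tool(real, 0) != 0) return -1;
    snprintf(real_tool, sizeof real_tool, "%s/%s", real, TOOL);
    snprintf(path_env, sizeof path_env, "%s:/usr/sbin:/usr/bin:/sbin:/bin", evil);
    return run_fixed(real_tool, path_env);
}

int main(void) {
    printf("by name under hostile PATH: exit %d\n", hijack_demo());
    printf("fixed absolute path:        exit %d\n", fixed_demo());
    printf("is_trusted_binary(/bin/sh) = %d\n", is_trusted_binary("/bin/sh"));
    return 0;
}
```

The two halves of the fix matter together: the absolute path removes the PATH lookup, and the fixed `envp` removes the rest of the inherited environment (LD_PRELOAD and friends), which the same attacker controls. `is_trusted_binary` is the sanity check to run once at startup on each configured path; it rejects the `/tmp` fixtures above and accepts a root-owned, non-writable `/bin/sh`.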
MyBB < 1.8.26 - stored XSS to SQL injection to RCE chain
A public exploit chain combining Stored XSS (CVE-2021-27889) with SQL Injection (CVE-2021-27890), leading to remote code execution in the popular MyBB forum engine.
The entry point was a Stored XSS in MyBB's nested video MyCode, which let an attacker inject script that ran in an administrator's browser session. Abusing that admin session opened the door to the SQL Injection in the admin panel, and finally to RCE via a template configuration overwrite.
I published a proof-of-concept and a full technical analysis of the chain. The vulnerabilities were fixed in MyBB 1.8.26.
VLC Player < 2.2.5 - heap-based buffer overflow in the subtitle parser
A Proof of Concept for a heap-based buffer overflow in the ParseJSS subtitle parser, potentially allowing code execution via a crafted subtitle file.
The vulnerability resided in the function parsing JACOsub-format subtitles (ParseJSS). A crafted subtitle file led to heap corruption, which under favorable conditions could be leveraged for code execution in the player context.
I prepared a PoC and a technical description enabling reproduction of the issue and verification of the fix.
Netgear DGN2200 - authentication bypass, CSRF and command injection chain
Analysis of an exploit chain in the Netgear DGN2200 router involving command injection / RCE in the device panel, chained with an authentication bypass and CSRF.
The chain exploited weaknesses in the admin panel authentication and the lack of proper validation of diagnostic parameters, allowing system command injection on the device. Combined with CSRF, the whole chain could be triggered remotely through the browser of a user on the router's network, without the attacker reaching the panel directly.
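The "lack of proper validation of diagnostic parameters" is a pattern worth showing side by side with its fix. The code below is an added example, not the DGN2200 firmware and not derived from it: a diagnostic-ping handler that splices the user-supplied host into a shell command line, next to a hardened replacement that validates the parameter positively and builds an argv for `execv()` so no shell ever parses it. The handler names, the `/bin/ping` path and the parameter format are assumptions.

```c
// Added example, not Netgear firmware: the command-injection pattern typical of
// a "diagnostic ping" handler, beside a hardened replacement that validates
// the parameter and never goes through a shell. Names and parameter format
// are assumptions; nothing here reproduces the DGN2200 code.
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the user-supplied host is spliced into a shell command
 * line that the handler would hand to system(). Returned here for inspection
 * instead of executed, so the injection is visible in the string itself. */
const char *build_ping_command_unsafe(const char *host) {
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "ping -c 3 %s", host);
    return cmd;
}

/* Hardened step 1: positive validation. Only hostname / dotted-IPv4 characters,
 * bounded length, and no leading '-' (which ping would read as an option). */
int is_valid_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-' || host[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened step 2: build an argv for execv() on an absolute path. Each element
 * is a separate argument, so ';', '|', '`' and '$(...)' are never interpreted by
 * a shell even if validation were bypassed. Returns NULL for a rejected host. */
const char *const *build_ping_argv(const char *host) {
    static char host_copy[256];
    static const char *argv[5];
    if (!is_valid_host(host)) return NULL;
    snprintf(host_copy, sizeof host_copy, "%s", host);
    argv[0] = "/bin/ping";   /* assumed location; resolve it once, never via PATH */
    argv[1] = "-c";
    argv[2] = "3";
    argv[3] = host_copy;
    argv[4] = NULL;
    return argv;
}

/* Constructed request parameter of the kind such a handler receives. */
const char *sample_injection(void) {
    return "8.8.8.8; cat /etc/passwd";
}
```

Validation alone is not enough on a device panel reachable by CSRF: the hardened handler also needs the request to carry an anti-CSRF token (or a checked Origin header) and a session that cannot be established by the authentication bypass, otherwise a clean `argv` only protects against the injection, not against the chain.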