• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware

 | 

Dahua Camera flaws allow remote hacking. Update firmware now

 | 

Researchers released a decryptor for the FunkSec ransomware

 | 

Apple fixed a zero-day exploited in attacks against Google Chrome users

 | 

PyPI maintainers alert users to email verification phishing attack

 | 

FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms

 | 

Critical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company

 | 

Orange reports major cyberattack, warns of service disruptions

 | 

Hackers leak images and comments from women dating safety app Tea

 | 

Pro-Ukraine hacktivists claim cyberattack on Russian Airline Aeroflot that caused the cancellation of +100 flights

 | 

Seychelles Commercial Bank Reported Cybersecurity Incident

 | 

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Mobile
  • Security
  • Cellebrite ‘s forensics tool affected by arbitrary code execution issue

Cellebrite ‘s forensics tool affected by arbitrary code execution issue

Pierluigi Paganini April 22, 2021

Cellebrite mobile forensics tool Ufed contains multiple flaws that allow arbitrary code execution on the device, SIGNAL creator warns.

Moxie Marlinspike, the creator of the popular encrypted messaging app Signal, announced that Cellebrite mobile forensics tools developed by Cellebrite are affected by multiple vulnerabilities that could be exploited to achieve arbitrary code execution.

Cellebrite develops forensics tools for law enforcement and intelligence agencies that allow automating physically extracting and indexing data from mobile devices. The popular cryptographer and researcher Moxie claims the list of customers of the company includes authoritarian regimes in Belarus, Russia, Venezuela, and China, death squads in Bangladesh, and military juntas in Myanmar.

In December December announced that its Physical Analyzer is able to decrypt messages and data from the Signal’s messaging app.

Cellebrite produce two primary pieces products, the UFED and Physical Analyzer. the former allows experts to create a backup the device onto the Windows machine running UFED, the latter parses the files from the backup to display the data in browsable form.

Moxie pointed out that the Cellebrite software parses data that comes from multiple apps running on the devices that represent an untrusted source. The data may not be formatted correctly and could potentially trigger a memory corruption vulnerability that leads to code execution on the device.

“the data Cellebrite’s software needs to extract and display is ultimately generated and controlled by the apps on the device, not a “trusted” source, so Cellebrite can’t make any assumptions about the “correctness” of the formatted data it is receiving. This is the space in which virtually all security vulnerabilities originate.” reads the post published by Moxie. “Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present”

The popular expert explained that the flaw could be exploited in multiple ways by simply including a specially formatted but otherwise innocuous file in any app on a device that when parsed by Cellebrite software could trigger the exploit.

“For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures” continues the expert.

The researcher shared a video POC of the attack that demonstrates how to trigger the issue while analyzing files stored in the device, the payload used by the expert leverages the MessageBox Windows API to deliver a message to the user.

Video Player
https://signal.org/blog/videos/cellebrite-hacktheplanet.mp4

Media error: Format(s) not supported or source(s) not found

Download File: https://signal.org/blog/videos/cellebrite-hacktheplanet.mp4?_=1
00:00
00:00
00:00
Use Up/Down Arrow keys to increase or decrease volume.

Moxie also noticed that that the installer for the Packet Analyzer includes MSI packages digitally signed by Apple and apparently extracted from the Windows installer for iTunes version 12.9.0.167.

Both packages import DLLs used to allow the forensic tools to extract data from iOS devices.

“It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users.” concludes the expert.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Cellebrite code execution vulnerability Hacking information security news IT Information Security malware mobile forensics Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 31, 2025
Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware
Read more
Pierluigi Paganini July 31, 2025
Attackers actively exploit critical zero-day in Alone WordPress Theme
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware

    APT / July 31, 2025

    Dahua Camera flaws allow remote hacking. Update firmware now

    Hacking / July 31, 2025

    Researchers released a decryptor for the FunkSec ransomware

    Malware / July 31, 2025

    Apple fixed a zero-day exploited in attacks against Google Chrome users

    Security / July 30, 2025

    PyPI maintainers alert users to email verification phishing attack

    Hacking / July 30, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT