OS X Coreaudiod Calls Uninitialized Function Pointer
Posted Jan 27, 2016
Authored by Google Security Research, markbrand

com.apple.audio.coreaudiod is reachable from various sandboxes, including the Safari renderer. coreaudiod is sandboxed and runs as its own user; nevertheless, it has access to various other interesting attack surfaces which Safari doesn't, allowing this bug to potentially form part of a full sandbox escape chain.

tags | exploit
systems | linux, apple
advisories | CVE-2015-7003
SHA-256 | 040c5bc4ee814b9abdf174150d4582e8d233b7e6ea6fe2992ae37f08d1dc46e2
IOBluetoothHCIUserClient Lack Of Bounds Checking
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks the size of that structInput, and SimpleDispatchWL goes on to read the field at +0x70 of the structInput.

tags | exploit
systems | linux
advisories | CVE-2015-7108
SHA-256 | c56f8e5cc82da06ddca32f877f2fa338106ff32a8c69efe2c67b6ac5c6b5196a
OS X Kernel Hypervisor Driver Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

The hv_space lock group gets an extra ref dropped when you kill a process with an AppleHV userclient: once via IOService::terminateWorker calling the AppleHVClient::free method (which calls lck_rw_free on the lock group using the pointer hanging off the global _hv variable), and a second time via the hypervisor machine_thread_destroy callback (hv_callback_thread_destroy), which also calls lck_rw_free with a lock group pointer taken from _hv.

tags | exploit
systems | linux
advisories | CVE-2015-7078
SHA-256 | 05bbdc4f970de720232f0fe75333057f8dbe21b2c91a3d821e577be39c6aed9b
Gst_configure Lack Of Bounds Checking / Toctou Buffer Overflow
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

The external method 0x206 of IGAccelGLContext is gst_configure. This method takes an arbitrary sized input structure (passed in rsi) but doesn't check the size of that structure (passed in rcx).

tags | exploit, arbitrary
systems | linux
advisories | CVE-2015-7077
SHA-256 | e94e24fe8cba2913f917f0f60d22c0acf21be5b012b6f82c3594d9dd86932b95
Pdfium Opj_jp2_apply_pclr Out-Of-Bounds Read
Posted Jan 27, 2016
Authored by Google Security Research, mjurczyk

Pdfium suffers from a heap-based out-of-bounds read in Opj_jp2_apply_pclr (libopenjpeg).

tags | exploit
systems | linux
SHA-256 | 97247ca7bd5dbf856539b4911c7436201d602271e02e9af4f663fa3fc5efda7a
iOS / OS X Iokit Registry Iterator Double Free
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

iOS / OS X suffer from a kernel double free due to lack of locking in Iokit registry iterator manipulation.

tags | exploit, kernel, registry
systems | cisco, linux, apple, osx, ios
advisories | CVE-2015-7084
SHA-256 | 8165a567612f28c0b556478f27c6f67dcb0caeb69b674c8e9e622681a9e157de
iOS Kernel IOReportHub Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

The iOS kernel suffers from a use-after-free vulnerability in IOReportHub.

tags | exploit, kernel
systems | cisco, linux, ios
advisories | CVE-2016-1719
SHA-256 | 372880071edb71ad2025e05e64439b5087b17a0a293d3814c5d4fbabdcbcdc0d
Wireshark Dissect_ber_constrained_bitstring Out-Of-Bounds Read
Posted Jan 27, 2016
Authored by Google Security Research, mjurczyk

Wireshark suffers from a heap-based out-of-bounds read in Dissect_ber_constrained_bitstring.

tags | exploit
systems | linux
SHA-256 | 629dc30b18484b20b8be6555ca4819e49f96bc1ce8b28537cc9772f20bfea7a8
iOS Kernel AppleOscarCMA Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

The iOS kernel suffers from a use-after-free vulnerability in AppleOscarCMA.

tags | exploit, kernel
systems | cisco, linux, ios
advisories | CVE-2016-1719
SHA-256 | 4640878ce067410ae3596bf74bbbfd8ccf473388034000bd3f132d57616e2107
IntelAccelerator:gstqConfigure Kernel NULL Dereference
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod. In the ::start method this field is initialized to NULL. The IGAccelDevice external method gst_configure (0x206) calls gstqConfigure which doesn't check whether the GSTContextKernel pointer is NULL, therefore by calling this external method before calling any others which allocate the GSTContextKernel we can cause a kernel NULL pointer dereference. The GSTContextKernel structure contains pointers, one of which eventually leads to control of a kernel virtual method call. This PoC will kernel panic calling 0xffff800041414141.

tags | exploit, kernel
systems | linux
advisories | CVE-2015-7106
SHA-256 | 9ba4909584ef4a22ac3f38fbff2047915ff0e5cb4a39226d02f5540d8bac2d54
IOKit Methods Being Called Without Locks From IOServiceClose
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel. You can in fact do this very simply by calling IOServiceClose on two threads. Like the spoofed notifications this leads to many bugs in many userclients, the exact nature of which depends on the semantics of the clientClose implementation.

tags | exploit, spoof
systems | linux
advisories | CVE-2016-1720
SHA-256 | 25c87d331724c51d81b1658a116bd5e77ebeedb53b236aa9fe1efaac0e2a8831
iOS / OS X NECP System Control Integer Overflow
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

iOS and OS X suffer from a kernel code execution vulnerability due to an integer overflow in NECP system control socket packet parsing.

tags | exploit, overflow, kernel, code execution
systems | cisco, linux, apple, osx, ios
advisories | CVE-2015-7083
SHA-256 | a90f8ff051275e3a2763ebcc399a8891e5415fd85649de1e7df1f7d097d14c5e
iOS / OS X IOHIDEventQueue:start Code Execution
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

iOS and OS X suffer from a kernel code execution vulnerability via double-delete in IOHIDEventQueue:start due to incorrect error handling.

tags | exploit, kernel, code execution
systems | cisco, linux, apple, osx, ios
advisories | CVE-2015-7112
SHA-256 | 6ac15af258a146b8752ac818073462c4ae8b5c574c8d1f8ee6cb3d0d6bc85d9f
Wireshark Iseries_check_file_type Out-Of-Bounds Read
Posted Jan 27, 2016
Authored by Google Security Research, mjurczyk

Wireshark suffers from a stack-based out-of-bounds read in Iseries_check_file_type.

tags | exploit
systems | linux
SHA-256 | d6928b50237f7c73c00ae88d01280c9cb05194d807b3a8048e954dfd065e219d
WordPress Ultimate CSV Importer 3.8.6 Cross Site Scripting
Posted Jan 27, 2016
Authored by Rahul Pratap Singh

WordPress Ultimate CSV Importer plugin version 3.8.6 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 4071fb697a7d5576f5de1863e60fe165edb9a8eb8735fa56cb438d04c37fe470
iOS / OS X Unsandboxable Kernel Use-After-Free In Mach Vouchers
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

The mach voucher subsystem fails to correctly handle spoofed no-more-senders messages. ipc_kobject_server will be called for mach messages sent to kernel-owned mach ports. If the msgh_id of the message can't be found in the mig_buckets hash table then this function calls ipc_kobject_notify. Note that this is the same code path which would be taken for a real no-more-senders notification message but there's nothing stopping user-space from also just sending one.

tags | exploit, kernel, spoof
systems | linux
advisories | CVE-2015-7047
SHA-256 | 1042bf509240fef0a9ac35c0d9ae68166b05f9869f97a04609c7cfaf25873502
OS X Kernel Panic Due To Bad Patch For CVE-2015-3712
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

A bad patch for CVE-2015-3712 allows for code execution due to insufficient bounds checking in NVIDIA GeForce command buffer processing.

tags | exploit, code execution
systems | linux
advisories | CVE-2015-7019
SHA-256 | ee9c46d5821b8af0488acb255e77382b0306b6ba04c458cde11f5fab2f6efff2
OSMetaClassBase:safeMetaCast Return Value Check Fail
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

IOUserClient::connectClient is an obscure IOKit method which, according to the docs, is supposed to "Inform a connection of a second connection." In fact IOKit provides no default implementation and only a handful of userclients actually implement it, and it's pretty much up to them to define the semantics of what "informing the connection of a second connection" actually means. One of the userclients which implements connectClient is IOAccelContext2, which is the parent of the IGAccelContext userclient family (the Intel GPU accelerator userclients). IOUserClient::connectClient is exposed to userspace as IOConnectAddClient.

tags | exploit
systems | linux
advisories | CVE-2015-6996
SHA-256 | e6b28ef3cbbacff31eb961ab63d921cbf6e4a18a44fb51c2925eaa646004d804
iOS Kernel AppleOscarGyro Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

The iOS kernel suffers from a use-after-free vulnerability in AppleOscarGyro.

tags | exploit, kernel
systems | cisco, linux, ios
advisories | CVE-2016-1719
SHA-256 | 4e06593eee3ee14b6e919071b2131a9da0f8320a680e792d7ad5ff9d7dbc3557
Barracuda Networks Message Archiver 650 XSS
Posted Jan 27, 2016
Authored by Ateeq ur Rehman Khan, Vulnerability Laboratory | Site vulnerability-lab.com

Barracuda Networks Message Archiver 650 suffers from client-side cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 1c0b73f24b7667d9fb0327e285dc28d2284d74620d2883f0ce6c017bf7538e6a
Atlassian Jira 6.1.4 Cross Site Scripting
Posted Jan 27, 2016
Authored by Razvan Cernaianu

Atlassian Jira versions 6.1.4 and below suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 69982c2e62642ecdd6d36596ed6e34438ea61178dc78a728f96a3b398a394b62
Wireshark Dissect_nhdr_extopt Buffer Overflow
Posted Jan 27, 2016
Authored by Google Security Research, mjurczyk

Wireshark suffers from a stack-based buffer overflow in Dissect_nhdr_extopt.

tags | exploit, overflow
systems | linux
SHA-256 | e5bb93c3d0ae53a0370f67f79a20eec4d3bc179a65634b7d8197cdbc08479166
Android sensord Local Root
Posted Jan 27, 2016
Authored by s0m3b0dy

Android sensord local root exploit.

tags | exploit, local, root
SHA-256 | 81fc11ebb3e31b76d066ddd79bc476422e02bd43e5bb43e9ef99238f55eb448e
IOHDIXControllerUserClient:convertClientBuffer Integer Overflow
Posted Jan 27, 2016
Authored by Google Security Research, Ian Beer

Method 5 of the IOHDIXController user client is createDrive64. This takes a 0x100-byte structure input from which it reads a userspace pointer and a size which it passes to IOHDIXController::convertClientBuffer. This wraps the memory pointed to by the userspace pointer in an IOMemoryDescriptor, then takes the user-provided size, casts it to a 32-bit type and adds one. It passes that value to IOMalloc. By passing a size of 0xffffffff we can cause an integer overflow and IOMalloc will be passed a size of 0. IOMalloc falls through to kalloc, which will quite happily make a 0-sized allocation for us and return a valid, writable kernel heap pointer.

tags | exploit, overflow, kernel
systems | linux
advisories | CVE-2015-6995
SHA-256 | 7c1b4d44f576a45333e8a5f38a438bc7780560237ca558e684660c3e2a87a9cb
WordPress Appointment Booking Calendar 1.1.23 Shortcode SQL Injection
Posted Jan 26, 2016
Authored by Joaquin Ramirez Martinez

WordPress Appointment Booking Calendar plugin versions 1.1.23 and below suffer from a shortcode remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 0c5cdf3268781bb2f238da8e18318c0012ae4af07a426704ca51e73453e1392d
© 2022 Packet Storm. All rights reserved.
