Showing 1 - 25 of 57

Files from Jann Horn

Email address: jannhorn at googlemail.com
First Active: 2013-03-14
Last Active: 2018-05-24

Linux Ext4 Out-Of-Bounds Memcpy
Posted May 24, 2018
Authored by Jann Horn, Google Security Research

Linux ext4 suffers from an out-of-bounds memcpy via a non-inline system.data xattr.

tags | exploit
systems | linux
MD5 | 0cb247cca18add1aee1a164432f6a72c

Speculative Execution Variant 4
Posted May 24, 2018
Authored by Jann Horn, Google Security Research

Variant 4 of the speculative execution vulnerability that focuses on a speculative store bypass.

tags | exploit
advisories | CVE-2018-3639
MD5 | 0c2f7e12ec920a6130940707130bd9fe

Linux 4-Byte Information Leak
Posted May 18, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from a 4-byte information leak via an uninitialized struct field in the compat adjtimex syscall.

tags | exploit
systems | linux
MD5 | 3e22473d4edff1e68082884c6f7a235b

FreeBSD Security Advisory - FreeBSD-SA-18:03.speculative_execution
Posted Mar 14, 2018
Authored by Jann Horn, Yuval Yarom, Michael Schwarz, Mike Hamburg, Moritz Lipp, Paul Kocher, Werner Haas, Thomas Prescher, Stefan Mangard, Daniel Gruss, Daniel Genkin | Site security.freebsd.org

FreeBSD Security Advisory - A number of issues relating to speculative execution were found last year and publicly announced January 3rd. Two of these, known as Meltdown and Spectre V2, are addressed here.

tags | advisory
systems | freebsd, bsd
advisories | CVE-2017-5715, CVE-2017-5754
MD5 | a26c0e3e31cfe9f94c14cc22c3de9089

MacOS sysctl_vfs_generic_conf Stack Leak
Posted Jan 27, 2018
Authored by Jann Horn, Google Security Research

MacOS suffers from a sysctl_vfs_generic_conf stack leak through struct padding.

tags | advisory
advisories | CVE-2018-4090
MD5 | 376a5cb1ecad7a5a4de3c6b7b7067429

MacOS sysctl_default_netsvctype_to_dscp_map / sysctl_dscp_to_wifi_ac_map Stack Leak
Posted Jan 27, 2018
Authored by Jann Horn, Google Security Research

MacOS suffers from a sysctl_default_netsvctype_to_dscp_map and sysctl_dscp_to_wifi_ac_map stack leak through struct padding.

tags | advisory
advisories | CVE-2018-4093
MD5 | ae34699e2753df4dc0f4fbe8b25d4bd5

eBPF 4.9-stable Verifier Bug Backported
Posted Jan 12, 2018
Authored by Jann Horn, Google Security Research

eBPF had the verifier bug backported to version 4.9-stable.

tags | exploit
MD5 | 8a1c22a5152b26d19ce1cffd65c19ab9

macOS process_policy Stack Leak
Posted Jan 12, 2018
Authored by Jann Horn, Google Security Research

macOS suffers from a process_policy stack leak through an uninitialized field.

tags | exploit
advisories | CVE-2017-7154
MD5 | 087461a94f1e181ee115eef15d6fd864

CPU Speculative Execution Information Leak
Posted Jan 10, 2018
Authored by Jann Horn, Google Security Research

An information leak using speculative execution exists in CPUs by Intel, AMD, and to some extent, ARM.

tags | exploit
MD5 | b69690cdd34a7503e0457b6da3b6cd0e

VMware Workstation ALSA Config File Local Privilege Escalation
Posted Jan 5, 2018
Authored by Brendan Coles, Jann Horn | Site metasploit.com

This Metasploit module exploits a vulnerability in VMware Workstation Pro and Player on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card. This Metasploit module has been tested successfully on VMware Player version 12.5.0 on Debian Linux.

tags | exploit, root
systems | linux, debian
advisories | CVE-2017-4915
MD5 | f3b6448b87cca47f57a97189ff144abb

Reading Privileged Memory With A Side-Channel
Posted Jan 4, 2018
Authored by Jann Horn, Google Security Research | Site googleprojectzero.blogspot.co.uk

This is the very thorough blog write-up discussing three variants of side-channel attacks that can be leveraged against CPU data cache timing.

tags | paper
advisories | CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
MD5 | 2363cefeef0652a5bd4abcd5e6ee4559

eBPF Arbitrary Read/Write Via Incorrect Range Tracking
Posted Dec 22, 2017
Authored by Jann Horn, Google Security Research

eBPF suffers from an arbitrary read and write vulnerability via incorrect range tracking.

tags | exploit, arbitrary
MD5 | ad6516e5054737ab0ef7abdefd3ba79b

macOS getrusage Stack Leak
Posted Dec 12, 2017
Authored by Jann Horn, Google Security Research

macOS suffers from a getrusage stack leak through struct padding.

tags | exploit
advisories | CVE-2017-13869
MD5 | 7b47e5940f3ef53d7ed82338cc4b4ae9

macOS necp_get_socket_attributes so_pcb Type Confusion
Posted Dec 12, 2017
Authored by Jann Horn, Google Security Research

macOS suffers from an so_pcb type confusion vulnerability in necp_get_socket_attributes.

tags | exploit
advisories | CVE-2017-13855
MD5 | 420bee1dc1be795e79cb3c03b5f47731

Linux mincore() Kernel Heap Page Disclosure
Posted Nov 25, 2017
Authored by Jann Horn, Google Security Research

Linux mincore() discloses uninitialized kernel heap pages. When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace.

tags | exploit, kernel
systems | linux
MD5 | bd34c6c3fcf525c4eeb4d8210cfb768c

Xen Unbounded Recursion In Pagetable De-Typing
Posted Oct 19, 2017
Authored by Jann Horn, Google Security Research

Xen allows pagetables of the same level to map each other as readonly in PV domains. This is useful if a guest wants to use the self-referential pagetable trick for easy access to pagetables by mapped virtual address.

tags | exploit
MD5 | 7b0613bdfa02a772faa0631e1daf6f95

Tor Linux Sandbox Breakout Via X11
Posted Sep 7, 2017
Authored by Jann Horn, Google Security Research

It appears that you can still talk to X11 outside of the Tor sandbox.

tags | exploit
MD5 | 21d81cf14e7577ac16e4401020dd33e8

Linux eBPF Verify Log Leak
Posted May 23, 2017
Authored by Jann Horn, Google Security Research

On Linux, the eBPF verifier log leaks the lower half of a map pointer.

tags | advisory
systems | linux
MD5 | 4dc6117fdf8c57334009b5e438357d7d

MacOS Raw Frame Pointers In Stackshot
Posted May 23, 2017
Authored by Jann Horn, Google Security Research

This is an issue on MacOS that allows un-entitled root to read kernel frame pointers, which might be useful in combination with a kernel memory corruption bug.

tags | exploit, kernel, root
advisories | CVE-2017-2516
MD5 | 5681e6a07ccbf5cc21fde6f5e3fa61b7

MacOS 32-Bit Syscall Exit Kernel Register Leak
Posted May 23, 2017
Authored by Jann Horn, Google Security Research

MacOS suffers from a kernel register leak via 32-bit syscall exit.

tags | exploit, kernel
advisories | CVE-2017-2509
MD5 | 843234a6ae86bbe1332e22a54aaa96c1

VMWare Workstation On Linux Privilege Escalation
Posted May 22, 2017
Authored by Jann Horn, Google Security Research

This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root privileges. The issue is that, for VMs with audio, the privileged VM host process loads libasound, which parses ALSA configuration files, including one at ~/.asoundrc. libasound is not designed to run in a setuid context and deliberately permits loading arbitrary shared libraries via dlopen().

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2017-4915
MD5 | 6cd7c22bba1395ea99fb53bce68676a2

Xen 64bit PV Guest Breakout Via Pagetable Use-After-Type-Change
Posted May 8, 2017
Authored by Jann Horn, Google Security Research

This is a bug in Xen that permits an attacker with control over the kernel of a 64bit X86 PV guest to write arbitrary entries into a live top-level pagetable.

tags | exploit, arbitrary, x86, kernel
MD5 | 5a144654a1b03c1ef898b305457a091d

VirtualBox Unprivileged Host User To Host Kernel Privilege Escalation
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from an unprivileged host user to host kernel privilege escalation via ALSA config.

tags | exploit, kernel
advisories | CVE-2017-3576
MD5 | dca9d69e8a8c16f4ac99724d454653cf

VirtualBox Guest-To-Host Out-Of-Bounds Write
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from a guest-to-host out-of-bounds write via virtio-net.

tags | advisory
advisories | CVE-2017-3575
MD5 | 0748ee091b775b94daca046bf551edc0

VirtualBox Host User To Host Kernel Privilege Escalation
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from an unprivileged host user to host kernel privilege escalation vulnerability via environment and ioctl.

tags | exploit, kernel
advisories | CVE-2017-3561
MD5 | 5f5257c0521f76504084b603e8ef11c6

Page 1 of 3

© 2018 Packet Storm. All rights reserved.