Exploit the possiblities
Showing 1 - 25 of 53 RSS Feed

Files from Jann Horn

Email addressjannhorn at googlemail.com
First Active2013-03-14
Last Active2018-01-27
MacOS sysctl_vfs_generic_conf Stack Leak
Posted Jan 27, 2018
Authored by Jann Horn, Google Security Research

MacOS suffers from a sysctl_vfs_generic_conf stack leak through struct padding.

tags | advisory
advisories | CVE-2018-4090
MD5 | 376a5cb1ecad7a5a4de3c6b7b7067429
MacOS sysctl_default_netsvctype_to_dscp_map / sysctl_dscp_to_wifi_ac_map Stack Leak
Posted Jan 27, 2018
Authored by Jann Horn, Google Security Research

MacOS suffers from a sysctl_default_netsvctype_to_dscp_map and sysctl_dscp_to_wifi_ac_map stack leak through struct padding.

tags | advisory
advisories | CVE-2018-4093
MD5 | ae34699e2753df4dc0f4fbe8b25d4bd5
eBPF 4.9-stable Verifier Bug Backported
Posted Jan 12, 2018
Authored by Jann Horn, Google Security Research

eBPF had the verifier bug backported to version 4.9-stable.

tags | exploit
MD5 | 8a1c22a5152b26d19ce1cffd65c19ab9
macOS process_policy Stack Leak
Posted Jan 12, 2018
Authored by Jann Horn, Google Security Research

macOS suffers from a process_policy stack leak through an uninitialized field.

tags | exploit
advisories | CVE-2017-7154
MD5 | 087461a94f1e181ee115eef15d6fd864
CPU Speculative Execution Information Leak
Posted Jan 10, 2018
Authored by Jann Horn, Google Security Research

An information leak using speculative execution exists in CPUs by Intel, AMD, and to some extent, ARM.

tags | exploit
MD5 | b69690cdd34a7503e0457b6da3b6cd0e
VMware Workstation ALSA Config File Local Privilege Escalation
Posted Jan 5, 2018
Authored by Brendan Coles, Jann Horn | Site metasploit.com

This Metasploit module exploits a vulnerability in VMware Workstation Pro and Player on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card. This Metasploit module has been tested successfully on VMware Player version 12.5.0 on Debian Linux.

tags | exploit, root
systems | linux, debian
advisories | CVE-2017-4915
MD5 | f3b6448b87cca47f57a97189ff144abb
Reading Privileged Memory With A Side-Channel
Posted Jan 4, 2018
Authored by Jann Horn, Google Security Research | Site googleprojectzero.blogspot.co.uk

This is the very thorough blog write-up discussing three variants of side-channel attacks that can be leveraged against CPU data cache timing.

tags | paper
advisories | CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
MD5 | 2363cefeef0652a5bd4abcd5e6ee4559
eBPF Arbitrary Read/Write Via Incorrect Range Tracking
Posted Dec 22, 2017
Authored by Jann Horn, Google Security Research

eBPF suffers from an arbitrary read and write vulnerability via incorrect range tracking.

tags | exploit, arbitrary
MD5 | ad6516e5054737ab0ef7abdefd3ba79b
macOS getrusage Stack Leak
Posted Dec 12, 2017
Authored by Jann Horn, Google Security Research

macOS suffers from a getrusage stack leak through struct padding.

tags | exploit
advisories | CVE-2017-13869
MD5 | 7b47e5940f3ef53d7ed82338cc4b4ae9
macOS necp_get_socket_attributes so_pcb Type Confusion
Posted Dec 12, 2017
Authored by Jann Horn, Google Security Research

macOS suffers from an so_pcb type confusion vulnerability in necp_get_socket_attributes.

tags | exploit
advisories | CVE-2017-13855
MD5 | 420bee1dc1be795e79cb3c03b5f47731
Linux mincore() Kernel Heap Page Disclosure
Posted Nov 25, 2017
Authored by Jann Horn, Google Security Research

Linux mincore() discloses uninitialized kernel heap pages. When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace.

tags | exploit, kernel
systems | linux
MD5 | bd34c6c3fcf525c4eeb4d8210cfb768c
Xen Unbounded Recursion In Pagetable De-Typing
Posted Oct 19, 2017
Authored by Jann Horn, Google Security Research

Xen allows pagetables of the same level to map each other as readonly in PV domains. This is useful if a guest wants to use the self-referential pagetable trick for easy access to pagetables by mapped virtual address.

tags | exploit
MD5 | 7b0613bdfa02a772faa0631e1daf6f95
Tor Linux Sandbox Breakout Via X11
Posted Sep 7, 2017
Authored by Jann Horn, Google Security Research

It appears that you can still talk to X11 outside of the Tor sandbox.

tags | exploit
MD5 | 21d81cf14e7577ac16e4401020dd33e8
Linux eBPF Verify Log Leak
Posted May 23, 2017
Authored by Jann Horn, Google Security Research

On Linux, the eBPF verifier log leaks the lower half of a map pointer.

tags | advisory
systems | linux
MD5 | 4dc6117fdf8c57334009b5e438357d7d
MacOS Raw Frame Pointers In Stackshot
Posted May 23, 2017
Authored by Jann Horn, Google Security Research

This is an issue on MacOS that allows un-entitled root to read kernel frame pointers, which might be useful in combination with a kernel memory corruption bug.

tags | exploit, kernel, root
advisories | CVE-2017-2516
MD5 | 5681e6a07ccbf5cc21fde6f5e3fa61b7
MacOS 32-Bit Syscall Exit Kernel Register Leak
Posted May 23, 2017
Authored by Jann Horn, Google Security Research

MacOS suffers from a kernel register leak via 32-bit syscall exit.

tags | exploit, kernel
advisories | CVE-2017-2509
MD5 | 843234a6ae86bbe1332e22a54aaa96c1
VMWare Workstation On Linux Privilege Escalation
Posted May 22, 2017
Authored by Jann Horn, Google Security Research

This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root privileges. The issue is that, for VMs with audio, the privileged VM host process loads libasound, which parses ALSA configuration files, including one at ~/.asoundrc. libasound is not designed to run in a setuid context and deliberately permits loading arbitrary shared libraries via dlopen().

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2017-4915
MD5 | 6cd7c22bba1395ea99fb53bce68676a2
Xen 64bit PV Guest Breakout Via Pagetable Use-After-Type-Change
Posted May 8, 2017
Authored by Jann Horn, Google Security Research

This is a bug in Xen that permits an attacker with control over the kernel of a 64bit X86 PV guest to write arbitrary entries into a live top-level pagetable.

tags | exploit, arbitrary, x86, kernel
MD5 | 5a144654a1b03c1ef898b305457a091d
VirtualBox Unprivilege Host User To Host Kernel Privilege Escalation
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from an unprivileged host user to host kernel privilege escalation via ALSA config.

tags | exploit, kernel
advisories | CVE-2017-3576
MD5 | dca9d69e8a8c16f4ac99724d454653cf
VirtualBox Guest-To-Host Out-Of-Bounds Write
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from a guest-to-host out-of-bounds write via virtio-net.

tags | advisory
advisories | CVE-2017-3575
MD5 | 0748ee091b775b94daca046bf551edc0
VirtualBox Host User To Host Kernel Privilege Escalation
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from an unprivileged host user to host kernel privilege escalation vulnerability via environment and ioctl.

tags | exploit, kernel
advisories | CVE-2017-3561
MD5 | 5f5257c0521f76504084b603e8ef11c6
VirtualBox Guest-To-Host Local Privilege Escalation
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from a guest-to-host local privilege escalation vulnerability via broken length handling in slirp copy.

tags | exploit, local
advisories | CVE-2017-3558
MD5 | a88ca7fea026237f49504743f2ebd524
Xen memory_exchange() Guest Breakout
Posted Apr 10, 2017
Authored by Jann Horn, Google Security Research

Xen suffers from a broken check in memory_exchange() that permits a PV guest breakout.

tags | exploit
advisories | CVE-2017-7228
MD5 | aa31f251ac964d32a781e52a20d3824f
Samba Symlink Race Permits Opening Files
Posted Mar 27, 2017
Authored by Jann Horn, Google Security Research

Samba suffers from a symlink race that permits opening files outside of the share directory.

tags | exploit
advisories | CVE-2017-2619
MD5 | 25450779e8fb998831d9a67d898707d0
OpenSSH On Cygwin SFTP Client Directory Traversal
Posted Mar 22, 2017
Authored by Jann Horn, Google Security Research

Portable OpenSSH supports running on Cygwin. However, the SFTP client only filters out forward slashes (in do_lsreaddir()) and the directory names "." and ".." (in download_dir_internal()). On Windows, including in Cygwin, backslashes can a lso be used for directory traversal.

tags | exploit
systems | windows
MD5 | 2069de5aceb936104c15b6d7d812f974
Page 1 of 3
Back123Next

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    2 Files
  • 19
    Feb 19th
    11 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close