exploit the possibilities
Showing 1 - 25 of 137 RSS Feed

Files from Jann Horn

Email addressjannh at google.com
First Active2013-03-14
Last Active2020-10-02
udisks / Linux Kernel romfs Leakage
Posted Oct 2, 2020
Authored by Jann Horn, Google Security Research

udisks and the Linux kernel have an issue where udisks permits users to mount romfs and romfs leaks uninitialized memory to userspace.

tags | exploit, kernel
systems | linux
MD5 | c048313af977e032061fd3c992081768
Linux expand_downwards() / munmap() Race Condition
Posted Sep 14, 2020
Authored by Jann Horn, Google Security Research

A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.

tags | exploit, kernel
systems | linux
MD5 | af84b28deac71be6c5fa63ed3e242c89
Linux CoW Incorrect Access Grant
Posted Aug 25, 2020
Authored by Jann Horn, Google Security Research

A Linux copy-on-write issue can wrongly grant write access.

tags | exploit
systems | linux
MD5 | cb589228c2f3845aa384c84f4717d60e
Android App Zygotes Improper Guarding
Posted Aug 14, 2020
Authored by Jann Horn, Google Security Research

On Android, app zygotes do not properly guard against UID reuse attacks, leak AID_READPROC, and expose mlstrustedsubject.

tags | exploit
advisories | CVE-2020-0258
MD5 | eebe6e6bf1383e7dfd3785cc4de920bc
c-ares 1.16.0 Use-After-Free
Posted Aug 4, 2020
Authored by Jann Horn, Google Security Research

c-ares version 1.16.0 has an issue where ares_destroy() with pending ares_getaddrinfo() leads to a use-after-free condition.

tags | advisory
MD5 | 1464ba2a11ec60f5b9714b8e26693d59
Linux 5.6 IORING_OP_MADVISE Race Condition
Posted May 8, 2020
Authored by Jann Horn, Google Security Research

Linux 5.6 has an issue with IORING_OP_MADVISE racing with coredumping.

tags | exploit
systems | linux
MD5 | 48173960a553b8ac2d2d1b4706631456
Linux futex+VFS Use-After-Free
Posted May 8, 2020
Authored by Jann Horn, Google Security Research

Linux futex+VFS suffers from an improper inode reference in get_futex_key() that causes a use-after-free if the superblock goes away.

tags | exploit
systems | linux
MD5 | b10f0f2bf1162cf416ade38ced936f86
Linux Omitted TID Increment
Posted Apr 10, 2020
Authored by Jann Horn, Google Security Research

Linux has an issue where the SLUB bulk allocation slowpath omits a required TID increment.

tags | exploit
systems | linux
MD5 | b56ff43167ac1143eeafa23f56b39a25
Linux 5.3 Insecure Root Path Handling
Posted Apr 10, 2020
Authored by Jann Horn, Google Security Research

Linux versions 5.3 and above appear to have an issue where io_uring suffers from insecure handling of the root directory for path lookups.

tags | exploit, root
systems | linux
MD5 | cd4620f1e39d2b19219c64ba6facc1f3
Android Binder Use-After-Free
Posted Feb 24, 2020
Authored by Jann Horn, timwr, Maddie Stone, grant-h | Site metasploit.com

Android Binder use-after-free exploit.

tags | exploit
advisories | CVE-2019-2215
MD5 | b8930f3f9adad2325c20b748158a44e3
Samsung SEND_FILE_WITH_HEADER Use-After-Free
Posted Feb 12, 2020
Authored by Jann Horn, Google Security Research

Samsung suffers from a use-after-free vulnerability due to a missing lock in the SEND_FILE_WITH_HEADER handler in f_mtp_samsung.c.

tags | exploit
MD5 | c32b0a6b8edad815d87eab3aadeb33e9
Samsung Kernel PROCA Use-After-Free / Double-Free
Posted Feb 12, 2020
Authored by Jann Horn, Google Security Research

The Samsung kernel has logic bug and locking issues in PROCA that can lead to use-after-free and double-free issues from an application's context.

tags | exploit, kernel
MD5 | 4809998625c6770bf24721a33e8e7f18
Reliable Datagram Sockets (RDS) rds_atomic_free_op Privilege Escalation
Posted Jan 22, 2020
Authored by Brendan Coles, Jann Horn, Mohamed Ghannam, nstarke, wbowling | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted (default); then it will be loaded automatically. This exploit supports 64-bit Ubuntu Linux systems, including distributions based on Ubuntu, such as Linux Mint and Zorin OS. This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various 4.4 and 4.8 kernels.

tags | exploit, kernel, root
systems | linux, ubuntu
advisories | CVE-2018-5333, CVE-2019-9213
MD5 | e83495fea436d8a384500ace26357f2f
Android ashmem Read-Only Bypasses
Posted Jan 10, 2020
Authored by Jann Horn, Google Security Research

Android suffers from ashmem read-only bypass vulnerabilities via remap_file_pages() and ASHMEM_UNPIN.

tags | exploit, vulnerability
advisories | CVE-2020-0009
MD5 | 1ce1f492c6697220a1377f632e2b8f79
Linux sendmsg() Privilege Escalation
Posted Dec 16, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from a privilege escalation vulnerability via io_uring offload of sendmsg() onto kernel thread with kernel creds.

tags | exploit, kernel
systems | linux
advisories | CVE-2019-19241
MD5 | 7594e7ead982b1ba2cb61b42fa00ac35
macOS update_dyld_shared_cache Privilege Escalation
Posted Nov 21, 2019
Authored by Jann Horn, Google Security Research

macOS suffers from an update_dyld_shared_cache privilege escalation vulnerability.

tags | exploit
MD5 | ccb563e2e8325980cd5cfa90ec74c416
Ubuntu shiftfs refcount Underflow / Type Confusion
Posted Nov 14, 2019
Authored by Jann Horn, Google Security Research

Ubuntu suffers from refcount underflow and type confusion vulnerabilities in shiftfs.

tags | exploit, vulnerability
systems | linux, ubuntu
advisories | CVE-2019-15793
MD5 | 0997e77626bf20fe372537310c94c69f
Ubuntu ubuntu-aufs-modified mmap_region() Refcounting Issue
Posted Nov 12, 2019
Authored by Jann Horn, Google Security Research

Ubuntu suffers from an issue where ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs error path.

tags | exploit
systems | linux, ubuntu
advisories | CVE-2019-15794
MD5 | dbc5f5b20329ede3b61e960c453e1e6a
XNU Missing Locking Race Condition
Posted Nov 5, 2019
Authored by Jann Horn, Google Security Research

XNU has an issue where missing locking in checkdirs_callback() enables a race condition with fchdir_common().

tags | exploit
MD5 | 85e06607829ab208006bfe5a5ef59847
Linux Polkit pkexec Helper PTRACE_TRACEME Local Root
Posted Oct 23, 2019
Authored by Brendan Coles, Jann Horn, timwr | Site metasploit.com

This Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.

tags | exploit, kernel, local, root
systems | linux
advisories | CVE-2019-13272
MD5 | a67b52657090e25d42aa370f66e7ca88
XNU Data Race Remote Double-Free
Posted Oct 7, 2019
Authored by Jann Horn, Google Security Research

XNU suffers from a remote double-free vulnerability due to a data race in IPComp input path.

tags | exploit, remote
advisories | CVE-2019-8717
MD5 | f107571d24ce915ad24992a19c351dc1
Linux show_numa_stats() Use-After-Free
Posted Aug 8, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from use-after-free read vulnerabilities in show_numa_stats().

tags | exploit, vulnerability
systems | linux
MD5 | 19f13c14c14a87e2b867f6b005de2eae
Linux PTRACE_TRACEME Broken Permission / Object Lifetime Handling
Posted Jul 16, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from broken permission and object lifetime handling for PTRACE_TRACEME.

tags | exploit
systems | linux
advisories | CVE-2019-13272
MD5 | 91c78e7e5a824d9c7ed235f47eecb190
Google ChromeOS SafeSetID LSM Transitive Trust
Posted Jul 3, 2019
Authored by Jann Horn, Google Security Research

Google ChromeOS SafeSetID LSM suffers from privilege escalation vulnerabilities.

tags | advisory, vulnerability
MD5 | 1eb159ed1602375544f5e4c09949e034
Linux Race Condition Use-After-Free
Posted Jun 20, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from a use-after-free via a race condition between modify_ldt() and #BR exception.

tags | exploit
systems | linux
MD5 | bde5e2b4c6bf6932f0057efcb1d79bac
Page 1 of 6
Back12345Next

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close