what you don't know can hurt you
Showing 1 - 25 of 152 RSS Feed

Files from Jann Horn

Email addressjannh at google.com
First Active2013-03-14
Last Active2022-05-09
Linux PT_SUSPEND_SECCOMP Permission Bypass / Death Race
Posted May 9, 2022
Authored by Jann Horn, Google Security Research

Linux suffers from two bugs in PT_SUSPEND_SECCOMP. One allows for permission bypass and the other relates to a ptracer death race.

tags | exploit
systems | linux
SHA-256 | 090e7e5a723be850497afe230306c956241cce0eb429877bf07e8c0f06eb2a40
Watch Queue Out-Of-Bounds Write
Posted Apr 21, 2022
Authored by Jann Horn, bwatters-r7, bonfee | Site metasploit.com

This Metasploit module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attempts occur, however this is unlikely.

tags | exploit, denial of service, kernel
systems | linux
advisories | CVE-2022-0995
SHA-256 | b59181d9b536ad31ebdc6b3f83985c65e49fbe3242468f7709e7bb7a2d4b1e5f
BlueZ Key Theft / bluetoothd Double-Free
Posted Apr 19, 2022
Authored by Jann Horn, Google Security Research

BlueZ suffers from a vulnerability where a malicious USB device can steal Bluetooth link keys over HCI using a fake BD_ADDR. It was also discovered that bluetoothd suffers from a double-free memory corruption flaw.

tags | exploit
SHA-256 | 8a1aa43e53f3253ec88afc78d193bedf1f90ff6d4fdbe4fc1be57e91906b1055
Linux FUSE Use-After-Free
Posted Apr 19, 2022
Authored by Jann Horn, Google Security Research

Linux suffers from a vulnerability where FUSE allows use-after-free reads of write() buffers, allowing theft of (partial) /etc/shadow hashes.

tags | exploit
systems | linux
advisories | CVE-2022-1011
SHA-256 | 2013a523f6140f5f94778f15578c0f1d52f0a0bddd81e46cc48963fbe8fd4efb
Linux watch_queue Filter Out-Of-Bounds Write
Posted Apr 19, 2022
Authored by Jann Horn, Google Security Research

The Linux watch_queue filter suffers from an out of bounds write vulnerability.

tags | exploit
systems | linux
advisories | CVE-2022-0995
SHA-256 | 48bdbb27c736f9c5dd12453993d4bc23ee38e3c25b3e23faef205b92dcf36f51
Linux ax88179_rx_fixup() Out-Of-Bounds Access
Posted Mar 21, 2022
Authored by Jann Horn, Google Security Research

In Linux, drivers/net/usb/ax88179_178a.c contains multiple out-of-bounds accesses in ax88179_rx_fixup(), the function responsible for taking a buffer received over USB and splitting it up into ethernet packets.

tags | advisory
systems | linux
SHA-256 | d31f6a101db6dc5fd85ff3bf16404acb26c0969c2cd57cc1adc10f3d4419cf21
Linux Garbage Collection Memory Corruption
Posted Jan 10, 2022
Authored by Jann Horn, Google Security Research

Linux suffers from a garbage collection memory corruption vulnerability by resurrecting a file reference through RCU.

tags | exploit
systems | linux
advisories | CVE-2021-4083
SHA-256 | 638d1db3f45bcd59a8ce424b7eb6551bbe0ff49ecd4eb9c767f096560f4687de
Android VM_MAYWRITE Access To Shared Zygote JIT Mapping
Posted Dec 17, 2021
Authored by Jann Horn, Google Security Research

This bug report describes a vulnerability in ART that allows normal applications to insert arbitrary code into unused executable memory in zygote and other applications.

tags | exploit, arbitrary
advisories | CVE-2021-0959
SHA-256 | 0b76a7bc1be55f6a0ca439ea53194142e663f42e1e49261458b945a5c953244c
Android vold Unsafe Mounting
Posted Dec 2, 2021
Authored by Jann Horn, Google Security Research

Android's vold's incremental-fs APIs trust paths from system_server for mounting. There is supposed to be privilege separation between vold (TCB) and system_server (privileged process). However, vold's IPC handlers related to incremental-fs (mountIncFs, unmountIncFs, bindMount) allow system_server to specify semi-arbitrary paths, allowing system_server to trigger mounting on directories that shouldn't be under system_server control.

tags | exploit, arbitrary
advisories | CVE-2022-20002
SHA-256 | 6308f611ecd07bd987f8455171c29a25eff87e81ccf2cc8daeca7812645ea262
Linux SO_PEERCRED / SO_PEERGROUPS Race Condition / Use-After-Free
Posted Nov 18, 2021
Authored by Jann Horn, Google Security Research

Linux suffered from a use-after-free read vulnerability related to an SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()). This has been addressed in stable versions 5.14.10, 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.4.288, and 4.9.286.

tags | exploit
systems | linux
SHA-256 | e9d2577d94228c65d76a056d879671aaba39469ae3acffd647bebed060eeeb31
Linux SELinux PTRACE_TRACEME Handler Use-After-Free
Posted Oct 26, 2021
Authored by Jann Horn, Google Security Research

Linux suffers from a use-after-free read in the SELinux handler for PTRACE_TRACEME.

tags | exploit
systems | linux
SHA-256 | 796440de4a29bc2603d127196092fc9ccdd7e9044bbb208b4660cc96ceeb0dcd
Tor Half-Closed Connection Stream Confusion
Posted Jul 15, 2021
Authored by Jann Horn, Google Security Research

Tor suffers from an issue where half-closed connection tracking ignores layer_hint and due to this, entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between OP and exit.

tags | exploit, spoof
advisories | CVE-2021-34548
SHA-256 | 0544acc1f8cb71eaae260f7d2c03e6b0c3ebabe6b8549cd83018b8757f7db64a
ChromeOS arc-obb-mounter Missing Path Restriction
Posted Jun 14, 2021
Authored by Jann Horn, Google Security Research

ChromeOS suffers from a missing path restriction vulnerability in arc-obb-mounter.

tags | exploit
SHA-256 | 5a39171dc660d2c47df5696635fea0f20a0814593c67d9aa4f2ca1cf665e8660
Linux TIOCSPGRP Broken Locking
Posted Dec 22, 2020
Authored by Jann Horn, Google Security Research

Linux suffers from broken locking in TIOCSPGRP that can lead to a corrupted refcount.

tags | exploit
systems | linux
advisories | CVE-2020-29661
SHA-256 | 3d16d56ff43c2ab3355f19116f22e1a94fc89347899d1d2c15556ab0e4b4191b
Linux io_uring SUID Boundary Access Violation
Posted Dec 7, 2020
Authored by Jann Horn, Google Security Research

Linux io_uring suffers from mm and files access across suid binaries.

tags | exploit
systems | linux
SHA-256 | 31c54d98daff1e1981a30c608516455dff4f229558f13e5503ad476e283c3e0f
udisks / Linux Kernel romfs Leakage
Posted Oct 2, 2020
Authored by Jann Horn, Google Security Research

udisks and the Linux kernel have an issue where udisks permits users to mount romfs and romfs leaks uninitialized memory to userspace.

tags | exploit, kernel
systems | linux
SHA-256 | 35a3fb65f205fc4d18eb799a00a5f48e0f59e4554d59a19758e3936768b1b633
Linux expand_downwards() / munmap() Race Condition
Posted Sep 14, 2020
Authored by Jann Horn, Google Security Research

A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.

tags | exploit, kernel
systems | linux
SHA-256 | 12c19d8bb64bc07c6c91f0dc616830116f9cf648c2c843890b7c779c318ceed4
Linux CoW Incorrect Access Grant
Posted Aug 25, 2020
Authored by Jann Horn, Google Security Research

A Linux copy-on-write issue can wrongly grant write access.

tags | exploit
systems | linux
SHA-256 | fb12dc1d9b3c3b8710974411c8e04357da6fc10cd0ae77c98600c7e8fdfa8813
Android App Zygotes Improper Guarding
Posted Aug 14, 2020
Authored by Jann Horn, Google Security Research

On Android, app zygotes do not properly guard against UID reuse attacks, leak AID_READPROC, and expose mlstrustedsubject.

tags | exploit
advisories | CVE-2020-0258
SHA-256 | 259e249f92035fcc7a0f05456a83799f739c985a9863269f49049822d3dfa37f
c-ares 1.16.0 Use-After-Free
Posted Aug 4, 2020
Authored by Jann Horn, Google Security Research

c-ares version 1.16.0 has an issue where ares_destroy() with pending ares_getaddrinfo() leads to a use-after-free condition.

tags | advisory
SHA-256 | 7dac05abea704e153870ceb3821b9fcf3b37ca198add02caa774bdda39438cd9
Linux 5.6 IORING_OP_MADVISE Race Condition
Posted May 8, 2020
Authored by Jann Horn, Google Security Research

Linux 5.6 has an issue with IORING_OP_MADVISE racing with coredumping.

tags | exploit
systems | linux
SHA-256 | 3d4ed25c006b4d44e2fc925724eb8ef4c383a536453c0793e4b5aa7eb8d74965
Linux futex+VFS Use-After-Free
Posted May 8, 2020
Authored by Jann Horn, Google Security Research

Linux futex+VFS suffers from an improper inode reference in get_futex_key() that causes a use-after-free if the superblock goes away.

tags | exploit
systems | linux
SHA-256 | 1f2f71584b62477d5804bbbbde1135bf3a474ccf5086c8de8d354737d3f45ec5
Linux Omitted TID Increment
Posted Apr 10, 2020
Authored by Jann Horn, Google Security Research

Linux has an issue where the SLUB bulk allocation slowpath omits a required TID increment.

tags | exploit
systems | linux
SHA-256 | 14cca69626f7eaf7a068b4d1e29e645abe5f5066bfb2ea4db2fa373a5b4f17a5
Linux 5.3 Insecure Root Path Handling
Posted Apr 10, 2020
Authored by Jann Horn, Google Security Research

Linux versions 5.3 and above appear to have an issue where io_uring suffers from insecure handling of the root directory for path lookups.

tags | exploit, root
systems | linux
SHA-256 | ed2dd2cbf35df24e9ba5bd981126270b47009603233e401d33e76fe529690153
Android Binder Use-After-Free
Posted Feb 24, 2020
Authored by Jann Horn, timwr, Maddie Stone, grant-h | Site metasploit.com

Android Binder use-after-free exploit.

tags | exploit
advisories | CVE-2019-2215
SHA-256 | 8311b9bec91595d2878834472570bf80e596b211d30a53cac581c4c7c5478c85
Page 1 of 7
Back12345Next

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close