
Files from Jann Horn

Email address: jannhorn at googlemail.com
First Active: 2013-03-14
Last Active: 2018-09-13
Linux dmesg Arbitrary Kernel Read
Posted Sep 13, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from an arbitrary kernel read into dmesg via a missing address check in the segfault handler.

tags | advisory, arbitrary, kernel
systems | linux
MD5 | 06e9283f3dd8c10929847de0f7b403d2
Chrome OS gRPC garcon Command Execution
Posted Sep 13, 2018
Authored by Jann Horn, Google Security Research

There is a variety of RPC communication channels between the Chrome OS host system and the crosvm guest. This bug report focuses on communication on TCP port 8889, which is used by the "garcon" service. garcon uses gRPC, an RPC protocol that sends protobufs over plaintext HTTP/2. (Other system components communicate with the VM over gRPC-over-vsock, but garcon uses gRPC-over-TCP.) For some command types, the TCP connection is initiated by the host; for others, it is initiated by the guest. Both guest and host listen on [::]:8889. The host's iptables rules prevent an outside host from simply connecting to those sockets, but apps running on the host are not subject to those restrictions.

tags | exploit, web, tcp, protocol
MD5 | aff1ab159e8069bed85cefa1dff66810
Android Privilege Escalation
Posted Sep 11, 2018
Authored by Jann Horn, Google Security Research

Android suffers from a privilege escalation vulnerability in zygote that can be leveraged by CVE-2018-9445.

tags | exploit
advisories | CVE-2018-9445, CVE-2018-9488
MD5 | ab958bdb52ab9f8d11c64fe093731380
Linux Insufficient Shootdown For Paging-Structure Caches
Posted Sep 11, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from an insufficient shootdown for paging-structure caches.

tags | exploit
systems | linux
MD5 | 8c0d36eab2a0b162e885643f73377706
gVisor Sentry Invalid Access
Posted Aug 31, 2018
Authored by Jann Horn, Google Security Research

gVisor Sentry permits access to the renameat() syscall. As the sentry is not chrooted, it permits renaming files in the host system.

tags | advisory
MD5 | 82846292495d155d34683eb88e13fade
Linux reiserfs listxattr_filler() Heap Overflow
Posted Aug 31, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from a reiserfs listxattr_filler() heap overflow vulnerability.

tags | exploit, overflow
systems | linux
MD5 | 32f35281c7d063fa006860df2819530e
Wayland wl_connection_demarshal() Out-Of-Bounds Memory Access
Posted Aug 28, 2018
Authored by Jann Horn, Google Security Research

Wayland suffers from an out-of-bounds memory access vulnerability in wl_connection_demarshal() on 32-bit systems.

tags | exploit
MD5 | d6df3a560088b2c39f11b2f8dc3a2c2d
Linux percpu Race Condition
Posted Aug 23, 2018
Authored by Jann Horn, Google Security Research

Race conditions exist on percpu refcounts on struct mount.

tags | exploit
MD5 | 2431157d4031096f9869974723e0f6f4
Google Android USB Directory Traversal
Posted Aug 13, 2018
Authored by Jann Horn, Google Security Research

Android suffers from a directory traversal vulnerability leveraged over USB via injection in blkid output.

tags | exploit
advisories | CVE-2018-9445
MD5 | 54330565924c07e00a436420e71adec0
cgit cgit_clone_objects() Directory Traversal
Posted Aug 6, 2018
Authored by Jann Horn, Google Security Research

cgit suffers from a directory traversal vulnerability in cgit_clone_objects().

tags | exploit
advisories | CVE-2018-14912
MD5 | f306e9c0fb056a4bc0fe47e73bb69b90
fusermount Restriction Bypass
Posted Jul 30, 2018
Authored by Jann Horn, Google Security Research

It is possible to bypass fusermount's restrictions on the use of the "allow_other" mount option as follows if SELinux is active.

tags | exploit
advisories | CVE-2018-10906
MD5 | 9e10d920caa48857046e580c577e1ff4
Linux BPF Sign Extension Local Privilege Escalation
Posted Jul 19, 2018
Authored by h00die, Jann Horn, vnik, rlarabee, bleidl, bcoles | Site metasploit.com

Linux kernel versions prior to 4.14.8 utilize the Berkeley Packet Filter (BPF), which contains a vulnerability where it may improperly perform sign extension. This can be utilized to escalate privileges. The target system must be compiled with BPF support and must not have kernel.unprivileged_bpf_disabled set to 1. This Metasploit module has been tested successfully on many different kernels.

tags | exploit, kernel
systems | linux
advisories | CVE-2017-16995
MD5 | 4596fc215a7899eb6de8fccca0e92708
Linux/Ubuntu Coredump Reading Access Bypass
Posted Jul 13, 2018
Authored by Jann Horn, Google Security Research

Linux/Ubuntu suffers from a vulnerability where other users' coredumps can be read via a setgid directory and killpriv bypass.

tags | exploit
systems | linux, ubuntu
MD5 | 643a11ef1ca33c7ad1aef476e210c8b8
Linux Ext4 Out-Of-Bounds Memcpy
Posted May 24, 2018
Authored by Jann Horn, Google Security Research

Linux ext4 suffers from an out-of-bounds memcpy via a non-inline system.data xattr.

tags | exploit
systems | linux
MD5 | 0cb247cca18add1aee1a164432f6a72c
Speculative Execution Variant 4
Posted May 24, 2018
Authored by Jann Horn, Google Security Research

Variant 4 of the speculative execution vulnerability, which is a speculative store bypass.

tags | exploit
advisories | CVE-2018-3639
MD5 | 0c2f7e12ec920a6130940707130bd9fe
Linux 4-Byte Information Leak
Posted May 18, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from a 4-byte information leak via an uninitialized struct field in the compat adjtimex syscall.

tags | exploit
systems | linux
MD5 | 3e22473d4edff1e68082884c6f7a235b
FreeBSD Security Advisory - FreeBSD-SA-18:03.speculative_execution
Posted Mar 14, 2018
Authored by Jann Horn, Yuval Yarom, Michael Schwarz, Mike Hamburg, Moritz Lipp, Paul Kocher, Werner Haas, Thomas Prescher, Stefan Mangard, Daniel Gruss, Daniel Genkin | Site security.freebsd.org

FreeBSD Security Advisory - A number of issues relating to speculative execution were found last year and publicly announced January 3rd. Two of these, known as Meltdown and Spectre V2, are addressed here.

tags | advisory
systems | freebsd, bsd
advisories | CVE-2017-5715, CVE-2017-5754
MD5 | a26c0e3e31cfe9f94c14cc22c3de9089
MacOS sysctl_vfs_generic_conf Stack Leak
Posted Jan 27, 2018
Authored by Jann Horn, Google Security Research

MacOS suffers from a sysctl_vfs_generic_conf stack leak through struct padding.

tags | advisory
advisories | CVE-2018-4090
MD5 | 376a5cb1ecad7a5a4de3c6b7b7067429
MacOS sysctl_default_netsvctype_to_dscp_map / sysctl_dscp_to_wifi_ac_map Stack Leak
Posted Jan 27, 2018
Authored by Jann Horn, Google Security Research

MacOS suffers from a sysctl_default_netsvctype_to_dscp_map and sysctl_dscp_to_wifi_ac_map stack leak through struct padding.

tags | advisory
advisories | CVE-2018-4093
MD5 | ae34699e2753df4dc0f4fbe8b25d4bd5
eBPF 4.9-stable Verifier Bug Backported
Posted Jan 12, 2018
Authored by Jann Horn, Google Security Research

eBPF had the verifier bug backported to version 4.9-stable.

tags | exploit
MD5 | 8a1c22a5152b26d19ce1cffd65c19ab9
macOS process_policy Stack Leak
Posted Jan 12, 2018
Authored by Jann Horn, Google Security Research

macOS suffers from a process_policy stack leak through an uninitialized field.

tags | exploit
advisories | CVE-2017-7154
MD5 | 087461a94f1e181ee115eef15d6fd864
CPU Speculative Execution Information Leak
Posted Jan 10, 2018
Authored by Jann Horn, Google Security Research

An information leak using speculative execution exists in CPUs by Intel, AMD, and to some extent, ARM.

tags | exploit
MD5 | b69690cdd34a7503e0457b6da3b6cd0e
VMware Workstation ALSA Config File Local Privilege Escalation
Posted Jan 5, 2018
Authored by Brendan Coles, Jann Horn | Site metasploit.com

This Metasploit module exploits a vulnerability in VMware Workstation Pro and Player on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card. This Metasploit module has been tested successfully on VMware Player version 12.5.0 on Debian Linux.

tags | exploit, root
systems | linux, debian
advisories | CVE-2017-4915
MD5 | f3b6448b87cca47f57a97189ff144abb
Reading Privileged Memory With A Side-Channel
Posted Jan 4, 2018
Authored by Jann Horn, Google Security Research | Site googleprojectzero.blogspot.co.uk

This is the very thorough blog write-up discussing three variants of side-channel attacks that leverage CPU data cache timing.

tags | paper
advisories | CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
MD5 | 2363cefeef0652a5bd4abcd5e6ee4559
eBPF Arbitrary Read/Write Via Incorrect Range Tracking
Posted Dec 22, 2017
Authored by Jann Horn, Google Security Research

eBPF suffers from an arbitrary read and write vulnerability via incorrect range tracking.

tags | exploit, arbitrary
MD5 | ad6516e5054737ab0ef7abdefd3ba79b