exploit the possibilities
Showing 1 - 25 of 132 RSS Feed

Files from Jann Horn

Email addressjannh at google.com
First Active2013-03-14
Last Active2020-05-08
Linux 5.6 IORING_OP_MADVISE Race Condition
Posted May 8, 2020
Authored by Jann Horn, Google Security Research

Linux 5.6 has an issue with IORING_OP_MADVISE racing with coredumping.

tags | exploit
systems | linux
MD5 | 48173960a553b8ac2d2d1b4706631456
Linux futex+VFS Use-After-Free
Posted May 8, 2020
Authored by Jann Horn, Google Security Research

Linux futex+VFS suffers from an improper inode reference in get_futex_key() that causes a use-after-free if the superblock goes away.

tags | exploit
systems | linux
MD5 | b10f0f2bf1162cf416ade38ced936f86
Linux Omitted TID Increment
Posted Apr 10, 2020
Authored by Jann Horn, Google Security Research

Linux has an issue where the SLUB bulk allocation slowpath omits a required TID increment.

tags | exploit
systems | linux
MD5 | b56ff43167ac1143eeafa23f56b39a25
Linux 5.3 Insecure Root Path Handling
Posted Apr 10, 2020
Authored by Jann Horn, Google Security Research

Linux versions 5.3 and above appear to have an issue where io_uring suffers from insecure handling of the root directory for path lookups.

tags | exploit, root
systems | linux
MD5 | cd4620f1e39d2b19219c64ba6facc1f3
Android Binder Use-After-Free
Posted Feb 24, 2020
Authored by Jann Horn, timwr, Maddie Stone, grant-h | Site metasploit.com

Android Binder use-after-free exploit.

tags | exploit
advisories | CVE-2019-2215
MD5 | b8930f3f9adad2325c20b748158a44e3
Samsung SEND_FILE_WITH_HEADER Use-After-Free
Posted Feb 12, 2020
Authored by Jann Horn, Google Security Research

Samsung suffers from a use-after-free vulnerability due to a missing lock in the SEND_FILE_WITH_HEADER handler in f_mtp_samsung.c.

tags | exploit
MD5 | c32b0a6b8edad815d87eab3aadeb33e9
Samsung Kernel PROCA Use-After-Free / Double-Free
Posted Feb 12, 2020
Authored by Jann Horn, Google Security Research

The Samsung kernel has logic bug and locking issues in PROCA that can lead to use-after-free and double-free issues from an application's context.

tags | exploit, kernel
MD5 | 4809998625c6770bf24721a33e8e7f18
Reliable Datagram Sockets (RDS) rds_atomic_free_op Privilege Escalation
Posted Jan 22, 2020
Authored by Brendan Coles, Jann Horn, Mohamed Ghannam, nstarke, wbowling | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted (default); then it will be loaded automatically. This exploit supports 64-bit Ubuntu Linux systems, including distributions based on Ubuntu, such as Linux Mint and Zorin OS. This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various 4.4 and 4.8 kernels.

tags | exploit, kernel, root
systems | linux, ubuntu
advisories | CVE-2018-5333, CVE-2019-9213
MD5 | e83495fea436d8a384500ace26357f2f
Android ashmem Read-Only Bypasses
Posted Jan 10, 2020
Authored by Jann Horn, Google Security Research

Android suffers from ashmem read-only bypass vulnerabilities via remap_file_pages() and ASHMEM_UNPIN.

tags | exploit, vulnerability
advisories | CVE-2020-0009
MD5 | 1ce1f492c6697220a1377f632e2b8f79
Linux sendmsg() Privilege Escalation
Posted Dec 16, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from a privilege escalation vulnerability via io_uring offload of sendmsg() onto kernel thread with kernel creds.

tags | exploit, kernel
systems | linux
advisories | CVE-2019-19241
MD5 | 7594e7ead982b1ba2cb61b42fa00ac35
macOS update_dyld_shared_cache Privilege Escalation
Posted Nov 21, 2019
Authored by Jann Horn, Google Security Research

macOS suffers from an update_dyld_shared_cache privilege escalation vulnerability.

tags | exploit
MD5 | ccb563e2e8325980cd5cfa90ec74c416
Ubuntu shiftfs refcount Underflow / Type Confusion
Posted Nov 14, 2019
Authored by Jann Horn, Google Security Research

Ubuntu suffers from refcount underflow and type confusion vulnerabilities in shiftfs.

tags | exploit, vulnerability
systems | linux, ubuntu
advisories | CVE-2019-15793
MD5 | 0997e77626bf20fe372537310c94c69f
Ubuntu ubuntu-aufs-modified mmap_region() Refcounting Issue
Posted Nov 12, 2019
Authored by Jann Horn, Google Security Research

Ubuntu suffers from an issue where ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs error path.

tags | exploit
systems | linux, ubuntu
advisories | CVE-2019-15794
MD5 | dbc5f5b20329ede3b61e960c453e1e6a
XNU Missing Locking Race Condition
Posted Nov 5, 2019
Authored by Jann Horn, Google Security Research

XNU has an issue where missing locking in checkdirs_callback() enables a race condition with fchdir_common().

tags | exploit
MD5 | 85e06607829ab208006bfe5a5ef59847
Linux Polkit pkexec Helper PTRACE_TRACEME Local Root
Posted Oct 23, 2019
Authored by Brendan Coles, Jann Horn, timwr | Site metasploit.com

This Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.

tags | exploit, kernel, local, root
systems | linux
advisories | CVE-2019-13272
MD5 | a67b52657090e25d42aa370f66e7ca88
XNU Data Race Remote Double-Free
Posted Oct 7, 2019
Authored by Jann Horn, Google Security Research

XNU suffers from a remote double-free vulnerability due to a data race in IPComp input path.

tags | exploit, remote
advisories | CVE-2019-8717
MD5 | f107571d24ce915ad24992a19c351dc1
Linux show_numa_stats() Use-After-Free
Posted Aug 8, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from use-after-free read vulnerabilities in show_numa_stats().

tags | exploit, vulnerability
systems | linux
MD5 | 19f13c14c14a87e2b867f6b005de2eae
Linux PTRACE_TRACEME Broken Permission / Object Lifetime Handling
Posted Jul 16, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from broken permission and object lifetime handling for PTRACE_TRACEME.

tags | exploit
systems | linux
advisories | CVE-2019-13272
MD5 | 91c78e7e5a824d9c7ed235f47eecb190
Google ChromeOS SafeSetID LSM Transitive Trust
Posted Jul 3, 2019
Authored by Jann Horn, Google Security Research

Google ChromeOS SafeSetID LSM suffers from privilege escalation vulnerabilities.

tags | advisory, vulnerability
MD5 | 1eb159ed1602375544f5e4c09949e034
Linux Race Condition Use-After-Free
Posted Jun 20, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from a use-after-free via a race condition between modify_ldt() and #BR exception.

tags | exploit
systems | linux
MD5 | bde5e2b4c6bf6932f0057efcb1d79bac
Qualcomm Android Kernel Use-After-Free
Posted May 29, 2019
Authored by Jann Horn, Google Security Research

The Qualcomm Android kernel suffers from a use-after-free vulnerability via an incorrect set_page_dirty() in KGSL.

tags | exploit, kernel
advisories | CVE-2019-10529
MD5 | 934ee0432bced903b9c092168a681f86
Linux Missing Lockdown
Posted Apr 29, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from a missing locking between ELF coredump code and userfaultfd VMA modification.

tags | exploit
systems | linux
advisories | CVE-2019-11599
MD5 | 6e83b659aeebd1f611e769f9fff5b64b
systemd DynamicUser SetUID Binary Creation
Posted Apr 25, 2019
Authored by Jann Horn, Google Security Research

This bug report describes a bug in systemd that allows a service with DynamicUser in collaboration with another service or user to create a setuid binary that can be used to access its UID beyond the lifetime of the service. This bug probably has relatively low severity, given that there are not many services yet that use DynamicUser, and the requirement of collaboration with another process limits the circumstances in which it would be useful to an attacker further; but in a system that makes heavy use of DynamicUser, it would probably have impact.

tags | exploit
advisories | CVE-2019-3844
MD5 | cb138590286ec36c3796f89c3e18cff6
Linux Siemens R3964 Line Discipline Missing Lock
Posted Apr 23, 2019
Authored by Jann Horn, Google Security Research

The Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a few races around its ioctl handler; for example, the handler for R3964_ENABLE_SIGNALS just allocates and deletes elements in a linked list with zero locking. This code is reachable by an unprivileged user if the line discipline is enabled in the kernel config; Ubuntu 18.04, for example, ships this line discipline as a module.

tags | exploit, kernel
systems | linux, ubuntu
MD5 | 1820caa252c106e5cc11b80e59c7e65c
Linux Overflow Via FUSE
Posted Apr 23, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from a page->_refcount overflow via FUSE with ~140GiB RAM usage.

tags | exploit, overflow
systems | linux
MD5 | 47cf01f1d9bc811d111aac20bfd03627
Page 1 of 6
Back12345Next

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    13 Files
  • 28
    May 28th
    18 Files
  • 29
    May 29th
    17 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close