Files from Google Security Research

Showing 1 - 25 of 1,689 files
First Active: 2000-02-18
Last Active: 2022-08-12
Windows sxssrv!BaseSrvActivationContextCacheDuplicateUnicodeString Heap Buffer Overflow
Posted Aug 12, 2022
Authored by Google Security Research, Glazvunov

A heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.

tags | exploit, overflow, arbitrary
systems | windows
advisories | CVE-2022-22049
SHA-256 | cb8f7be542f04c635c86858c21eaa7b6cc6ce03a9209a26428307fdbe1ed92a7
Windows sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity Heap Buffer Overflow
Posted Aug 12, 2022
Authored by Google Security Research, Glazvunov

A heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.

tags | exploit, overflow, arbitrary
systems | windows
advisories | CVE-2020-1027, CVE-2022-22026
SHA-256 | d9d1207247ebb20f56509add11b90166662a5bc61929b7ae0d9356619f52a0b3
Chrome WebGL Uniform Integer Overflows
Posted Aug 4, 2022
Authored by Google Security Research, Mark Brand

The WebGL implementation for setting uniform values with an ArrayBuffer argument does not properly handle large buffer sizes. Since WASM now allows allocating large ArrayBuffers, this can lead to buffer overflows when writing to the GPU command buffer.

tags | exploit, overflow
advisories | CVE-2022-2415
SHA-256 | 0bdf6d06a281ed2823e5f46ea472615509e7f1f676d5bd3238d8cfd3b783d262
Chrome Scope Break
Posted Jul 21, 2022
Authored by Google Security Research, Mark Brand

Chrome has an issue where raw_ptr broke implicit scoped_refptr for receivers in base::Bind.

tags | exploit
advisories | CVE-2022-2156
SHA-256 | 608734695dfbbf56d37a25c6b0e92ec571e720ac20c50496dd9608c3ee36b587
Windows Kernel nt!MiRelocateImage Invalid Read
Posted Jul 15, 2022
Authored by Google Security Research, mjurczyk

The Microsoft Windows kernel suffers from an invalid read in nt!MiRelocateImage while parsing a malformed PE file.

tags | exploit, kernel
systems | windows
advisories | CVE-2022-30155
SHA-256 | 14cc97653808a5e83777838181351383480596c1a9ab0edd737615c558008d89
Windows LSA Service LsapGetClientInfo Impersonation Level Check Privilege Escalation
Posted Jul 15, 2022
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the LsapGetClientInfo API in LSASRV will fallback and directly capture a caller's impersonation token if it fails to impersonate, leading to elevation of privilege if the impersonation level is not checked.

tags | exploit
systems | windows
advisories | CVE-2022-30166
SHA-256 | 4f77530c88d7c141599b603fabccbde4f773bc1697a54702749961ba91a1346a
Chrome PaintImage Deserialization Out-Of-Bounds Read
Posted Jul 11, 2022
Authored by Google Security Research, Mark Brand

The code in cc::PaintImageReader::Read (cc::PaintImage*) does not properly check the incoming data when handling embedded image data, resulting in an out-of-bounds copy into the filter bitmap data.

tags | exploit
advisories | CVE-2022-2010
SHA-256 | 3442a632be9dec3260619421059a97062f1e5b5331769ad612a11a97ecf3ec9b
Xen TLB Flush Bypass
Posted Jul 11, 2022
Authored by Jann Horn, Google Security Research

Xen's _get_page_type() contains an ABA cmpxchg() race, where the code incorrectly assumes that if it reads a specific type_info value, and a later cmpxchg() against that value succeeds, the type_info cannot have changed in between.

tags | exploit
advisories | CVE-2022-26362
SHA-256 | 88fe91f31a1fa5b68860cd0112d829c44076320a17d995120f8a3d426cc59af7
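The ABA pattern behind the Xen entry above, as an added example (this is not Xen's code and the page layout, names and the generation-counter fix are this example's own assumptions, not what Xen shipped). A validator reads a page's type, does lengthy work during which another CPU may retype the page and retype it back, then cmpxchg()es against the value it first read. A value-only compare cannot tell "unchanged" from "changed and restored"; tagging the word with a generation counter that every writer bumps makes the same cmpxchg fail in the A->B->A case.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Page type word for this example only (not Xen's struct page_info):
 * low 32 bits hold the type, high 32 bits a generation counter that
 * every writer bumps. */
typedef struct { _Atomic uint64_t word; } page_t;

enum { TYPE_L2 = 1, TYPE_WRITABLE = 2, TYPE_VALIDATED = 0x100 };

static uint32_t type_of(uint64_t w) { return (uint32_t)w; }
static uint32_t gen_of(uint64_t w)  { return (uint32_t)(w >> 32); }
static uint64_t pack(uint32_t gen, uint32_t type) { return (uint64_t)gen << 32 | type; }

/* Writer: store the new type together with an incremented generation. */
static void set_type(page_t *pg, uint32_t type)
{
    uint64_t w = atomic_load(&pg->word);
    atomic_store(&pg->word, pack(gen_of(w) + 1, type));
}

/* What another CPU may do while the validator is busy (simulated
 * deterministically through a callback instead of a real thread). */
typedef void (*interleave_fn)(page_t *);
static void no_interleave(page_t *pg) { (void)pg; }
static void aba_interleave(page_t *pg)          /* A -> B -> A */
{
    set_type(pg, TYPE_WRITABLE);   /* page briefly writable: contents may change */
    set_type(pg, TYPE_L2);         /* type restored before the validator looks again */
}

/* Buggy pattern: the validator only checks that the type it read is the
 * type present now.  A->B->A passes, so the cmpxchg commits a "validated"
 * pagetable whose contents were never re-checked after the window. */
bool validate_by_value(page_t *pg, interleave_fn other_cpu)
{
    uint32_t seen = type_of(atomic_load(&pg->word));
    if (seen != TYPE_L2) return false;
    other_cpu(pg);                                   /* long validation window */
    uint64_t cur = atomic_load(&pg->word);
    if (type_of(cur) != seen) return false;          /* compares the value only */
    return atomic_compare_exchange_strong(&pg->word, &cur,
                                          pack(gen_of(cur) + 1, seen | TYPE_VALIDATED));
}

/* Hardened pattern (a generic ABA defence, not the fix Xen shipped): the
 * cmpxchg expects the whole word read at the start, generation included,
 * so any intervening writer makes it fail and validation must be redone. */
bool validate_by_generation(page_t *pg, interleave_fn other_cpu)
{
    uint64_t seen = atomic_load(&pg->word);
    if (type_of(seen) != TYPE_L2) return false;
    other_cpu(pg);
    uint64_t expected = seen;
    return atomic_compare_exchange_strong(&pg->word, &expected,
                                          pack(gen_of(seen) + 1, type_of(seen) | TYPE_VALIDATED));
}

/* 1 if the validator commits, 0 if it backs off and would retry. */
int validation_commits(int use_generation, int with_aba)
{
    page_t pg = { pack(0, TYPE_L2) };
    interleave_fn f = with_aba ? aba_interleave : no_interleave;
    return (use_generation ? validate_by_generation(&pg, f)
                           : validate_by_value(&pg, f)) ? 1 : 0;
}

int main(void)
{
    printf("value-only cmpxchg, A->B->A in window:  %s\n",
           validation_commits(0, 1) ? "COMMITTED (bug)" : "retried");
    printf("generation-tagged cmpxchg, A->B->A:     %s\n",
           validation_commits(1, 1) ? "committed" : "retried (correct)");
    return 0;
}
```

The generation tag only helps if every writer bumps it and the tag lives in the same word the cmpxchg covers; a counter in a separate field re-opens the same window between the counter check and the exchange.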
Mutt mutt_decode_uuencoded() Memory Disclosure
Posted Jul 11, 2022
Authored by Tavis Ormandy, Google Security Research

In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in private memory being included in replies, for example fragments of other messages, passphrases or keys.

tags | exploit
advisories | CVE-2022-1328
SHA-256 | 1a0da9d9e3bf42ea5367e18954311a408e444a40a4960bbf41e240bbab050a63
Windows Kerberos KerbRetrieveEncodedTicketMessage AppContainer Privilege Escalation
Posted Jul 7, 2022
Authored by James Forshaw, Google Security Research

On Windows 11, the Kerberos SSP's KerbRetrieveEncodedTicketMessage message can be used to get an arbitrary service ticket and session key from an AppContainer even without the enterprise authentication capability leading to elevation of privilege.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2022-30164
SHA-256 | 78434d5ce4cfd024dc8d980cdbc2c6c5bfc491c59fd75bca49f3b74f62b3a77a
Windows Kerberos Redirected Logon Buffer Privilege Escalation
Posted Jul 6, 2022
Authored by James Forshaw, Google Security Research

On Windows, the buffer for redirected logon context does not protect against spoofing resulting in arbitrary code execution in the LSA leading to local elevation of privilege.

tags | exploit, arbitrary, local, spoof, code execution
systems | windows
advisories | CVE-2022-24545, CVE-2022-30165
SHA-256 | e5fb08a6edcf0b1b0510543eebe8a2074c96f610873eefbc81fd441dc6b36c39
Xen PV Guest Non-SELFSNOOP CPU Memory Corruption
Posted Jul 6, 2022
Authored by Jann Horn, Google Security Research

On CPUs without SELFSNOOP support, a Xen PV domain that has access to a PCI device (which grants the domain the ability to set arbitrary cache attributes on all its pages) can trick Xen into validating an L2 pagetable that contains a cacheline that is marked as clean in the cache but actually differs from main memory. After the pagetable has been validated, an attacker can flush the "clean" cacheline, such that on the next load, unvalidated data from main memory shows up in the pagetable.

tags | exploit, arbitrary
advisories | CVE-2022-26364
SHA-256 | 0ca3bec4eaa9cefc4bd68628da583653303fb2bb08f1b14700118565ff032f9c
Windows Defender Remote Credential Guard Authentication Relay Privilege Escalation
Posted Jul 5, 2022
Authored by James Forshaw, Google Security Research

The handling of Windows Defender Remote Credential Guard credentials is vulnerable to authentication relay attacks leading to elevation of privilege or authentication bypass.

tags | exploit, remote
systems | windows
advisories | CVE-2022-30150
SHA-256 | 59d20260a71bd3953d7c62c227f9a18519548cd6196f851a5c6ffb7ee4def447
launchd Heap Corruption
Posted Jun 30, 2022
Authored by Google Security Research, Ian Beer

launchd suffers from a heap corruption vulnerability due to incorrect rounding in launch_data_unpack.

tags | advisory
advisories | CVE-2014-1359
SHA-256 | 5728e5ebf948c4d9fcd1bcdca177b71ce40167df17cbb2d5d1900427d642880f
XNU Flow Divert Race Condition Use-After-Free
Posted Jun 20, 2022
Authored by Google Security Research, nedwill

XNU suffers from a flow divert race condition use-after-free vulnerability.

tags | exploit
advisories | CVE-2022-26757
SHA-256 | 18168cefa7044ee89ba183a692734419daa60890808dbb1d62407aa2c4c7f70c
Chrome CVE-2022-1096 Incomplete Fix
Posted Jun 20, 2022
Authored by Google Security Research, Glazvunov

Chrome suffers from having an incomplete fix for CVE-2022-1096.

tags | exploit
advisories | CVE-2022-1096, CVE-2022-1232
SHA-256 | a034f87b7b68c9e71d23b3a96392d323625a4e9fd5c2246a143f439e0d73ddee
Chrome WebGPUDecoderImpl::DoRequestDevice Missing Bounds Check
Posted Jun 20, 2022
Authored by Google Security Research, Mark Brand

Chrome suffers from a missing bounds check in WebGPUDecoderImpl::DoRequestDevice.

tags | exploit
advisories | CVE-2022-1483
SHA-256 | ef3fbfbf0d934cc45efe08abfdf55bd55ba171f52a654e23e476c7b46f1b6cca
Kik Messenger XMPP Stanza Smuggling
Posted Jun 10, 2022
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in Kik Messenger for Android that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Kik client, including XMPP stanzas that are normally sent only by the Kik server. Included is a proof of concept that demonstrates sending the stc stanza, which triggers a captcha dialog and opens an arbitrary attacker-controlled webpage on the victim client. However, the full impact is likely larger than this and includes any application feature accessible over XMPP.

tags | exploit, arbitrary, proof of concept
SHA-256 | 3f66b31a34e395df392668d6453b6eee4bbfd623765c95d99108116f95c8a143
libxml2 xmlBufAdd Heap Buffer Overflow
Posted Jun 1, 2022
Authored by Google Security Research, Felix Wilhelm

libxml2 is vulnerable to a heap buffer overflow when xmlBufAdd is called on a very large buffer.

tags | exploit, overflow
advisories | CVE-2022-29824
SHA-256 | 2e836bc71a5f639b38695645fac3e6f8cf11af986d63af75240bf0a926a562f1
OpenSSL 1.0.2 / 1.1.1 / 3.0 BN_mod_sqrt() Infinite Loop
Posted Jun 1, 2022
Authored by Tavis Ormandy, Google Security Research

The BN_mod_sqrt() function in OpenSSL versions 1.0.2, 1.1.1, and 3.0, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

tags | exploit, root
advisories | CVE-2022-0778
SHA-256 | b8c560eda5504347f10dd0a9166545d0f6d2637eb9ca4cc2944f2c46e26d7f2b
Tigase XMPP Server Stanza Smuggling
Posted May 26, 2022
Authored by Ivan Fratric, Google Security Research

Tigase XMPP server suffers from a security vulnerability due to not escaping the double-quote character when serializing parsed XML. This can be used to smuggle (or, if you prefer, inject) an arbitrary attacker-controlled stanza into the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).

tags | exploit, arbitrary
SHA-256 | 80c339179764f04e39876070e482957638cbcf822ccdb04b5cc72ea035585e1e
ChromeOS usbguard Bypass
Posted May 26, 2022
Authored by Jann Horn, Google Security Research

ChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues.

tags | exploit
SHA-256 | 686e2d50596cc3cee3dd66e0fc5f2a715094be5a79c099a547c49d3457af1129
Zoom XMPP Stanza Smuggling Remote Code Execution
Posted May 24, 2022
Authored by Ivan Fratric, Google Security Research

This report describes a vulnerability chain that enables a malicious user to compromise another user over Zoom chat. User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat via the XMPP protocol. The initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between the XML parsers on Zoom's client and server in order to "smuggle" arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, turning this primitive into a man-in-the-middle attack. Finally, by intercepting and modifying client update requests and responses, the attacker makes the victim client download and execute a malicious update, resulting in arbitrary code execution. A client downgrade attack is used to bypass the signature check on the update installer. This attack has been demonstrated against the latest (5.9.3) client running on 64-bit Windows; however, some or all parts of the chain are likely applicable to other platforms.

tags | exploit, arbitrary, code execution, protocol
systems | windows
advisories | CVE-2022-22787, CVE-2022-25236
SHA-256 | c5835f3651ef4f351fdd27038787c6bd633712398f3562132cf3224e2a0a5e16
Linux USB Use-After-Free
Posted May 20, 2022
Authored by Jann Horn, Google Security Research

Linux usbnet code tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.

tags | exploit
systems | linux
SHA-256 | 9cbdb1ccc149a355b2d267a848a75d3513d0e33cb89787801e49bf0110235f37
Chrome 100 extensions::ExtensionApiFrameIdMap::GetFrameId Heap Use-After-Free
Posted May 16, 2022
Authored by Google Security Research, Glazvunov

A use-after-free issue exists in Chrome 100 and earlier versions. A malicious extension can achieve arbitrary code execution in the browser process.

tags | exploit, arbitrary, code execution
advisories | CVE-2022-0972
SHA-256 | 595428413ed6af41648e85f12bfacfc4d3b4b659dea62dab16b66777c9ddb014
Page 1 of 68

© 2022 Packet Storm. All rights reserved.