Showing 1 - 21 of 21

Files from Mark Brand

First Active: 2015-03-18
Last Active: 2017-06-30
LG ASFParser::SetMetaData Stack Overflow
Posted Jun 30, 2017
Authored by Google Security Research, Mark Brand

LG suffers from multiple stack overflows in ASFParser::SetMetaData.

tags | exploit, overflow
MD5 | 11032cdfb45063fe394b921e0d88804a
LG ASFParser::ParseHeaderExtensionObjects Missing Bounds Check
Posted Jun 13, 2017
Authored by Google Security Research, Mark Brand

LG has a memcpy in ASFParser::ParseHeaderExtensionObjects that does not check that the size of the copy is smaller than the size of the source buffer, resulting in an out-of-bounds heap read.

tags | exploit
MD5 | cc4a461769ce92dca6a0c1f92a819609
LG CAVIFileParser::Destroy Out-Of-Bounds Heap Read
Posted Jun 13, 2017
Authored by Google Security Research, Mark Brand

LG suffers from an out-of-bounds read in CAVIFileParser::Destroy resulting in an invalid free.

tags | exploit
MD5 | 51ab5dda3b960588d3452a78cee02602
LG AVI Stream Parsing Missing Bounds-Checking
Posted Jun 13, 2017
Authored by Google Security Research, Mark Brand

LG suffers from missing bounds-checking in AVI stream parsing.

tags | exploit
MD5 | a78e9a54318e6e5bb216dc94b8637df3
LG OGMParser::VerifyVorbisHeader Uninitialized Pointer
Posted May 23, 2017
Authored by Google Security Research, Mark Brand

LG has an issue where a malformed OGM file can cause the use of an uninitialized pointer during Vorbis header verification: vorbis_info_clear is called on a vorbis_info structure that has not previously been initialised by a call to vorbis_info_init.

tags | exploit
MD5 | cc75081f5748ec93fe019a15eef25343
LG mkvparser::Tracks Failed Pointer Initialization
Posted May 9, 2017
Authored by Google Security Research, Mark Brand

LG suffers from a failure to initialize a pointer in the mkvparser::Tracks constructor.

tags | exploit
MD5 | 0888abdf84945f9209219f9db48ad8f6
LG mkvparser::Block::Block Heap Buffer Overflows
Posted May 9, 2017
Authored by Google Security Research, Mark Brand

LG suffers from multiple heap buffer overflow vulnerabilities in mkvparser::Block::Block.

tags | exploit, overflow, vulnerability
MD5 | 3d0e37a13001f12db4209248c38a7463
LG liblg_parser_mkv.so Bad Allocation Calls
Posted May 9, 2017
Authored by Google Security Research, Mark Brand

During EBML node parsing, the EBML element_size is used unvalidated to allocate a stack buffer to store the element contents. Since calls to alloca simply compile to a subtraction from the current stack pointer, for large sizes this can result in memory corruption and potential remote code execution in the mediaserver process. Tested on an LG-G4 with firmware MRA58K.

tags | exploit, remote
MD5 | 711c46670019250996b82da037a5b3ab
LG lgdrmserver Race Conditions
Posted Feb 9, 2017
Authored by Google Security Research, Mark Brand

LG suffers from multiple race conditions in the lgdrmserver binder service.

tags | exploit
MD5 | ac7713f9963acc09ade2abd6cafa0ded
LG lghashstorageserver Directory Traversal
Posted Feb 9, 2017
Authored by Google Security Research, Mark Brand

LG suffers from a directory traversal vulnerability in lghashstorageserver.

tags | exploit
MD5 | b3f7e919c94cf82228b1ed65b155ad0b
LG Touchscreen Driver write_log Kernel Read / Write
Posted Feb 9, 2017
Authored by Google Security Research, Mark Brand

The LG touchscreen driver suffers from a write_log kernel read/write vulnerability.

tags | exploit, kernel
MD5 | 1e851e06a7f4f7a39835926ab5d014ad
LG Felica Driver Dangerous set_fs Usage
Posted Feb 9, 2017
Authored by Google Security Research, Mark Brand

The LG Felica driver makes dangerous use of set_fs.

tags | advisory
MD5 | 9108661250254eadad315d7b7ba1cfd2
Android WifiNative::setHotlist Stack Overflow
Posted Dec 22, 2016
Authored by Google Security Research, Mark Brand

Android suffers from a stack overflow vulnerability in WifiNative::setHotlist.

tags | exploit, overflow
advisories | CVE-2016-6772
MD5 | b761c3665f954faf1df05f42e3ddf58a
Android libutils Heap Buffer Overflow
Posted Sep 8, 2016
Authored by Google Security Research, Mark Brand

Android suffers from an inconsistency between the way that the two functions in libutils/Unicode.cpp handle invalid surrogate pairs in UTF16, resulting in a mismatch between the size calculated by utf16_to_utf8_length and the number of bytes written by utf16_to_utf8. This results in a heap buffer overflow.

tags | exploit, overflow
advisories | CVE-2016-3861
MD5 | ca48cd81170253fac6461c982222bb7a
AppArmor aa_fs_seq_hash_show Reference Count Leak
Posted Jul 28, 2016
Authored by Google Security Research, Mark Brand

AppArmor has a reference count leak in aa_fs_seq_hash_show that can be used to overflow the reference counter and trigger a kernel use-after-free.

tags | exploit, overflow, kernel
MD5 | 91de71cb39c0e5e61e7239423aaa5547
Samsung Android JACK Privilege Escalation
Posted Jul 6, 2016
Authored by Google Security Research, Mark Brand

The usermode audio subsystem for the "Samsung Android Professional Audio" is based on JACK and appears to suffer from a privilege escalation vulnerability.

tags | advisory
systems | linux
MD5 | cb942ef82a22bd3ecbe7f271d98180f2
Samsung Android JACK ASLR Bypass
Posted Jul 6, 2016
Authored by Google Security Research, Mark Brand

The usermode audio subsystem for the "Samsung Android Professional Audio" is based on JACK, which appears to be designed for single-user usage. The common JACK configuration on Linux systems appears to be a JACK server running under the current user account and interacting with JACK clients from the same user account, so with a minimal privilege difference. This is not the case with the configuration on Android, where the JACK service runs as a more privileged user in a less restrictive SELinux domain than the clients that can connect to it. The JACK shared memory implementation uses the struct jack_shm_info_t defined in /common/shm.h to do some bookkeeping. This struct is stored at the start of every JackShmAble object. This means that whenever the JACK server creates an object backed by shared memory, it also stores a pointer to that object (in the address space of the JACK server), allowing a malicious client to bypass ASLR in the JACK server process.

tags | advisory
systems | linux
MD5 | 8288db414362e6a728044ca93ad526bf
Chrome GPU Process MailboxManagerImpl Double Read
Posted Jun 16, 2016
Authored by Google Security Research, Mark Brand

Several functions in the GPU command buffer service interact with the GPU mailbox manager (gpu/command_buffer/service/mailbox_manager_impl.cc), passing a reference to shared memory as the mailbox argument. MailboxManagerImpl does not expect this mailbox argument to be malleable in this way, and it is in several places copied and passed to various STL functions, resulting in unexpected behavior from double-reads when an attacker modifies the mailbox name mid-function.

tags | exploit
systems | linux
MD5 | fe0ec225a5e3c3b2535961de5c8c6c37
Chrome GPU Process BufferManager Double Reads
Posted Jun 16, 2016
Authored by Google Security Research, Mark Brand

The GPU buffer manager doesn't handle pointers to shared memory with adequate care, allowing an attacker to bypass Chrome's validation and pass invalid buffer data to the hosting OpenGL implementation.

tags | advisory
systems | linux
MD5 | 4ddfdd43a3a25890ab8b2dc9e9f0803c
Android One Privilege Escalation
Posted Mar 25, 2016
Authored by Google Security Research, Mark Brand

The wireless driver for the Android One (sprout) devices has a bad copy_from_user in the handling for the wireless driver socket private read ioctl IOCTL_GET_STRUCT with subcommand PRIV_CMD_SW_CTRL. This ioctl is permitted for access from the untrusted-app SELinux domain, so this is an app-to-kernel privilege escalation from any app with android.permission.INTERNET.

tags | exploit, kernel
systems | linux
MD5 | 7d01af0e02063811d5bd3b75fea8dd70
Adobe Flash Player PCRE Regex Logic Error
Posted Mar 18, 2015
Authored by sinn3r, Mark Brand | Site metasploit.com

This Metasploit module exploits a vulnerability found in Adobe Flash Player. A compilation logic error in the PCRE engine, specifically in the handling of the \c escape sequence when followed by a multi-byte UTF-8 character, allows arbitrary execution of PCRE bytecode.

tags | exploit, arbitrary
advisories | CVE-2015-0318
MD5 | b5032ff486bb039b112177d0b7f0fce0

© 2016 Packet Storm. All rights reserved.