what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 4 of 4 RSS Feed

Files from matttait

First Active2015-08-28
Last Active2015-10-13
.NET Partial-Trust Bypass
Posted Oct 13, 2015
Authored by Google Security Research, matttait

A command-line injection vulnerability exists in the core .NET class System.Windows.Forms.Help::ShowHelp function allowing an attacker without "UnmanagedCode" permission to nevertheless directly control arguments passed to a "ShellExecute" invocation of the users' default browser. This vulnerability allows an attacker who is able to run arbitrary .NET code within a .NET PartialTrust sandbox including the "WebPermission" permission for any URL to inject arbitrary parameters after the first parameter into the command line of the users' default browser.

tags | exploit, arbitrary
systems | linux, windows
SHA-256 | b4f6f4c64fcea757962a5b5527370c1e23ba0b0610e975f129a09d22efa39baa
Windows Type-Confusion / Memory Corruption
Posted Sep 14, 2015
Authored by Google Security Research, matttait

The Windows Kernel is subject to two related kernel-mode type-confusion vulnerabilities inside win32k!xxxRemoteReconnect. In both cases, a user-mode parameter passed to the syscall is incorrectly resolved to its underlying kernel representation via ObReferenceObjectByHandle passing NULL as the "ObType" field (rather than *IoFileTypeObject and *IoDeviceTypeObject respectively). Because the type is not checked, if a handle of a type other than a HANDLE to a file and a device are passed, the kernel incorrectly uses the underlying representation of the object as a PFILE_OBJECT and a PDEVICE_OBJECT, causing memory corruption in the kernel.

tags | advisory, kernel, vulnerability
systems | linux, windows
SHA-256 | 1fc87129199a0c6cd9e6a9fa146cc6e891c7331266896538d14fc884c57013ba
Windows win32k!NtUserSetInformationThread Type Confusion
Posted Sep 9, 2015
Authored by Google Security Research, matttait

The Windows Kernel is subject to a kernel-mode type-confusion vulnerability inside win32k!NtUserSetInformationThread due to referencing a user-mode handle via ObReferenceObjectByHandle with a "NULL" type specified (it should instead be using *LpcPortObjectType to protect against this vulnerability). This vulnerability can be triggered from inside CSRSS via the syscall win32k!NtUserSetInformationThread with ThreadInformationClass set to "UserThreadCsrApiPort" and the parameter of the syscall set to a HANDLE that is not an LPC object.

tags | advisory, kernel
systems | linux, windows
SHA-256 | f08ca467d2241babc70e51da65057abb65b9ecf85249b35405cfc513910c45d6
QEMU Programmable Interrupt Timer Controller Heap Overflow
Posted Aug 28, 2015
Authored by Google Security Research, matttait

The programmable interrupt timer (PIT) controller in QEMU does not correctly validate the channel number when performing IO writes to the device controller, allowing both an information disclosure and a heap overflow within the context of the host.

tags | exploit, overflow, info disclosure
systems | linux
SHA-256 | 13f86bfcab19e0b4b4a2b31f5267866e4f2e1bf60fa810d064d79e7a787b0c07
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close