Showing 1 - 25 of 131

Files from Ian Beer

Email address: ianbeer at google.com
First Active: 2014-12-02
Last Active: 2023-01-17
XNU vm_map_copy_overwrite_unaligned Race Condition
Posted Jan 17, 2023
Authored by Google Security Research, Ian Beer

An XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings.

tags | exploit
advisories | CVE-2022-46689
SHA-256 | d28599b3adaf36ddb22cc63b493aedbe6d4bd9c80ab19441c0799cf163fd9d83
XNU VM Copy-On-Write Bypass
Posted Jan 17, 2023
Authored by Google Security Research, Ian Beer

XNU VM suffers from a copy-on-write bypass vulnerability due to incorrect shadow creation logic used during unaligned vm_map_copy operations.

tags | exploit, bypass
advisories | CVE-2022-46689
SHA-256 | 5a1b882267ecf571c7ea7314e620f51e45be202a17fa7c8a02fcea5a7a5b3641
XNU vm_object Use-After-Free
Posted Nov 25, 2022
Authored by Google Security Research, Ian Beer

XNU suffers from a vm_object use-after-free vulnerability due to invalid error handling in vm_map_enter.

tags | exploit
advisories | CVE-2022-42801
SHA-256 | 5ef6c77b173e377d874346d025662d6a74af50dd2789a4af20f0430f362f87df
XNU Dangling PTE Entry
Posted Nov 25, 2022
Authored by Google Security Research, Ian Beer

XNU suffers from a dangling PTE entry due to integer truncation when collapsing vm_object shadow chains.

tags | exploit
advisories | CVE-2022-32924
SHA-256 | 29e4042cd9a0b7666d0b7fda5c45703a1a078adf7f5202670b30f28e36559698
launchd Heap Corruption
Posted Jun 30, 2022
Authored by Google Security Research, Ian Beer

launchd suffers from a heap corruption vulnerability due to incorrect rounding in launch_data_unpack.

tags | advisory
advisories | CVE-2014-1359
SHA-256 | 5728e5ebf948c4d9fcd1bcdca177b71ce40167df17cbb2d5d1900427d642880f
XNU Kernel mach_msg Use-After-Free
Posted Jan 24, 2022
Authored by Google Security Research, Ian Beer

The XNU kernel suffers from a use-after-free vulnerability in mach_msg.

tags | exploit, kernel
advisories | CVE-2021-30949
SHA-256 | 2f6301f083bee339053850c19d2a821eb5bf15e94079651382aba5531646e6f1
XNU Network Stack Kernel Heap Overflow
Posted Jul 14, 2021
Authored by Google Security Research, Ian Beer

XNU suffers from a network stack kernel heap overflow due to an out-of-bounds memmove in 6lowpan. Proof of concept code included.

tags | exploit, overflow, kernel, proof of concept
advisories | CVE-2020-9967, CVE-2021-30736
SHA-256 | a1d06d7c40ef5cee75dbfed56b2263d072ffb407a0a5a9ac79847d59421ad896
iOS / macOS Radio Proximity Kernel Memory Corruption
Posted Apr 7, 2021
Authored by Google Security Research, Ian Beer

A radio proximity kernel memory corruption vulnerability exists in iOS and macOS due to a bad state machine in BSS steering.

tags | exploit, kernel
systems | ios
advisories | CVE-2020-3843, CVE-2020-9906
SHA-256 | 9e6c28acc2dc2cdb2acc5704dda5595cbbba3c80139500e4fad8a275eaa86716
XNU Kernel Mach Message Trailers Memory Disclosure
Posted Feb 5, 2021
Authored by Google Security Research, Ian Beer

The XNU kernel suffers from a memory disclosure vulnerability in mach message trailers.

tags | exploit, kernel
advisories | CVE-2020-27950
SHA-256 | 642f39fd92a5ac4ffb770427ffb354a2a9fadfb25d5b0622ea37837653fb0f84
XNU Kernel Turnstiles Type Confusion
Posted Feb 5, 2021
Authored by Google Security Research, Ian Beer

The XNU kernel suffers from a type confusion vulnerability in turnstiles.

tags | exploit, kernel
advisories | CVE-2020-27932
SHA-256 | d3d2bb641fe186858d248f07b853338f4be5d90e81441c7f7abebd7540ae579c
Safari Webkit For iOS 7.1.2 JIT Optimization Bug
Posted Aug 14, 2020
Authored by timwr, Ian Beer, kudima, WanderingGlitch | Site metasploit.com

This Metasploit module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw, obtains root and disables code signing. Finally we download and execute the meterpreter payload. This module has been tested against iOS 7.1.2 on an iPhone 4.

tags | exploit, kernel, root, shellcode
systems | apple, iphone, ios
advisories | CVE-2016-4669, CVE-2018-4162
SHA-256 | 8ca4b125e9aba514f4d2bd3c12b5189f4dceafcaab577262cc602a11c87480fb
iOS / macOS Wifi Proximity Kernel Double-Free
Posted Jun 25, 2020
Authored by Google Security Research, Ian Beer

iOS and macOS suffered from a wifi proximity kernel double-free vulnerability in AWDL BSS Steering.

tags | exploit, kernel
systems | ios
advisories | CVE-2020-3843, CVE-2020-9844
SHA-256 | 185ed329e279974bff794995bb28d911a3d0487fe537cf5e9f91c71beea77fb6
iOS / macOS AWDL Heap Corruption / Bounds Checking
Posted Mar 9, 2020
Authored by Google Security Research, Ian Beer

A remote iOS / macOS heap corruption issue exists due to insufficient bounds checking in AWDL.

tags | exploit, remote
systems | ios
advisories | CVE-2020-3843
SHA-256 | 1e68cf9915d34a1e26c5b0144404e1b0fe8b04f018d7bdc8675b27fbd497f2c1
Samsung /dev/tsmux Heap Out-Of-Bounds Write
Posted Feb 13, 2020
Authored by Google Security Research, Ian Beer

The Samsung kernel suffers from a heap out-of-bounds write in /dev/tsmux.

tags | exploit, kernel
SHA-256 | cfdc74006e656bf14b792a3ef9b9b45e5579d2eed455326e014482691d8ebf38
XPC Memory Disclosure / Corruption
Posted Feb 13, 2020
Authored by Google Security Research, Ian Beer

XPC fast path fails to ensure NULL termination of XPC strings, leading to memory disclosure and corruption vulnerabilities in XPC services.

tags | exploit, vulnerability
advisories | CVE-2020-3856
SHA-256 | 177cb639e6a25a5904e8f4f9ae68c987f945f93207a3d09333a7ea42bc47e766
macOS / iOS launchd XPC Message Parsing Memory Corruption
Posted Feb 13, 2020
Authored by Google Security Research, Ian Beer

launchd on macOS and iOS suffers from a memory corruption issue due to a lack of bounds checking when parsing XPC messages.

tags | exploit
systems | ios
advisories | CVE-2020-3829
SHA-256 | 13c83122693a08ee0f24211a2e669324b5b58b62191c82afb69d83c51fdecf4a
XNU vm_map_copy Insufficient Fix
Posted Jan 22, 2020
Authored by Google Security Research, Ian Beer

An insufficient fix for CVE-2019-6205 means the XNU vm_map_copy optimization, which requires atomicity, is still not atomic.

tags | exploit
advisories | CVE-2019-6205, CVE-2019-8833
SHA-256 | 64852008642517c7a6286853a18dc6ef2a98bff2e171d9812bbe7c77a11b7b7d
iOS mediaserverd Integer Overflow Sandbox Escape
Posted Nov 15, 2019
Authored by Google Security Research, Ian Beer

iOS suffers from a sandbox escape vulnerability due to an integer overflow in mediaserverd.

tags | exploit, overflow
systems | ios
SHA-256 | 2b4a9f24dc9fb9fa02db02c8a4e93a710241e3d12f49d9ae097344a6df912908
Safari Webkit Proxy Object Type Confusion
Posted Jun 2, 2019
Authored by saelo, Ian Beer, Siguza, niklasb | Site metasploit.com

This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The process's credential and sandbox structure in the kernel is overwritten and the meterpreter payload's code signature hash is added to the kernel's trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.

tags | exploit, arbitrary, kernel, javascript, shellcode
advisories | CVE-2017-13861, CVE-2018-4233
SHA-256 | ac8550e0b0dd814a249c313353fcb65341e18bb2e59885151b0cffac8172e060
iOS / MacOS PF_KEY Kernel Heap Overflow
Posted Jan 31, 2019
Authored by Google Security Research, Ian Beer

iOS and MacOS suffer from a kernel heap overflow in PF_KEY due to lack of bounds checking when retrieving statistics.

tags | exploit, overflow, kernel
systems | ios
advisories | CVE-2019-6213
SHA-256 | bdaf091fad9a237fd95f4fa168b1b385cfb161f48fc179a6801b4e62a8099278
XNU vm_map_copy Optimization Issue
Posted Jan 31, 2019
Authored by Google Security Research, Ian Beer

The XNU vm_map_copy optimization, which requires atomicity, is not atomic. This violates the semantics of mach message OOL memory and leads to TOCTOU issues which can result in memory corruption.

tags | exploit
advisories | CVE-2019-6205
SHA-256 | b373ad17106c25ccfb2435934691e9a515824d6d61c83d2a4930737e86b27e33
iOS / MacOS iohideventsystem Sandbox Escape
Posted Jan 31, 2019
Authored by Google Security Research, Ian Beer

iOS and MacOS suffer from sandbox escape vulnerabilities due to type confusions and memory safety issues in iohideventsystem.

tags | exploit, vulnerability
systems | ios
advisories | CVE-2019-6214
SHA-256 | b146623feeb4a1369ee8ad78d27a529480b21c17737e192ad3c2686b0448d8cb
MacOS 10.14.1 libxpc Deallocation
Posted Jan 31, 2019
Authored by Google Security Research, Ian Beer

libxpc on MacOS version 10.14.1 suffers from an arbitrary mach port name deallocation in XPC services due to invalid mach message parsing in _xpc_serializer_unpack.

tags | exploit, arbitrary
advisories | CVE-2019-6218
SHA-256 | 861787c4c8e28e6258f60f01561930d07585075db06c25a1f80b7aadb5eeb770
Apple Intel GPU Driver Use-After-Free / Double-Delete
Posted Oct 19, 2018
Authored by Google Security Research, Ian Beer

The Apple Intel GPU driver suffers from use-after-free and double-delete issues due to bad locking.

tags | advisory
systems | apple
advisories | CVE-2018-4334
SHA-256 | 4d6791432618061cb975059371e237f9a46d82d2bec01d12172ccd55d321b85d
iOS / macOS HID Event System Sandbox Escape
Posted Oct 19, 2018
Authored by Google Security Research, Ian Beer

iOS and macOS suffer from a sandbox escape due to a trusted length field in shared memory used by the HID event subsystem.

tags | advisory
systems | ios
SHA-256 | 9f92e17a4bc90ee3be401ed5757d7b0662a8fcc83025305c4d6a1dcfb6c4d537
Page 1 of 6

© 2022 Packet Storm. All rights reserved.