Showing 1 - 25 of 148

Files from lokihardt

First Active: 2017-02-24
Last Active: 2019-08-29
Webkit JSC JIT ArgumentsEliminationPhase::transform Uninitialized Variable Access
Posted Aug 29, 2019
Authored by Google Security Research, lokihardt

Webkit JSC JIT suffers from an uninitialized variable access vulnerability in ArgumentsEliminationPhase::transform.

tags | exploit
advisories | CVE-2019-8689
SHA-256 | 13d8e2202cdebf7ff53e2e5906bdd6ba343e47a89003e53597579db4cb95bcdc
JSC YarrJIT initParenContextFreeList Byte Overwrite
Posted Jul 30, 2019
Authored by Google Security Research, lokihardt

A bug in JSC YarrJIT initParenContextFreeList allows for bytes to be overwritten.

tags | exploit
SHA-256 | 038399bf2390bfa66637b2a2feb687184873772e215bfdc1e773cfc1d47d7c58
JSC BytecodeGenerator::emitEqualityOpImpl Data Mishandling
Posted Jul 30, 2019
Authored by Google Security Research, lokihardt

JSC suffers from a data mishandling bug in BytecodeGenerator::emitEqualityOpImpl.

tags | exploit
advisories | CVE-2019-8684
SHA-256 | 8bea8fb18d0ac7ce60485d227dcad33f12182219301a7157fc251e6f00c07bfb
WebKit JSC reifyStaticProperty Attribute Flag Issue
Posted Feb 21, 2019
Authored by Google Security Research, lokihardt

WebKit JSC has an issue where reifyStaticProperty needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter.

tags | exploit
advisories | CVE-2019-6215
SHA-256 | 8b5b037a7c556813e39c8ace7602b2465e0d1f1bd48644498c3c77c7c30f96e6
Microsoft Edge Chakra InlineArrayPush Type Confusion
Posted Jan 17, 2019
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a Chakra related type confusion vulnerability in InlineArrayPush.

tags | exploit
advisories | CVE-2018-8617
SHA-256 | 789b214a31a71d7137e78ec7849729dcb9e3b8a75a7308f4a4b8b569c079222e
Microsoft Edge Chakra JIT Use-After-Free / Flag Issue
Posted Jan 17, 2019
Authored by Google Security Research, lokihardt

In Microsoft Edge, the JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js, which initializes some builtin objects. Because that file is essentially written in JavaScript, the method needs to clear the disable-implicit-call flag before calling into it, otherwise the JavaScript code might not work properly. The problem is that it does not restore the previous state of the flag after the call. Since setting the flag is what prevents stack-allocated objects from leaking, failing to restore it can lead to a stack-based use-after-free.

tags | exploit, javascript
advisories | CVE-2019-0568
SHA-256 | 14479c28aa5ae1e0dc9a32a161983c6f54edccede8ffc1cffcdd19ac29ae8022
Microsoft Edge Chakra JIT InitClass Type Confusion
Posted Jan 17, 2019
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a type confusion vulnerability in InitClass.

tags | advisory
advisories | CVE-2019-0539
SHA-256 | 367c15a86b6530dbd43aa9b2697e9a86c38d5e598f2ee86f71e076458456cbc2
Microsoft Edge Chakra JIT NewScObjectNoCtor / InitProto Type Confusion
Posted Jan 17, 2019
Authored by Google Security Research, lokihardt

Microsoft Edge has an issue where the NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but they can have side effects via the type handler's SetIsPrototype method, which can cause a transition to a new type. This can lead to type confusion in JITed code.

tags | exploit
advisories | CVE-2019-0567
SHA-256 | 834d31cccca1204e88d3a244cd1080b2a05229d26e439537775eea80ec254732
WebKit JSC JIT Use-After-Free
Posted Jan 16, 2019
Authored by Google Security Research, lokihardt

The doesGC function takes a node and reports whether it might cause a garbage collection. This function is used to decide whether to insert write barriers. But it misses some cases, such as StringCharAt, StringCharCodeAt and GetByVal, which might cause a garbage collection via rope strings. As a result, it can lead to a use-after-free condition.

tags | exploit
advisories | CVE-2018-4442
SHA-256 | bc8f411013dffe95aeaebd8e26ff3d39ee578b4902d99f8e61e2efdb6d784584
WebKit JSC AbstractValue::set Use-After-Free
Posted Dec 27, 2018
Authored by Google Security Research, lokihardt

WebKit JSC suffers from a use-after-free vulnerability that can be used to bypass write barriers.

tags | exploit
advisories | CVE-2018-4443
SHA-256 | e2420c7cbbee92aac272000675d9ecac14ee6bdf6f20e39b27fbf5fba2af6409
WebKit JSC JSArray::shiftCountWithArrayStorage Out-Of-Bounds Read / Write
Posted Dec 27, 2018
Authored by Google Security Research, lokihardt

WebKit JSC suffers from out-of-bounds read and write vulnerabilities in JSArray::shiftCountWithArrayStorage.

tags | exploit, vulnerability
advisories | CVE-2018-4441
SHA-256 | c4b1f3aa03b2cfee8c12ef1dd3ea676dd2720b30657ed4e85a3e0f70a77f9a7c
WebKit JIT Proxy Object Issue
Posted Dec 12, 2018
Authored by Google Security Research, lokihardt

WebKit JIT int32/double arrays can have proxy objects in the prototype chains.

tags | exploit
advisories | CVE-2018-4438
SHA-256 | b72e0f1dda78c9271d153bfcea2251e8e8076edf33feb8f85efce34262d3b258
WebKit JSC ForInContext Invalidation
Posted Nov 30, 2018
Authored by Google Security Research, lokihardt

WebKit JSC has an issue where BytecodeGenerator::hoistSloppyModeFunctionIfNecessary does not invalidate the ForInContext object.

tags | exploit
advisories | CVE-2018-4386
SHA-256 | 2751e0f6a8f902aff80fed20940889e7b425689a3222eb806fc6878759565dbc
WebKit JIT ByteCodeParser::handleIntrinsicCall Type Confusion
Posted Nov 30, 2018
Authored by Google Security Research, lokihardt

WebKit JIT has type confusion bugs in ByteCodeParser::handleIntrinsicCall.

tags | exploit
advisories | CVE-2018-4382
SHA-256 | 80230144bdea861cdd786d198f4417655144fdae813a68d336ee57b1a9cea2fd
WebKit JSC JIT JSPropertyNameEnumerator Type Confusion
Posted Nov 30, 2018
Authored by Google Security Research, lokihardt

When a for-in loop is executed, a JSPropertyNameEnumerator object is created at the beginning and used to store information about the object the loop iterates over. Inside the loop, the structure ID of the "this" object of every get_by_id expression that takes the loop variable as the index is compared to the structure ID cached in the JSPropertyNameEnumerator. If they match, the "this" object of the get_by_id expression is treated as having the same structure as the loop's input object. The problem is that nothing prevents the structure the cached ID refers to from being freed. As structure IDs can be reused after their owners are freed, this can lead to type confusion.

tags | exploit
advisories | CVE-2018-4416
SHA-256 | 8f4f4959d722f37276fc6cd1ba9725d214fa2d1eafa97af721346d7487bda487
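The entry above describes a cache keyed on a recyclable structure ID with nothing holding the structure alive. The following toy model, added here and not WebKit code, shows why that is unsound: a structure table that recycles IDs, an enumerator that caches only the ID (vulnerable) beside one that keeps a reference to the structure object (hardened), and a get_by_id fast path that trusts a match. All names (StructureTable, makeEnumeratorById, getByIdFastPath, slot offsets) are invented for the illustration; the "slots" array stands in for an object's inline property storage.

```javascript
// Added illustration, not WebKit code: a toy model of a structure ID table that
// recycles IDs, and of a for-in enumerator that caches only the ID.

class StructureTable {
  constructor() {
    this.byId = new Map();
    this.freeIds = [];
    this.nextId = 1;
  }
  // Hand out a recycled ID first, the way a real ID table would.
  allocate(propertyNames) {
    const id = this.freeIds.length > 0 ? this.freeIds.pop() : this.nextId++;
    const structure = { id, propertyNames: [...propertyNames] };
    this.byId.set(id, structure);
    return structure;
  }
  free(structure) {
    this.byId.delete(structure.id);
    this.freeIds.push(structure.id);
  }
}

function makeObject(structure, values) {
  return { structure, slots: [...values] };
}

// Vulnerable flavour: the enumerator records a number, and nothing it holds
// keeps the structure alive.
function makeEnumeratorById(structure) {
  return {
    cachedStructureId: structure.id,
    matches(receiver) { return receiver.structure.id === this.cachedStructureId; },
  };
}

// Hardened flavour: the enumerator holds the structure object itself, so a
// recycled ID can never pass as the original structure.
function makeEnumeratorByRef(structure) {
  return {
    structure,
    matches(receiver) { return receiver.structure === this.structure; },
  };
}

// The get_by_id fast path inside the loop body: on a match the slot is read by
// offset with no further check, which is what makes a stale match dangerous.
function getByIdFastPath(enumerator, receiver, offset) {
  return enumerator.matches(receiver)
    ? { hit: true, value: receiver.slots[offset] }
    : { hit: false, value: undefined };
}

function demonstrate() {
  const table = new StructureTable();
  const s1 = table.allocate(['a', 'b']);
  const loopInput = makeObject(s1, [1, 2]);
  const byId = makeEnumeratorById(s1);
  const byRef = makeEnumeratorByRef(s1);
  const legit = getByIdFastPath(byId, loopInput, 1); // offset 1 is "b"

  // The loop's original structure dies and its ID is recycled for a structure
  // with a different shape: one property, so one slot.
  table.free(s1);
  const s2 = table.allocate(['x']);
  const impostor = makeObject(s2, [42]);

  const stale = getByIdFastPath(byId, impostor, 1);
  const safe = getByIdFastPath(byRef, impostor, 1);
  return {
    legitValue: legit.value,        // 2
    idReused: s2.id === byId.cachedStructureId,
    staleHit: stale.hit,            // true: the ID matches, so the layout is trusted
    staleValue: stale.value,        // undefined here; in native code an out-of-bounds read
    hardenedHit: safe.hit,          // false: the object identity differs
  };
}
```

In the model the stale hit only yields undefined; in the engine the same offset is applied to a differently shaped object's storage, which is the type confusion the entry describes. The hardened variant makes the cached structure reachable from the enumerator, so the collector cannot free it and its ID cannot be recycled while the loop is live.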
Microsoft Edge Chakra OP_Memset Type Confusion
Posted Nov 19, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a Chakra OP_Memset type confusion vulnerability.

tags | exploit
SHA-256 | 611fa33be1a70a1567073da40901233c4521faaaa46eb3028856e6977091b785
Microsoft Edge Chakra JIT Type Confusion Bug
Posted Oct 11, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a Chakra JIT type confusion bug.

tags | exploit
advisories | CVE-2018-8467
SHA-256 | f1c02ccc951ceda6d6a1421129878de1d9f26aadbd450419b54c25dda564411f
Microsoft Edge Chakra JIT BailOutOnInvalidatedArrayHeadSegment Check Bypass
Posted Oct 11, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a Chakra JIT BailOutOnInvalidatedArrayHeadSegment check bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2018-8466
SHA-256 | ec00b94941d6f0c365dbfe398115342baba4da955810b213e9dedced9dae355c
Microsoft Edge Sandbox Escape
Posted Sep 27, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a sandbox escape vulnerability.

tags | exploit
advisories | CVE-2018-8463, CVE-2018-8468, CVE-2018-8469
SHA-256 | 53dae687e4a4409c81987ce450a88ac52d2a2a51eac4971e2a0712be2ba423d2
Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion
Posted Sep 18, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra suffers from a type confusion vulnerability with PathTypeHandlerBase::SetAttributesHelper.

tags | exploit
advisories | CVE-2018-8384
SHA-256 | 4e5a6b1c1ad36809123bcb9eced0fa48ac450dae86ec04c8b0efbd7b86c77fd8
Microsoft Edge Chakra JIT localeCompare Type Confusion
Posted Sep 18, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from a type confusion vulnerability in localeCompare.

tags | exploit
advisories | CVE-2018-8355
SHA-256 | 78f38be2f2306af460f7ceb3b4272fa71d5e515678096e5f3e5ef2769afdf332
Microsoft Edge Chakra InitializeNumberFormat / InitializeDateTimeFormat Type Confusion
Posted Aug 17, 2018
Authored by Google Security Research, lokihardt

The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer: one for WinGlob and the other for ICU. The problem is that the ICU versions don't check whether the given object has already been initialized. This allows the same object to be initialized multiple times, which can lead to type confusion.

tags | exploit
advisories | CVE-2018-8298
SHA-256 | f97ca7991e591cef05e7ed6feb1a7ced14a0b1f33f4e0b684d0bbfae83d9c790
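The entry above comes down to a missing "already initialized" check on a shared internal slot. The following model, added here and not Chakra or Intl.js code, shows the consequence: two initializers write different state shapes into the same slot, and a routine specialised for one shape reads the other. The slot symbol, state fields and the scaleByFractionDigits routine are invented for the illustration; the `checked` switch selects the guarded or unguarded behaviour.

```javascript
// Added illustration, not Chakra or Intl.js code: two initializers sharing one
// internal slot, with and without an "already initialized" check.

const SLOT = Symbol('intlInternalState');

function initNumberFormat(obj, { checked }) {
  if (checked && obj[SLOT] !== undefined) {
    throw new TypeError('object is already initialized');
  }
  obj[SLOT] = { kind: 'NumberFormat', fractionDigits: 2 };
  return obj;
}

function initDateTimeFormat(obj, { checked }) {
  if (checked && obj[SLOT] !== undefined) {
    throw new TypeError('object is already initialized');
  }
  obj[SLOT] = { kind: 'DateTimeFormat', pattern: 'yyyy-MM-dd' };
  return obj;
}

// A routine specialised for NumberFormat state: the kind was validated once at
// creation and is never re-checked, as a fast path would behave.
function scaleByFractionDigits(obj, n) {
  return Math.round(n * 10 ** obj[SLOT].fractionDigits);
}

function demonstrate(checked) {
  const nf = initNumberFormat({}, { checked });
  const before = scaleByFractionDigits(nf, 1.234); // 123
  let reinitialized;
  try {
    initDateTimeFormat(nf, { checked }); // second initialization of the same object
    reinitialized = true;
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
    reinitialized = false;
  }
  return {
    before,
    reinitialized,
    kindAfter: nf[SLOT].kind,
    after: scaleByFractionDigits(nf, 1.234), // NaN once the slot holds DateTimeFormat state
  };
}
```

With `checked` false the object ends up carrying DateTimeFormat state while code still treats it as a NumberFormat, which is the benign version of the confusion; in an engine the equivalent mismatch is between native-backed fields, not JavaScript properties.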
Microsoft Edge Chakra JIT InlineArrayPush Type Confusion
Posted Aug 17, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from a type confusion vulnerability with InlineArrayPush.

tags | exploit
SHA-256 | 4d7c1c0bd391258ccf4d2a6df0bbe9fce45d445b76d8eb5317891fd7fc1cfef5
Microsoft Edge Chakra DictionaryPropertyDescriptor::CopyFrom Failed Copy
Posted Aug 17, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra has an issue where DictionaryPropertyDescriptor::CopyFrom does not copy all fields.

tags | exploit
advisories | CVE-2018-8291
SHA-256 | 02a9af64a615a45ba93686901284c1ca585f8e53c27860a4cfcb2c7a25376b37
Microsoft Edge Chakra Parameter Scope Parsing Bug
Posted Aug 17, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra suffers from a parameter scope parsing bug.

tags | exploit
advisories | CVE-2018-8279
SHA-256 | a916e8ee259ed452ab0ef0b7d6f4f736a5c6609e52233de54ab3341897861228
© 2022 Packet Storm. All rights reserved.