what you don't know can hurt you
Showing 1 - 25 of 29 RSS Feed

Files from Felix Wilhelm

Email addressfwilhelm at google.com
First Active2010-11-20
Last Active2021-11-22
KVM SVM Out-Of-Bounds Read/Write
Posted Nov 22, 2021
Authored by Google Security Research, Felix Wilhelm

A KVM guest using SEV-ES (Secure Encrypted Virtualization - Encrypted State) can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT using the exit reason SVM_EXIT_IOIO.

tags | advisory, kernel
MD5 | 24767f69b195bc395343e5e0783896f5
KVM nested_svm_vmrun Double Fetch
Posted Jun 30, 2021
Authored by Google Security Research, Felix Wilhelm

A KVM guest on AMD can launch a L2 guest without the Intercept VMRUN control bit by exploiting a TOCTOU vulnerability in nested_svm_vmrun. Executing vmrun from the L2 guest, will then trigger a second call to nested_svm_vmrun and corrupt svm->nested.hsave with data copied out of the L2 vmcb. For kernel versions that include the commit "2fcf4876: KVM: nSVM: implement on demand allocation of the nested state" (>=5.10), the guest can free the MSR permission bit in svm->nested.msrpm, while it's still in use and gain unrestricted access to host MSRs.

tags | exploit, kernel
advisories | CVE-2021-29657
MD5 | 814987fd3e7902c83f77c7f4aa4a3585
AWS CloudShell Terminal Escape Injection / Remote Code Execution
Posted May 10, 2021
Authored by Google Security Research, Felix Wilhelm

The javascript terminal emulator used by AWS CloudShell handles certain terminal escape codes incorrectly. This can lead to remote code execution if attacker controlled data is displayed in a CloudShell instance.

tags | exploit, remote, javascript, code execution
MD5 | a07ebf4a753f14e46c966e23a4c3cf0b
F5 Big IP ASM is_hdr_criteria_matches Buffer Overflow
Posted Mar 11, 2021
Authored by Google Security Research, Felix Wilhelm

The bd daemon, which runs as part of the F5 BIG-IP Application Security Manager (ASM), is vulnerable to a stack-based buffer overflow when processing overlong HTTP response headers in the is_hdr_criteria_matches function.

tags | exploit, web, overflow
advisories | CVE-2021-22992
MD5 | fb4bb5a73422ead38863ca80421b7215
F5 Big IP TMM uri_normalize_host Information Disclosure / Out-Of-Bounds Write
Posted Mar 11, 2021
Authored by Google Security Research, Felix Wilhelm

Big IP's Traffic Management Microkernels (TMM) URI normalization incorrectly handles invalid IPv6 hostnames allowing for information disclosure and an out-of-bounds write condition.

tags | exploit, info disclosure
advisories | CVE-2021-22991
MD5 | 7bbc96ec1d50a3a238d0764ad16101ea
Package Control Arbitrary File Write
Posted Feb 26, 2021
Authored by Google Security Research, Felix Wilhelm

Package Control suffers from an arbitrary file write vulnerability.

tags | exploit, arbitrary
MD5 | fc1001c8bbe8a7cae533f770aa149604
Node.js TLSWrap Use-After-Free
Posted Jan 5, 2021
Authored by Google Security Research, Felix Wilhelm

Node version 14.11.0 is vulnerable to a use-after-free bug in its TLS implementation.

tags | exploit
MD5 | 605c74b7f6ed00900884dafc459cf57e
usrsctp HMAC Generation Out-Of-Bounds Access
Posted Dec 14, 2020
Authored by Google Security Research, Felix Wilhelm

usrsctp suffers from insecure HMAC generation that can lead to out-of-bounds access.

tags | exploit
MD5 | 60dae1b024aad137dbbc2e032f8413ac
usrsctp pending_reply_queue Out-Of-Bounds Access
Posted Dec 14, 2020
Authored by Google Security Research, Felix Wilhelm

usrsctp suffers from a usrsctp pending_reply_queue out-of-bounds access vulnerability.

tags | exploit
MD5 | fbfd1f9af88626326bb98128c859b372
Apache 2 HTTP2 Module Concurrent Pool Usage
Posted Dec 7, 2020
Authored by Google Security Research, Felix Wilhelm

Apache 2 suffers from an issue with concurrent pool usage in the http2 module.

tags | advisory
advisories | CVE-2020-11993
MD5 | 8e2f6c32f5529339e29797af43253dee
Apache 2.4.43 mod_http2 Memory Corruption
Posted Dec 7, 2020
Authored by Google Security Research, Felix Wilhelm

Apache 2 suffers from a memory corruption vulnerability in the mod_http2 push diary implementation.

tags | exploit
advisories | CVE-2020-9490
MD5 | 8368f936e5103096fbffcf0dc212a89e
GitHub Widespread Injection
Posted Nov 3, 2020
Authored by Google Security Research, Felix Wilhelm

Github Actions supports a feature called workflow commands that is susceptible to widespread code injection vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2020-15228
MD5 | ed0cc8399b9664318e4cac10f05729b5
Kubernetes AWS IAM Integration Issues
Posted Oct 13, 2020
Authored by Google Security Research, Felix Wilhelm

Kubernetes has multiple issues in aws-iam-authenticator where lax controls can lead to a lower security posture.

tags | advisory
MD5 | 0efac33980805dcdab8d64773d7981d5
Hashicorp Vault GCP IAM Integration Authentication Bypass
Posted Oct 6, 2020
Authored by Google Security Research, Felix Wilhelm

HashiCorp Vault's GCP authentication method can be bypassed on gce type roles that do not specify bound_service_accounts. Vault does not enforce that the compute_engine data in a signed JWT token has any relationship to the service account that created the token. This makes it possible to impersonate arbitrary GCE instances, by creating a JWT token with a faked compute_engine struct, using an arbitrary attacker controlled service account.

tags | exploit, arbitrary
advisories | CVE-2020-16251
MD5 | 7b83f776aff7e235a44aa2d4f4125bb8
Hashicorp Vault AWS IAM Integration Authentication Bypass
Posted Oct 6, 2020
Authored by Google Security Research, Felix Wilhelm

HashiCorp Vault's AWS IAM authentication method can be bypassed by sending a serialized request to the STS AssumeRoleWithWebIdentity method as part of the authentication flow. The request triggers a JSON encoded response from the STS server, which can contain a fully-attacker controlled fake GetCallerIdentityResponse as part of its body. As the Vault response parser ignores non-xml content before and after the malicious response, this can be used to spoof arbitrary AWS identities and roles.

tags | exploit, arbitrary, spoof
advisories | CVE-2020-16250
MD5 | c2e3c92a813a0ec7ee985df9b624b079
Apache2 mod_proxy_uwsgi Incorrect Request Handling
Posted Aug 31, 2020
Authored by Google Security Research, Felix Wilhelm

Apache2 suffers from an incorrect handling of large requests issue in mod_proxy_uwsgi.

tags | advisory
advisories | CVE-2020-11984
MD5 | 794813ee73c7fb742550accd8b61f2e2
Node.js Hostname Verification Bypass
Posted Jun 3, 2020
Authored by Google Security Research, Felix Wilhelm

Insecure TLS session reuse can lead to a hostname verification bypass in Node.js.

tags | exploit
MD5 | 9bde5356a44eb307d096d404cbcdc1d0
haproxy hpack-tbl.c Out-Of-Bounds Write
Posted Apr 21, 2020
Authored by Google Security Research, Felix Wilhelm

The haproxy hpack implementation in hpack-tbl.c handles 0-length HTTP headers incorrectly. This can lead to a fully controlled relative out-of-bounds write when processing a malicious HTTP2 request (or response).

tags | exploit, web
advisories | CVE-2020-11100
MD5 | ec4200ed138e11159b83e1a1d18ff6d3
Git Credential Helper Protocol Newline Injection
Posted Apr 15, 2020
Authored by Google Security Research, Felix Wilhelm

A git clone action can leak cached / stored credentials for github.com to example.com due to insecure handling of newlines in the credential helper protocol.

tags | exploit, protocol
advisories | CVE-2020-5260
MD5 | c958ad3ac0a7a989d1f7f2c9f24fadb6
KVM VMX Preemption Timer Use-After-Free
Posted Feb 16, 2019
Authored by Google Security Research, Felix Wilhelm

KVM suffers from a use-after-free vulnerability after using the emulated VMX preemption timer.

tags | exploit
advisories | CVE-2019-7221
MD5 | a0d1f27f5e38bc4b60b7e3417a578978
KVM kvm_inject_page_fault Uninitialized Memory Leak
Posted Feb 16, 2019
Authored by Google Security Research, Felix Wilhelm

KVM suffers from an uninitialized memory leak vulnerability in kvm_inject_page_fault.

tags | exploit, memory leak
advisories | CVE-2019-7222
MD5 | d143badc5670e32e28cf7e6fb40d4424
Evince CBT File Command Injection
Posted Feb 7, 2019
Authored by Sebastian Krahmer, Brendan Coles, Matlink, Felix Wilhelm | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Evince before version 3.24.1 when opening comic book `.cbt` files. Some file manager software, such as Nautilus and Atril, may allow automatic exploitation without user interaction due to thumbnailer preview functionality. Note that limited space is available for the payload.

tags | exploit
advisories | CVE-2017-1000083
MD5 | 518ed0c670d289725a426edf1b4243c3
NetworkManager Daemon Command Execution
Posted Sep 6, 2018
Authored by Sameer Goyal, Felix Wilhelm

This is a small tutorial write up that provides a DynoRoot exploit proof of concept.

tags | exploit, proof of concept
advisories | CVE-2018-1111
MD5 | 34564033c2577542c76d3de9c82d2615
Xen xen-netback xenvif_set_hash_mapping Integer Overflow
Posted Aug 17, 2018
Authored by Google Security Research, Felix Wilhelm

Xen suffers from an integer overflow vulnerability in xen-netback xenvif_set_hash_mapping.

tags | advisory, overflow
MD5 | 056a37f9c265e3d9566b012c2ea95423
KVM Nest Virtualization L1 Guest Privilege Escalation
Posted Jun 25, 2018
Authored by Google Security Research, Felix Wilhelm

When KVM (on Intel) virtualizes another hypervisor as L1 VM it does not verify that VMX instructions from the L1 VM (which trigger a VM exit and are emulated by L0 KVM) are coming from ring 0.

tags | exploit
MD5 | 52237ddbf09d9e8e93706408732deecf
Page 1 of 2
Back12Next

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close