Showing 1 - 25 of 37

Files from Felix Wilhelm

Email address: fwilhelm at google.com
First Active: 2010-11-20
Last Active: 2023-01-02
crewjam/saml Signature Bypass
Posted Jan 2, 2023
Authored by Google Security Research, Felix Wilhelm

The crewjam/saml Go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.

tags | exploit
advisories | CVE-2022-41912
SHA-256 | b98f26482dd59c89089a43c62936c2461318247bab55a7aaca8bb5e77ff8ba10
Node-saml Root Element Signature Bypass
Posted Nov 14, 2022
Authored by Google Security Research, Felix Wilhelm

Node-saml and its partner project passport-saml are vulnerable to an authentication bypass due to lax parsing of SAML responses.

tags | exploit
advisories | CVE-2022-39299
SHA-256 | 1409b388d1ff3591b0f738957b81678639bad9a730829cf9d04b2f5f4e2e8a40
.NET XML Signature Verification External Entity Injection
Posted Sep 9, 2022
Authored by Google Security Research, Felix Wilhelm

XML signature verification in .NET 6 as implemented in System.Security.Cryptography.Xml.SignedXml is vulnerable to external entity injection attacks.

tags | exploit
advisories | CVE-2022-34716
SHA-256 | fb9e0a77092860baf50e4dd27de48b363926968c3606d0db1631fac8f83f0ff4
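The three advisories above (crewjam/saml, node-saml and .NET SignedXml) share a root cause: the verifier trusts a document shape it never checked. The Go function below is an added example and not code from any of those projects. It runs a pre-flight over the raw token stream before any signature verification or assertion processing and rejects a DOCTYPE (the external-entity vector), a root element other than samlp:Response (a wrapper above the element the signature is expected to cover), and anything other than exactly one saml:Assertion sitting as a direct child of that root. The sample responses are constructed and deliberately minimal (no ds:Signature elements); the namespaces are the SAML 2.0 ones.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// SAML 2.0 namespaces (OASIS core spec).
const (
	nsProtocol  = "urn:oasis:names:tc:SAML:2.0:protocol"
	nsAssertion = "urn:oasis:names:tc:SAML:2.0:assertion"
)

// preflightSAMLResponse inspects the raw token stream of a SAML Response
// before any signature check. It rejects a DOCTYPE, a root element other
// than samlp:Response, and anything but exactly one saml:Assertion placed
// as a direct child of the Response.
func preflightSAMLResponse(doc string) error {
	dec := xml.NewDecoder(strings.NewReader(doc))
	dec.Strict = true
	depth, assertions := 0, 0
	rootSeen := false
	for {
		tok, err := dec.Token()
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil {
			return fmt.Errorf("malformed XML: %w", err)
		}
		switch t := tok.(type) {
		case xml.Directive:
			// <!DOCTYPE ...> carries entity declarations; a signature
			// verifier has no reason to accept one.
			if strings.HasPrefix(strings.TrimSpace(string(t)), "DOCTYPE") {
				return errors.New("DOCTYPE is not allowed in a SAML response")
			}
		case xml.StartElement:
			depth++
			if depth == 1 {
				if rootSeen {
					return errors.New("more than one root element")
				}
				rootSeen = true
				if t.Name.Space != nsProtocol || t.Name.Local != "Response" {
					return fmt.Errorf("root element is %s, not samlp:Response", t.Name.Local)
				}
			}
			if t.Name.Space == nsAssertion && t.Name.Local == "Assertion" {
				if depth != 2 {
					return errors.New("Assertion must be a direct child of Response")
				}
				assertions++
			}
		case xml.EndElement:
			depth--
		}
	}
	if !rootSeen {
		return errors.New("empty document")
	}
	if assertions != 1 {
		return fmt.Errorf("expected exactly one Assertion, found %d", assertions)
	}
	return nil
}

// Constructed, minimal samples (no Signature elements).
const (
	samlHead       = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">`
	assertionAlice = `<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>`
	assertionAdmin = `<saml:Assertion ID="_a2" Version="2.0"><saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>`

	sampleGood          = samlHead + assertionAlice + `</samlp:Response>`
	sampleTwoAssertions = samlHead + assertionAlice + assertionAdmin + `</samlp:Response>`
	sampleWrappedRoot   = `<Wrapper>` + sampleGood + `</Wrapper>`
	sampleDoctype       = `<!DOCTYPE Response [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>` + sampleGood
)

func main() {
	for name, doc := range map[string]string{
		"good": sampleGood, "two assertions": sampleTwoAssertions,
		"wrapped root": sampleWrappedRoot, "doctype": sampleDoctype,
	} {
		fmt.Printf("%-15s -> %v\n", name, preflightSAMLResponse(doc))
	}
}
```

This is a guard, not a substitute for correct signature binding: after the pre-flight passes, the verifier still has to confirm that the element whose content it consumes is the one the signature actually covers.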
Xalan-J XSLTC Integer Truncation
Posted Aug 26, 2022
Authored by Google Security Research, Felix Wilhelm

The Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

tags | exploit, java, arbitrary
advisories | CVE-2022-34169
SHA-256 | 2ba78b07aefa0b49411c9850601bb70eafd9ced41709aea21651ae90f931e2ad
libxml2 xmlBufAdd Heap Buffer Overflow
Posted Jun 1, 2022
Authored by Google Security Research, Felix Wilhelm

libxml2 is vulnerable to a heap buffer overflow when xmlBufAdd is called on a very large buffer.

tags | exploit, overflow
advisories | CVE-2022-29824
SHA-256 | 2e836bc71a5f639b38695645fac3e6f8cf11af986d63af75240bf0a926a562f1
cmark-gfm Integer overflow
Posted Apr 6, 2022
Authored by Google Security Research, Felix Wilhelm

cmark-gfm, GitHub's markdown parsing library, is vulnerable to an out-of-bounds write when parsing markdown tables with a high number of columns due to an overflow of the 16-bit column count.

tags | exploit, overflow
advisories | CVE-2022-24724
SHA-256 | 27a5460a6816fd26f0145be9abc1875edcaf581344dee907385de97828a29203
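The Go snippet below is an added illustration of the truncation described above, not cmark-gfm's own code (cmark-gfm is C). It splits a GFM table row into cells following the spec's rules (an unescaped `|` separates cells, `\|` is a literal pipe), then shows the same cell count narrowed to 16 bits, where 65537 columns wrap to 1, beside a count that is checked against the field's capacity before it is ever narrowed. The 65535 limit is a hypothetical stand-in for whatever bound the allocation path actually enforces.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// splitTableRow splits one GFM table row into cells. An unescaped '|'
// separates cells, "\|" is a literal pipe inside a cell, and a leading or
// trailing pipe is optional.
func splitTableRow(row string) []string {
	row = strings.TrimSpace(row)
	row = strings.TrimPrefix(row, "|")
	var cells []string
	var cur strings.Builder
	endedOnPipe := false
	for i := 0; i < len(row); i++ {
		endedOnPipe = false
		switch c := row[i]; {
		case c == '\\' && i+1 < len(row) && row[i+1] == '|':
			cur.WriteByte('|') // escaped pipe stays inside the cell
			i++
		case c == '|':
			cells = append(cells, strings.TrimSpace(cur.String()))
			cur.Reset()
			endedOnPipe = true
		default:
			cur.WriteByte(c)
		}
	}
	if !endedOnPipe {
		cells = append(cells, strings.TrimSpace(cur.String()))
	}
	return cells
}

// truncatedColumnCount mirrors the pre-fix behaviour: the column count is
// stored in a 16-bit field, so 65537 columns become 1. Any buffer sized
// from this value is far too small for the cells written into it.
func truncatedColumnCount(row string) uint16 {
	return uint16(len(splitTableRow(row)))
}

// maxColumns is a hypothetical limit: the real count is compared against
// the field's capacity before it is narrowed.
const maxColumns = math.MaxUint16

func checkedColumnCount(row string) (int, error) {
	n := len(splitTableRow(row))
	if n > maxColumns {
		return 0, fmt.Errorf("table row has %d columns, limit is %d", n, maxColumns)
	}
	return n, nil
}

// hugeRow builds a constructed row with n one-character cells.
func hugeRow(n int) string {
	return strings.Repeat("x|", n)
}

func main() {
	row := hugeRow(math.MaxUint16 + 2) // 65537 columns
	fmt.Println("16-bit count:", truncatedColumnCount(row))
	_, err := checkedColumnCount(row)
	fmt.Println("checked count:", err)
}
```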
containerd Image Volume Insecure Handling
Posted Mar 24, 2022
Authored by Google Security Research, Felix Wilhelm

containerd suffers from an insecure handling vulnerability related to image volumes.

tags | exploit
advisories | CVE-2022-23648
SHA-256 | b48bfd4366814227d48303e9535b5ccfe89e805d02c9e299e3b73f9fe15bbda5
runc / libcontainer Bind Mount Sources Insecure Handling
Posted Dec 6, 2021
Authored by Google Security Research, Felix Wilhelm

The recent commit #9c4440 introduces two vulnerabilities to libcontainer that can be exploited by an attacker with partial control over the bind mount sources of a new container.

tags | exploit, vulnerability
advisories | CVE-2021-43784
SHA-256 | ed408918fa162c1e37fcd4ed27b9ab361935aa46728e7fcbca4f23d94f8f25d3
KVM SVM Out-Of-Bounds Read/Write
Posted Nov 22, 2021
Authored by Google Security Research, Felix Wilhelm

A KVM guest using SEV-ES (Secure Encrypted Virtualization - Encrypted State) can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT using the exit reason SVM_EXIT_IOIO.

tags | advisory, kernel
SHA-256 | ccc3c93435dc2cf6f740404e0f3468344e1a65dc1fc33ad4cbde80538cdac73e
KVM nested_svm_vmrun Double Fetch
Posted Jun 30, 2021
Authored by Google Security Research, Felix Wilhelm

A KVM guest on AMD can launch an L2 guest without the Intercept VMRUN control bit by exploiting a TOCTOU vulnerability in nested_svm_vmrun. Executing vmrun from the L2 guest then triggers a second call to nested_svm_vmrun and corrupts svm->nested.hsave with data copied out of the L2 vmcb. For kernel versions that include the commit "2fcf4876: KVM: nSVM: implement on demand allocation of the nested state" (>=5.10), the guest can free the MSR permission bitmap in svm->nested.msrpm while it is still in use and gain unrestricted access to host MSRs.

tags | exploit, kernel
advisories | CVE-2021-29657
SHA-256 | d7d8893258c173535d6129f18da5eea5e87415de98e53b981565c55447d30da4
AWS CloudShell Terminal Escape Injection / Remote Code Execution
Posted May 10, 2021
Authored by Google Security Research, Felix Wilhelm

The JavaScript terminal emulator used by AWS CloudShell handles certain terminal escape codes incorrectly. This can lead to remote code execution if attacker-controlled data is displayed in a CloudShell instance.

tags | exploit, remote, javascript, code execution
SHA-256 | f02320214893002ab2b97694c08e9e2330bbb20f2f2bada5f83933c577f951ef
F5 Big IP ASM is_hdr_criteria_matches Buffer Overflow
Posted Mar 11, 2021
Authored by Google Security Research, Felix Wilhelm

The bd daemon, which runs as part of the F5 BIG-IP Application Security Manager (ASM), is vulnerable to a stack-based buffer overflow when processing overlong HTTP response headers in the is_hdr_criteria_matches function.

tags | exploit, web, overflow
advisories | CVE-2021-22992
SHA-256 | 9c44ca360a14fa4cc12518c3c7b3dc3db600141f5960afa5516ad2e74a06f1b5
F5 Big IP TMM uri_normalize_host Information Disclosure / Out-Of-Bounds Write
Posted Mar 11, 2021
Authored by Google Security Research, Felix Wilhelm

BIG-IP's Traffic Management Microkernel (TMM) URI normalization incorrectly handles invalid IPv6 hostnames, allowing for information disclosure and an out-of-bounds write condition.

tags | exploit, info disclosure
advisories | CVE-2021-22991
SHA-256 | 3871783e2fe19713b45a5661f9772f7a4d4281e5f8687d7bb3041ddb2bd1b662
Package Control Arbitrary File Write
Posted Feb 26, 2021
Authored by Google Security Research, Felix Wilhelm

Package Control suffers from an arbitrary file write vulnerability.

tags | exploit, arbitrary
SHA-256 | d829e043ae3215e9a2fc3e3d229f6478a414c15426280fcd8d1c11242690ef75
Node.js TLSWrap Use-After-Free
Posted Jan 5, 2021
Authored by Google Security Research, Felix Wilhelm

Node version 14.11.0 is vulnerable to a use-after-free bug in its TLS implementation.

tags | exploit
SHA-256 | 1f513e648d5b8f3a7fbacd8992a272057c993baa2d4402fc73136e7984a51276
usrsctp HMAC Generation Out-Of-Bounds Access
Posted Dec 14, 2020
Authored by Google Security Research, Felix Wilhelm

usrsctp suffers from insecure HMAC generation that can lead to out-of-bounds access.

tags | exploit
SHA-256 | 69e92243c6bd41974a900dc98b7a0757d386d20f488d2990c84c93ea121be861
usrsctp pending_reply_queue Out-Of-Bounds Access
Posted Dec 14, 2020
Authored by Google Security Research, Felix Wilhelm

usrsctp suffers from an out-of-bounds access in its pending_reply_queue handling.

tags | exploit
SHA-256 | ea5557c59234c8615d7ded46ca3513dc591370aae707b02618e0d07c3615d064
Apache 2 HTTP2 Module Concurrent Pool Usage
Posted Dec 7, 2020
Authored by Google Security Research, Felix Wilhelm

Apache 2 suffers from an issue with concurrent pool usage in the http2 module.

tags | advisory
advisories | CVE-2020-11993
SHA-256 | 4ec68bf66866cfc8f4895d0ba320c5de4dece24c05a02f8d5fafd3449a9ba771
Apache 2.4.43 mod_http2 Memory Corruption
Posted Dec 7, 2020
Authored by Google Security Research, Felix Wilhelm

Apache 2 suffers from a memory corruption vulnerability in the mod_http2 push diary implementation.

tags | exploit
advisories | CVE-2020-9490
SHA-256 | fac8f451f590f673b91a5fc43c92dbcc4b70a80fdb9922484d3853ac610b2025
GitHub Widespread Injection
Posted Nov 3, 2020
Authored by Google Security Research, Felix Wilhelm

GitHub Actions supports a feature called workflow commands that is susceptible to widespread code injection vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2020-15228
SHA-256 | fad674c47b105cfc1035cbe0b4661f311b3d8159fc76033622fa185b205e5785
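Workflow commands are plain lines on a step's stdout of the form ::name key=value::data, so any untrusted string a step prints is a command-injection surface. The Go program below is an added example, not GitHub's runner code: a minimal parser for that line format, a constructed issue title carrying an injected set-env line, and the documented stop-commands wrapper that suppresses interpretation between ::stop-commands::TOKEN and ::TOKEN::. The payload path and the token are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// WorkflowCommand is one "::name key=value,...::data" line as the runner sees it.
type WorkflowCommand struct {
	Name   string
	Params map[string]string
	Data   string
}

// parseCommandLine returns the command on one stdout line, if the line is one.
func parseCommandLine(line string) (WorkflowCommand, bool) {
	if !strings.HasPrefix(line, "::") {
		return WorkflowCommand{}, false
	}
	head, data, ok := strings.Cut(line[2:], "::")
	if !ok {
		return WorkflowCommand{}, false
	}
	name, params, _ := strings.Cut(head, " ")
	if name == "" {
		return WorkflowCommand{}, false
	}
	cmd := WorkflowCommand{Name: name, Params: map[string]string{}, Data: data}
	if params != "" {
		for _, kv := range strings.Split(params, ",") {
			k, v, _ := strings.Cut(kv, "=")
			cmd.Params[k] = v
		}
	}
	return cmd, true
}

// parseWorkflowCommands scans a step's stdout the way the runner does.
// Lines between "::stop-commands::TOKEN" and "::TOKEN::" are plain text,
// which is how a step can print untrusted data without it being executed.
func parseWorkflowCommands(stdout string) []WorkflowCommand {
	var cmds []WorkflowCommand
	stopToken := ""
	for _, line := range strings.Split(stdout, "\n") {
		line = strings.TrimRight(line, "\r")
		if stopToken != "" {
			if line == "::"+stopToken+"::" {
				stopToken = ""
			}
			continue
		}
		cmd, ok := parseCommandLine(line)
		if !ok {
			continue
		}
		if cmd.Name == "stop-commands" && cmd.Data != "" {
			stopToken = cmd.Data
			continue
		}
		cmds = append(cmds, cmd)
	}
	return cmds
}

// Constructed sample: an attacker-controlled issue title whose second line
// is a workflow command.
const untrustedTitle = "Fix typo in README\n::set-env name=NODE_OPTIONS::--require /tmp/payload.js"

// renderStepNaive is what `echo "Processing: $TITLE"` puts on stdout.
func renderStepNaive(title string) string {
	return "Processing: " + title + "\n"
}

// renderStepSafe wraps the same output in a stop-commands block. The token
// must be unpredictable per run, or the attacker can close the block early.
func renderStepSafe(title, token string) string {
	return "::stop-commands::" + token + "\n" + renderStepNaive(title) + "::" + token + "::\n"
}

func main() {
	fmt.Println("naive:", parseWorkflowCommands(renderStepNaive(untrustedTitle)))
	fmt.Println("safe: ", parseWorkflowCommands(renderStepSafe(untrustedTitle, "e4b0c1")))
}
```

The token has to be random for every run: an attacker who can guess it simply emits ::TOKEN:: to end the block and injects after it. GitHub's own response to this advisory was to disable the set-env and add-path commands in favour of the GITHUB_ENV and GITHUB_PATH files, which removes the highest-impact commands from the stdout surface altogether.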
Kubernetes AWS IAM Integration Issues
Posted Oct 13, 2020
Authored by Google Security Research, Felix Wilhelm

Kubernetes has multiple issues in aws-iam-authenticator where lax controls can lead to a lower security posture.

tags | advisory
SHA-256 | e9aec083853e55df0de4b8243a5f9b2535fd421f5ca95a63ffa2769b14ec08e5
Hashicorp Vault GCP IAM Integration Authentication Bypass
Posted Oct 6, 2020
Authored by Google Security Research, Felix Wilhelm

HashiCorp Vault's GCP authentication method can be bypassed on gce-type roles that do not specify bound_service_accounts. Vault does not enforce that the compute_engine data in a signed JWT has any relationship to the service account that created the token. This makes it possible to impersonate arbitrary GCE instances by creating a JWT with a faked compute_engine struct, using an arbitrary attacker-controlled service account.

tags | exploit, arbitrary
advisories | CVE-2020-16251
SHA-256 | 34f611b87b68b7fd6cab37412c7d4092e8b5a0d5ec0b29df2c510e9bc1a45ab4
Hashicorp Vault AWS IAM Integration Authentication Bypass
Posted Oct 6, 2020
Authored by Google Security Research, Felix Wilhelm

HashiCorp Vault's AWS IAM authentication method can be bypassed by sending a serialized request to the STS AssumeRoleWithWebIdentity method as part of the authentication flow. The request triggers a JSON-encoded response from the STS server, which can contain a fully attacker-controlled fake GetCallerIdentityResponse as part of its body. As the Vault response parser ignores non-XML content before and after the malicious response, this can be used to spoof arbitrary AWS identities and roles.

tags | exploit, arbitrary, spoof
advisories | CVE-2020-16250
SHA-256 | b13c4db73c9c1c434d36ca980312a9413268770cfb76417ed250b35bd357b407
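The parser weakness described above is reproducible with Go's encoding/xml alone: xml.Unmarshal skips every token before the first start element and stops reading once that element closes, so it will lift an embedded GetCallerIdentityResponse out of the middle of a JSON body. Below, as an added example and not Vault's code, the lax pattern beside a strict parser that constrains the envelope instead. Assumptions: that a genuine STS reply carries a text/xml content type, and that the constructed JSON body stands in for the AssumeRoleWithWebIdentity response the attacker triggers (the field the fake reply lands in is illustrative, not the real STS layout). Account IDs and identifiers are placeholders.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"mime"
)

// stsNamespace is the namespace of STS Query API responses.
const stsNamespace = "https://sts.amazonaws.com/doc/2011-06-15/"

// GetCallerIdentityResponse mirrors the documented STS reply (our struct, not Vault's).
type GetCallerIdentityResponse struct {
	XMLName xml.Name `xml:"GetCallerIdentityResponse"`
	Result  struct {
		Arn     string `xml:"Arn"`
		UserID  string `xml:"UserId"`
		Account string `xml:"Account"`
	} `xml:"GetCallerIdentityResult"`
}

// parseLax is the pre-fix pattern: xml.Unmarshal ignores everything before
// the first start element and everything after it closes.
func parseLax(body []byte) (GetCallerIdentityResponse, error) {
	var resp GetCallerIdentityResponse
	err := xml.Unmarshal(body, &resp)
	return resp, err
}

// parseStrict accepts only the shape of a genuine reply: an XML content type,
// an optional XML declaration, the expected root element in the STS
// namespace, and nothing but whitespace outside it.
func parseStrict(contentType string, body []byte) (GetCallerIdentityResponse, error) {
	var resp GetCallerIdentityResponse
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil || mediaType != "text/xml" {
		return resp, fmt.Errorf("unexpected Content-Type %q", contentType)
	}
	dec := xml.NewDecoder(bytes.NewReader(body))
	dec.Strict = true
	decoded := false
	for {
		tok, err := dec.Token()
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil {
			return resp, err
		}
		switch t := tok.(type) {
		case xml.ProcInst:
			if decoded || t.Target != "xml" {
				return resp, errors.New("unexpected processing instruction")
			}
		case xml.CharData:
			if len(bytes.TrimSpace(t)) != 0 {
				return resp, errors.New("text outside the root element")
			}
		case xml.StartElement:
			if decoded {
				return resp, errors.New("more than one root element")
			}
			if t.Name.Space != stsNamespace || t.Name.Local != "GetCallerIdentityResponse" {
				return resp, fmt.Errorf("unexpected root element %s", t.Name.Local)
			}
			if err := dec.DecodeElement(&resp, &t); err != nil {
				return resp, err
			}
			decoded = true
		default: // comments and directives have no place in this reply
			return resp, fmt.Errorf("unexpected %T outside the root element", tok)
		}
	}
	if !decoded {
		return resp, errors.New("no GetCallerIdentityResponse element")
	}
	return resp, nil
}

// Constructed samples: a genuine-shaped XML reply and a JSON body carrying
// an attacker-supplied fake reply inside a string field.
const genuineBody = `<?xml version="1.0" encoding="UTF-8"?>
<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:iam::111122223333:user/alice</Arn>
    <UserId>AIDAEXAMPLEUSERID</UserId>
    <Account>111122223333</Account>
  </GetCallerIdentityResult>
</GetCallerIdentityResponse>
`

const spoofedBody = `{"Error":{"Code":"InvalidIdentityToken","Message":"<GetCallerIdentityResponse xmlns='https://sts.amazonaws.com/doc/2011-06-15/'><GetCallerIdentityResult><Arn>arn:aws:iam::111122223333:role/vault-admin</Arn><UserId>AROAEXAMPLEROLEID:x</UserId><Account>111122223333</Account></GetCallerIdentityResult></GetCallerIdentityResponse>"}}`

func main() {
	lax, err := parseLax([]byte(spoofedBody))
	fmt.Println("lax parser:", lax.Result.Arn, err)
	_, err = parseStrict("application/json", []byte(spoofedBody))
	fmt.Println("strict parser on spoofed body:", err)
}
```

The embedded XML is fully attacker-controlled, namespace included, so checks on the element itself prove nothing; the strict parser instead constrains the envelope (content type, a single root, nothing outside it). A complete fix also has to constrain the request Vault agrees to forward in the first place, for instance by accepting only a GetCallerIdentity action, which this example does not model.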
Apache2 mod_proxy_uwsgi Incorrect Request Handling
Posted Aug 31, 2020
Authored by Google Security Research, Felix Wilhelm

Apache2's mod_proxy_uwsgi handles large requests incorrectly.

tags | advisory
advisories | CVE-2020-11984
SHA-256 | a6d25204a474a382b45dc4bcc2aef5cc3b47408552e918aedeac6dce35405571
Node.js Hostname Verification Bypass
Posted Jun 3, 2020
Authored by Google Security Research, Felix Wilhelm

Insecure TLS session reuse can lead to a hostname verification bypass in Node.js.

tags | exploit
SHA-256 | b404dcfa6d845cbd272f8eca0446855bd9671e0f4684dcd3a059efe2b423226d
Page 1 of 2

packet storm

© 2022 Packet Storm. All rights reserved.