
Files from Jann Horn

Email addressjannh at google.com
First Active2013-03-14
Last Active2020-01-22
Android seccomp Filter Ptrace Hole
Posted Feb 19, 2019
Authored by Jann Horn, Google Security Research

On Android, a ptrace hole makes the seccomp filter useless on devices with a kernel version lower than 4.8.

tags | exploit, kernel
MD5 | ec62513ec742cfdc38e9e8d04849f77c
Linux kvm_ioctl_create_device() Reference Flow Failure
Posted Feb 15, 2019
Authored by Jann Horn, Google Security Research

Linux kvm_ioctl_create_device() installs the fd before taking a reference.

tags | exploit
systems | linux
advisories | CVE-2019-6974
MD5 | 2c781194b8d221ac15f3178b357e1b58
Android Binder VMA Use-After-Free
Posted Feb 12, 2019
Authored by Jann Horn, Google Security Research

Android binder suffers from a use-after-free vulnerability in VMA via a race between reclaim and munmap.

tags | exploit
advisories | CVE-2019-1999
MD5 | b595de41d1f8f84b4916fab4d16567de
Android Binder fdget() Optimization Use-After-Free
Posted Feb 12, 2019
Authored by Jann Horn, Google Security Research

Android binder suffers from a use-after-free vulnerability via fdget() optimization.

tags | exploit
advisories | CVE-2019-2000
MD5 | bc3a95911082f54f5d3a2b398792bb8b
Linux Insufficient eBPF Spectre V1 Mitigation
Posted Feb 2, 2019
Authored by Jann Horn, Google Security Research

It has been discovered that the Linux eBPF Spectre v1 mitigation is insufficient.

tags | exploit
systems | linux
advisories | CVE-2019-7308
MD5 | 60ad2b402e4b79e4579ab76baec63e80
XNU copy-on-write Behavior Bypass
Posted Jan 31, 2019
Authored by Jann Horn, Google Security Research

XNU suffers from a copy-on-write behavior bypass via partial-page truncation of a file.

tags | exploit
advisories | CVE-2019-6208
MD5 | 777063e937de55773212655e72ee59fb
Polkit Temporary Authentication Hijacking
Posted Jan 8, 2019
Authored by Jann Horn, Google Security Research

Polkit suffers from a temporary auth hijacking vulnerability via PID reuse and a non-atomic fork.

tags | exploit
MD5 | 57634c3dcea314066b8d2beba7cfe951
CUPS Weak Session Cookie Generation
Posted Dec 12, 2018
Authored by Jann Horn, Google Security Research

CUPS generates session cookies using srandom(time(NULL)) and random() on Linux.

tags | advisory
systems | linux
advisories | CVE-2018-4700
MD5 | 583f7c6a7321642c12877e79a0682883
Linux userfaultfd tmpfs File Permission Bypass
Posted Dec 12, 2018
Authored by Jann Horn, Google Security Research

Linux userfaultfd bypasses tmpfs file permissions.

tags | exploit
systems | linux
advisories | CVE-2018-18397
MD5 | 61256d48b95082beb5d8e4ef759bcd4c
Google Chrome 70.0.3538.77 Cross Site Scripting / Man-In-The-Middle
Posted Dec 11, 2018
Authored by Jann Horn, Google Security Research

Google Chrome version 70.0.3538.77 stable suffers from cross site scripting and man-in-the-middle vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | 983c9bbc501d7d7ca4d8d631173677e7
XNU POSIX Shared Memory Mapping Issue
Posted Dec 11, 2018
Authored by Jann Horn, Google Security Research

XNU has an issue where POSIX shared memory mappings have an incorrect maximum protection.

tags | exploit
advisories | CVE-2018-4435
MD5 | ac2760f95d5d33a22ed9bc8cebfab544
Linux Nested User Namespace idmap Limit Local Privilege Escalation
Posted Nov 28, 2018
Authored by Brendan Coles, Jann Horn | Site metasploit.com

This Metasploit module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from the uidmap package). This Metasploit module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2018-18955
MD5 | bcf9a7b1fda21bc456a3d65c534bf1af
Linux Broken UID/GID Mapping
Posted Nov 16, 2018
Authored by Jann Horn, Google Security Research

Linux has a broken uid/gid mapping for nested user namespaces with greater than 5 ranges.

tags | exploit
systems | linux
advisories | CVE-2018-18955
MD5 | 5a4e9282df80bcac13075f0181391a8b
gVisor runsc Guest -> Host Breakout Via Filesystem Cache Desync
Posted Oct 31, 2018
Authored by Jann Horn, Google Security Research

gVisor runsc suffers from a guest->host breakout via filesystem cache desync.

tags | advisory
MD5 | c5955d055e040d0690a596b137e3036d
Linux mremap() TLB Flush Too Late
Posted Oct 29, 2018
Authored by Jann Horn, Google Security Research

Linux has an issue where mremap() performs a TLB flush too late with concurrent ftruncate().

tags | exploit
systems | linux
advisories | CVE-2018-18281
MD5 | 662f158d83c31c10c9b25a7d01c09b0a
Chrome OS Ancient unrar In CAP_SYS_ADMIN Context
Posted Oct 29, 2018
Authored by Jann Horn, Google Security Research

Chrome OS runs an ancient unrar in CAP_SYS_ADMIN context.

tags | advisory
MD5 | 8fb9a08410a49c789a6cd995c55a1b9e
Linux systemd Symlink Dereference Via chown_one()
Posted Oct 26, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from an issue with systemd where chown_one() can dereference symlinks.

tags | exploit
systems | linux
advisories | CVE-2018-15687
MD5 | 8a7385919cce2220b792617aa434b36b
Linux systemd Line Splitting
Posted Oct 26, 2018
Authored by Jann Horn, Google Security Research

Linux has an issue with systemd where overlong input to fgets() during reexec state injection can lead to line splitting.

tags | exploit
systems | linux
advisories | CVE-2018-15686
MD5 | 7eee1ef6f7faca88b348b6dac9d6b20c
Chrome Debugger Extension API Is Too Powerful
Posted Oct 22, 2018
Authored by Jann Horn, Google Security Research

The Chrome debugger extension API appears to have more power than necessary, including the ability to bypass the check for disabled natives.

tags | advisory
MD5 | 7f04b4dbaa37e47793da6858cb2f0661
Linux BPF Verifier Failed Truncation
Posted Oct 18, 2018
Authored by Jann Horn, Google Security Research

The Linux BPF verifier has an issue where 32-bit RSH verification does not truncate input before the ALU op.

tags | advisory
systems | linux
advisories | CVE-2018-18445
MD5 | 373edc458d7e0a3a57e28573408ae811
Linux Semi-Arbitrary Task Stack Read On ARM64 / x86
Posted Oct 18, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from a semi-arbitrary task stack read on ARM64 (and x86) via /proc/$pid/stack.

tags | advisory, arbitrary, x86
systems | linux
MD5 | 7100e417a396e293988088f73c3b7c3a
Android current-fs Improper Locking
Posted Oct 8, 2018
Authored by Jann Horn, Google Security Research

Android sdcardfs changes current->fs without proper locking.

tags | exploit
advisories | CVE-2018-9515
MD5 | 30d07510d647a3e253ccd32f80cd1b03
Linux Kernel PTR Leak Via BPF
Posted Oct 5, 2018
Authored by Jann Horn, Google Security Research

The Linux kernel suffers from a ptr leak via BPF due to a broken subtraction check.

tags | exploit, kernel
systems | linux
MD5 | 3c1a45fa16b073a790adbcf32e65e7e7
Chrome OS /sbin/crash_reporter Symlink Traversal
Posted Oct 5, 2018
Authored by Jann Horn, Google Security Research

Chrome OS suffers from a /sbin/crash_reporter symlink traversal vulnerability.

tags | exploit
MD5 | c687c89c005c3b62a720e1c1f587693f
Debian/Ubuntu AppArmor evince Policy Bypass
Posted Oct 1, 2018
Authored by Jann Horn, Google Security Research

The Debian/Ubuntu AppArmor policy for evince is bypassable.

tags | exploit
systems | linux, debian, ubuntu
MD5 | 1b19708e83a1bfd77dfc118b056fc7ee
packet storm

© 2016 Packet Storm. All rights reserved.