Showing 51 - 75 of 97

Files from Jann Horn

Email address: jannhorn at googlemail.com
First Active: 2013-03-14
Last Active: 2019-02-15
Reading Privileged Memory With A Side-Channel
Posted Jan 4, 2018
Authored by Jann Horn, Google Security Research | Site googleprojectzero.blogspot.co.uk

This is the very thorough blog write-up discussing three variants of side-channel attacks that can be leveraged against CPU data cache timing.

tags | paper
advisories | CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
MD5 | 2363cefeef0652a5bd4abcd5e6ee4559
eBPF Arbitrary Read/Write Via Incorrect Range Tracking
Posted Dec 22, 2017
Authored by Jann Horn, Google Security Research

eBPF suffers from an arbitrary read and write vulnerability via incorrect range tracking.

tags | exploit, arbitrary
MD5 | ad6516e5054737ab0ef7abdefd3ba79b
macOS getrusage Stack Leak
Posted Dec 12, 2017
Authored by Jann Horn, Google Security Research

macOS suffers from a getrusage stack leak through struct padding.

tags | exploit
advisories | CVE-2017-13869
MD5 | 7b47e5940f3ef53d7ed82338cc4b4ae9
macOS necp_get_socket_attributes so_pcb Type Confusion
Posted Dec 12, 2017
Authored by Jann Horn, Google Security Research

macOS suffers from an so_pcb type confusion vulnerability in necp_get_socket_attributes.

tags | exploit
advisories | CVE-2017-13855
MD5 | 420bee1dc1be795e79cb3c03b5f47731
Linux mincore() Kernel Heap Page Disclosure
Posted Nov 25, 2017
Authored by Jann Horn, Google Security Research

Linux mincore() discloses uninitialized kernel heap pages. When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace.

tags | exploit, kernel
systems | linux
MD5 | bd34c6c3fcf525c4eeb4d8210cfb768c
Xen Unbounded Recursion In Pagetable De-Typing
Posted Oct 19, 2017
Authored by Jann Horn, Google Security Research

Xen allows pagetables of the same level to map each other as readonly in PV domains. This is useful if a guest wants to use the self-referential pagetable trick for easy access to pagetables by mapped virtual address.

tags | exploit
MD5 | 7b0613bdfa02a772faa0631e1daf6f95
Tor Linux Sandbox Breakout Via X11
Posted Sep 7, 2017
Authored by Jann Horn, Google Security Research

It appears that you can still talk to X11 outside of the Tor sandbox.

tags | exploit
MD5 | 21d81cf14e7577ac16e4401020dd33e8
Linux eBPF Verify Log Leak
Posted May 23, 2017
Authored by Jann Horn, Google Security Research

On Linux, the eBPF verifier log leaks the lower half of a map pointer.

tags | advisory
systems | linux
MD5 | 4dc6117fdf8c57334009b5e438357d7d
MacOS Raw Frame Pointers In Stackshot
Posted May 23, 2017
Authored by Jann Horn, Google Security Research

This is an issue on MacOS that allows un-entitled root to read kernel frame pointers, which might be useful in combination with a kernel memory corruption bug.

tags | exploit, kernel, root
advisories | CVE-2017-2516
MD5 | 5681e6a07ccbf5cc21fde6f5e3fa61b7
MacOS 32-Bit Syscall Exit Kernel Register Leak
Posted May 23, 2017
Authored by Jann Horn, Google Security Research

MacOS suffers from a kernel register leak via 32-bit syscall exit.

tags | exploit, kernel
advisories | CVE-2017-2509
MD5 | 843234a6ae86bbe1332e22a54aaa96c1
VMWare Workstation On Linux Privilege Escalation
Posted May 22, 2017
Authored by Jann Horn, Google Security Research

This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root privileges. The issue is that, for VMs with audio, the privileged VM host process loads libasound, which parses ALSA configuration files, including one at ~/.asoundrc. libasound is not designed to run in a setuid context and deliberately permits loading arbitrary shared libraries via dlopen().

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2017-4915
MD5 | 6cd7c22bba1395ea99fb53bce68676a2
Xen 64bit PV Guest Breakout Via Pagetable Use-After-Type-Change
Posted May 8, 2017
Authored by Jann Horn, Google Security Research

This is a bug in Xen that permits an attacker with control over the kernel of a 64bit X86 PV guest to write arbitrary entries into a live top-level pagetable.

tags | exploit, arbitrary, x86, kernel
MD5 | 5a144654a1b03c1ef898b305457a091d
VirtualBox Unprivileged Host User To Host Kernel Privilege Escalation
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from an unprivileged host user to host kernel privilege escalation via ALSA config.

tags | exploit, kernel
advisories | CVE-2017-3576
MD5 | dca9d69e8a8c16f4ac99724d454653cf
VirtualBox Guest-To-Host Out-Of-Bounds Write
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from a guest-to-host out-of-bounds write via virtio-net.

tags | advisory
advisories | CVE-2017-3575
MD5 | 0748ee091b775b94daca046bf551edc0
VirtualBox Host User To Host Kernel Privilege Escalation
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from an unprivileged host user to host kernel privilege escalation vulnerability via environment and ioctl.

tags | exploit, kernel
advisories | CVE-2017-3561
MD5 | 5f5257c0521f76504084b603e8ef11c6
VirtualBox Guest-To-Host Local Privilege Escalation
Posted Apr 19, 2017
Authored by Jann Horn, Google Security Research

VirtualBox suffers from a guest-to-host local privilege escalation vulnerability via broken length handling in slirp copy.

tags | exploit, local
advisories | CVE-2017-3558
MD5 | a88ca7fea026237f49504743f2ebd524
Xen memory_exchange() Guest Breakout
Posted Apr 10, 2017
Authored by Jann Horn, Google Security Research

Xen suffers from a broken check in memory_exchange() that permits a PV guest breakout.

tags | exploit
advisories | CVE-2017-7228
MD5 | aa31f251ac964d32a781e52a20d3824f
Samba Symlink Race Permits Opening Files
Posted Mar 27, 2017
Authored by Jann Horn, Google Security Research

Samba suffers from a symlink race that permits opening files outside of the share directory.

tags | exploit
advisories | CVE-2017-2619
MD5 | 25450779e8fb998831d9a67d898707d0
OpenSSH On Cygwin SFTP Client Directory Traversal
Posted Mar 22, 2017
Authored by Jann Horn, Google Security Research

Portable OpenSSH supports running on Cygwin. However, the SFTP client only filters out forward slashes (in do_lsreaddir()) and the directory names "." and ".." (in download_dir_internal()). On Windows, including in Cygwin, backslashes can also be used for directory traversal.

tags | exploit
systems | windows
MD5 | 2069de5aceb936104c15b6d7d812f974
QEMU User-To-Root Privilege Escalation
Posted Mar 21, 2017
Authored by Jann Horn, Google Security Research

QEMU suffers from a user-to-root privilege escalation vulnerability inside a VM due to bad translation caching.

tags | exploit, root
MD5 | d2fe6632aa725e7bac4947cf3b028786
VirtualBox VM Escape From Shared Folder
Posted Mar 13, 2017
Authored by Jann Horn, Google Security Research

There is a security issue in VirtualBox in the shared folder implementation that permits cooperating guests with write access to the same shared folder to gain access to the whole filesystem of the host, at least on Linux hosts.

tags | exploit
systems | linux
MD5 | 541c3c26ddce409486c3184fec42a9e9
QEMU Host Filesystem Arbitrary Access
Posted Feb 18, 2017
Authored by Jann Horn, Google Security Research

QEMU has an issue where virtfs permits a guest to access the entire host filesystem.

tags | advisory
advisories | CVE-2016-9602
MD5 | 44ce981c2743db060165adeb97c78a51
Google Chrome Download Filetype Blacklist Bypass
Posted Feb 18, 2017
Authored by Jann Horn, Google Security Research

Google Chrome suffers from a bypass vulnerability in the download filetype blacklist functionality. Version 54.0.2840.100 stable is affected.

tags | exploit, bypass
MD5 | ae38a5ec06fe60eb345dfdafae27e295
NTFS-3G Illicit Modprobe Execution
Posted Feb 13, 2017
Authored by Jann Horn, Google Security Research

NTFS-3G has an issue where modprobe is executed with an unsanitized environment.

tags | exploit
advisories | CVE-2017-0358
MD5 | 56fe6a30594a1a204f56abe6c2028df9
Git Private Repository Theft
Posted Feb 7, 2017
Authored by Jann Horn, Google Security Research

Git suffers from a private repository theft by mixing repositories.

tags | exploit
MD5 | 7eb39687a169f4ad7c83db8c4826034e