Showing 51 - 75 of 194

Files from Jann Horn

Email address: jannh at google.com
First Active: 2013-03-14
Last Active: 2024-02-19
Android vold Unsafe Mounting
Posted Dec 2, 2021
Authored by Jann Horn, Google Security Research

Android's vold trusts paths supplied by system_server in its incremental-fs mounting APIs. There is supposed to be privilege separation between vold (part of the TCB) and system_server (a privileged process). However, vold's incremental-fs IPC handlers (mountIncFs, unmountIncFs, bindMount) accept semi-arbitrary paths from system_server, allowing system_server to trigger mounts on directories that should not be under its control.

tags | exploit, arbitrary
advisories | CVE-2022-20002
SHA-256 | 6308f611ecd07bd987f8455171c29a25eff87e81ccf2cc8daeca7812645ea262
Linux SO_PEERCRED / SO_PEERGROUPS Race Condition / Use-After-Free
Posted Nov 18, 2021
Authored by Jann Horn, Google Security Research

Linux suffered from a use-after-free read vulnerability related to an SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()). This has been addressed in stable versions 5.14.10, 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.4.288, and 4.9.286.

tags | exploit
systems | linux
SHA-256 | e9d2577d94228c65d76a056d879671aaba39469ae3acffd647bebed060eeeb31
Linux SELinux PTRACE_TRACEME Handler Use-After-Free
Posted Oct 26, 2021
Authored by Jann Horn, Google Security Research

Linux suffers from a use-after-free read in the SELinux handler for PTRACE_TRACEME.

tags | exploit
systems | linux
SHA-256 | 796440de4a29bc2603d127196092fc9ccdd7e9044bbb208b4660cc96ceeb0dcd
Tor Half-Closed Connection Stream Confusion
Posted Jul 15, 2021
Authored by Jann Horn, Google Security Research

Tor's half-closed connection tracking ignores layer_hint; as a result, entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between the OP and the exit.

tags | exploit, spoof
advisories | CVE-2021-34548
SHA-256 | 0544acc1f8cb71eaae260f7d2c03e6b0c3ebabe6b8549cd83018b8757f7db64a
ChromeOS arc-obb-mounter Missing Path Restriction
Posted Jun 14, 2021
Authored by Jann Horn, Google Security Research

ChromeOS suffers from a missing path restriction vulnerability in arc-obb-mounter.

tags | exploit
SHA-256 | 5a39171dc660d2c47df5696635fea0f20a0814593c67d9aa4f2ca1cf665e8660
Linux TIOCSPGRP Broken Locking
Posted Dec 22, 2020
Authored by Jann Horn, Google Security Research

Linux suffers from broken locking in TIOCSPGRP that can lead to a corrupted refcount.

tags | exploit
systems | linux
advisories | CVE-2020-29661
SHA-256 | 3d16d56ff43c2ab3355f19116f22e1a94fc89347899d1d2c15556ab0e4b4191b
Linux io_uring SUID Boundary Access Violation
Posted Dec 7, 2020
Authored by Jann Horn, Google Security Research

Linux io_uring suffers from mm and files access across setuid (SUID) binary boundaries.

tags | exploit
systems | linux
SHA-256 | 31c54d98daff1e1981a30c608516455dff4f229558f13e5503ad476e283c3e0f
udisks / Linux Kernel romfs Leakage
Posted Oct 2, 2020
Authored by Jann Horn, Google Security Research

udisks and the Linux kernel have a combined issue: udisks permits users to mount romfs images, and the kernel's romfs implementation leaks uninitialized memory to userspace.

tags | exploit, kernel
systems | linux
SHA-256 | 35a3fb65f205fc4d18eb799a00a5f48e0f59e4554d59a19758e3936768b1b633
Linux expand_downwards() / munmap() Race Condition
Posted Sep 14, 2020
Authored by Jann Horn, Google Security Research

A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.

tags | exploit, kernel
systems | linux
SHA-256 | 12c19d8bb64bc07c6c91f0dc616830116f9cf648c2c843890b7c779c318ceed4
Linux CoW Incorrect Access Grant
Posted Aug 25, 2020
Authored by Jann Horn, Google Security Research

A Linux copy-on-write issue can wrongly grant write access.

tags | exploit
systems | linux
SHA-256 | fb12dc1d9b3c3b8710974411c8e04357da6fc10cd0ae77c98600c7e8fdfa8813
Android App Zygotes Improper Guarding
Posted Aug 14, 2020
Authored by Jann Horn, Google Security Research

On Android, app zygotes do not properly guard against UID reuse attacks, leak AID_READPROC, and expose mlstrustedsubject.

tags | exploit
advisories | CVE-2020-0258
SHA-256 | 259e249f92035fcc7a0f05456a83799f739c985a9863269f49049822d3dfa37f
c-ares 1.16.0 Use-After-Free
Posted Aug 4, 2020
Authored by Jann Horn, Google Security Research

c-ares version 1.16.0 has an issue where ares_destroy() with pending ares_getaddrinfo() leads to a use-after-free condition.

tags | advisory
SHA-256 | 7dac05abea704e153870ceb3821b9fcf3b37ca198add02caa774bdda39438cd9
Linux 5.6 IORING_OP_MADVISE Race Condition
Posted May 8, 2020
Authored by Jann Horn, Google Security Research

Linux 5.6 has an issue with IORING_OP_MADVISE racing with coredumping.

tags | exploit
systems | linux
SHA-256 | 3d4ed25c006b4d44e2fc925724eb8ef4c383a536453c0793e4b5aa7eb8d74965
Linux futex+VFS Use-After-Free
Posted May 8, 2020
Authored by Jann Horn, Google Security Research

Linux futex+VFS suffers from an improper inode reference in get_futex_key() that causes a use-after-free if the superblock goes away.

tags | exploit
systems | linux
SHA-256 | 1f2f71584b62477d5804bbbbde1135bf3a474ccf5086c8de8d354737d3f45ec5
Linux Omitted TID Increment
Posted Apr 10, 2020
Authored by Jann Horn, Google Security Research

Linux has an issue where the SLUB bulk allocation slowpath omits a required TID increment.

tags | exploit
systems | linux
SHA-256 | 14cca69626f7eaf7a068b4d1e29e645abe5f5066bfb2ea4db2fa373a5b4f17a5
Linux 5.3 Insecure Root Path Handling
Posted Apr 10, 2020
Authored by Jann Horn, Google Security Research

Linux versions 5.3 and above appear to have an issue where io_uring suffers from insecure handling of the root directory for path lookups.

tags | exploit, root
systems | linux
SHA-256 | ed2dd2cbf35df24e9ba5bd981126270b47009603233e401d33e76fe529690153
Android Binder Use-After-Free
Posted Feb 24, 2020
Authored by Jann Horn, timwr, Maddie Stone, grant-h | Site metasploit.com

Android Binder use-after-free exploit.

tags | exploit
advisories | CVE-2019-2215
SHA-256 | 8311b9bec91595d2878834472570bf80e596b211d30a53cac581c4c7c5478c85
Samsung SEND_FILE_WITH_HEADER Use-After-Free
Posted Feb 12, 2020
Authored by Jann Horn, Google Security Research

Samsung suffers from a use-after-free vulnerability due to a missing lock in the SEND_FILE_WITH_HEADER handler in f_mtp_samsung.c.

tags | exploit
SHA-256 | ea573306aed9a22cf4e84307a09985e94b4983da700b10db9db6aea800e9e9aa
Samsung Kernel PROCA Use-After-Free / Double-Free
Posted Feb 12, 2020
Authored by Jann Horn, Google Security Research

The Samsung kernel has a logic bug and locking issues in PROCA that can lead to use-after-free and double-free conditions from an application's context.

tags | exploit, kernel
SHA-256 | a7e1e4d76f40e9e3e676716682ea5ddbdc59531377348afc082fea2a8f0e792a
Reliable Datagram Sockets (RDS) rds_atomic_free_op Privilege Escalation
Posted Jan 22, 2020
Authored by Brendan Coles, Jann Horn, Mohamed Ghannam, nstarke, wbowling | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted (the default), it will be loaded automatically. This exploit supports 64-bit Ubuntu Linux systems, including distributions based on Ubuntu, such as Linux Mint and Zorin OS. This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various 4.4 and 4.8 kernels.

tags | exploit, kernel, root
systems | linux, ubuntu
advisories | CVE-2018-5333, CVE-2019-9213
SHA-256 | 561f5de542c8d58118095440168a640aad5069622602f1d8eac2d963687098c9
Android ashmem Read-Only Bypasses
Posted Jan 10, 2020
Authored by Jann Horn, Google Security Research

Android suffers from ashmem read-only bypass vulnerabilities via remap_file_pages() and ASHMEM_UNPIN.

tags | exploit, vulnerability
advisories | CVE-2020-0009
SHA-256 | 689f8071ae95d70db5dd1910063463a8d8fb46ef07c27f4a5369f3a1700ddf3f
Linux sendmsg() Privilege Escalation
Posted Dec 16, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from a privilege escalation vulnerability via io_uring offload of sendmsg() onto a kernel thread running with kernel creds.

tags | exploit, kernel
systems | linux
advisories | CVE-2019-19241
SHA-256 | a834b29ddf4d2217f0c133698262209db2f3b93925e28fd750acde84f14c06eb
macOS update_dyld_shared_cache Privilege Escalation
Posted Nov 21, 2019
Authored by Jann Horn, Google Security Research

macOS suffers from an update_dyld_shared_cache privilege escalation vulnerability.

tags | exploit
SHA-256 | 07e51301d8683d6e39251cf95eaee6c25ac3c5aa9945b3f9d48ce358af325a02
Ubuntu shiftfs refcount Underflow / Type Confusion
Posted Nov 14, 2019
Authored by Jann Horn, Google Security Research

Ubuntu suffers from refcount underflow and type confusion vulnerabilities in shiftfs.

tags | exploit, vulnerability
systems | linux, ubuntu
advisories | CVE-2019-15793
SHA-256 | fc083eb6624e5af7dd882d1267361f52f304c19c1c96a185b84a12e9f221811d
Ubuntu ubuntu-aufs-modified mmap_region() Refcounting Issue
Posted Nov 12, 2019
Authored by Jann Horn, Google Security Research

Ubuntu suffers from an issue where the ubuntu-aufs-modified mmap_region() breaks refcounting in the overlayfs/shiftfs error path.

tags | exploit
systems | linux, ubuntu
advisories | CVE-2019-15794
SHA-256 | 6fd8ea0bfd5005c0587ede33931bd50267efbc08f87c7a08b67be5dac56165f1

© 2022 Packet Storm. All rights reserved.