Files from Jann Horn

Email address: jannhorn at googlemail.com
First Active: 2013-03-14
Last Active: 2019-03-18
OpenSSH On Cygwin SFTP Client Directory Traversal
Posted Mar 22, 2017
Authored by Jann Horn, Google Security Research

Portable OpenSSH supports running on Cygwin. However, the SFTP client only filters out forward slashes (in do_lsreaddir()) and the directory names "." and ".." (in download_dir_internal()). On Windows, including in Cygwin, backslashes can also be used for directory traversal.

tags | exploit
systems | windows
MD5 | 2069de5aceb936104c15b6d7d812f974
QEMU User-To-Root Privilege Escalation
Posted Mar 21, 2017
Authored by Jann Horn, Google Security Research

QEMU suffers from a user-to-root privilege escalation vulnerability inside a VM due to bad translation caching.

tags | exploit, root
MD5 | d2fe6632aa725e7bac4947cf3b028786
VirtualBox VM Escape From Shared Folder
Posted Mar 13, 2017
Authored by Jann Horn, Google Security Research

There is a security issue in VirtualBox in the shared folder implementation that permits cooperating guests with write access to the same shared folder to gain access to the whole filesystem of the host, at least on Linux hosts.

tags | exploit
systems | linux
MD5 | 541c3c26ddce409486c3184fec42a9e9
QEMU Host Filesystem Arbitrary Access
Posted Feb 18, 2017
Authored by Jann Horn, Google Security Research

QEMU has an issue where virtfs permits a guest to access the entire host filesystem.

tags | advisory
advisories | CVE-2016-9602
MD5 | 44ce981c2743db060165adeb97c78a51
Google Chrome Download Filetype Blacklist Bypass
Posted Feb 18, 2017
Authored by Jann Horn, Google Security Research

Google Chrome suffers from a bypass vulnerability in the download filetype blacklist functionality. Version 54.0.2840.100 stable is affected.

tags | exploit, bypass
MD5 | ae38a5ec06fe60eb345dfdafae27e295
NTFS-3G Illicit Modprobe Execution
Posted Feb 13, 2017
Authored by Jann Horn, Google Security Research

NTFS-3G has an issue where modprobe is executed with an unsanitized environment.

tags | exploit
advisories | CVE-2017-0358
MD5 | 56fe6a30594a1a204f56abe6c2028df9
Git Private Repository Theft
Posted Feb 7, 2017
Authored by Jann Horn, Google Security Research

Git suffers from a private repository theft by mixing repositories.

tags | exploit
MD5 | 7eb39687a169f4ad7c83db8c4826034e
CUPS DNS Rebinding Via Incorrect Whitelist
Posted Jan 24, 2017
Authored by Jann Horn, Google Security Research

CUPS suffers from an incorrect whitelist that permits DNS rebinding attacks.

tags | exploit
MD5 | 7df1d32ba8bccdc7acdb30f1aa7cd60d
OpenSSH Local Privilege Escalation
Posted Dec 23, 2016
Authored by Jann Horn, Google Security Research

OpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation is disabled, then on the server side, the forwarding is handled by a child of sshd that has root privileges. For TCP server sockets, sshd explicitly checks whether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if so, requires the client to authenticate as root. However, for UNIX domain sockets, no such security measures are implemented. This means that, using "ssh -L", an attacker who is permitted to log in as a normal user over SSH can effectively connect to non-abstract UNIX domain sockets with root privileges. On systems that run systemd, this can for example be exploited by asking systemd to add an LD_PRELOAD environment variable for all following daemon launches and then asking it to restart a daemon such as cron. The attached exploit demonstrates this: if it is executed on a system with systemd where the user is allowed to ssh to his own account and where privsep is disabled, it yields a root shell.

tags | exploit, shell, root, tcp
systems | unix
advisories | CVE-2016-10010
MD5 | b93e78906a304aa126934a6c44a6999b
OpenSSH Arbitrary Library Loading
Posted Dec 23, 2016
Authored by Jann Horn, Google Security Research

The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded. This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.

tags | exploit
advisories | CVE-2016-10009
MD5 | ab582fb557accdc7aabfd60bc38dfed3
Google Chrome Privilege Escalation
Posted Dec 22, 2016
Authored by Jann Horn, Google Security Research

Google Chrome suffers from a renderer->extension privilege escalation vulnerability via sync.

tags | advisory
MD5 | 34af5609484d280241a49041f9bb0f64
apt Repository Signing Bypass
Posted Dec 14, 2016
Authored by Jann Horn, Google Security Research

apt suffers from a repository signing bypass via memory allocation failure.

tags | exploit
advisories | CVE-2016-1252
MD5 | 7fe09c2346b03237428e53e88de533f6
Linux BPF Local Privilege Escalation
Posted Nov 14, 2016
Authored by h00die, Jann Horn | Site metasploit.com

Linux kernel versions 4.4 and above where CONFIG_BPF_SYSCALL is enabled and the kernel.unprivileged_bpf_disabled sysctl is not set to 1 allow for BPF to be abused for privilege escalation. Ubuntu 16.04 has all of these conditions met.

tags | exploit, kernel
systems | linux, ubuntu
advisories | CVE-2016-4557
MD5 | d6af6e643c3718f34bc403063f434ec1
Android Pointer Leak
Posted Oct 2, 2016
Authored by Jann Horn, Google Security Research

Android suffers from a pointer leak via insufficient binder message verification.

tags | exploit
MD5 | 2c65be36bddd12222ba4e9453022a4f4
Linux SELinux W+X AIO Protection Bypass
Posted Sep 23, 2016
Authored by Jann Horn, Google Security Research

SELinux suffers from a protection bypass that allows for a memory mapping that is both readable and writable.

tags | exploit
MD5 | 7504ac6a9c7f0acee4894caa1c5941fd
Android getpidcon Binder Service Replacement
Posted Sep 13, 2016
Authored by Jann Horn, Google Security Research

Android has an issue where racy getpidcon usage permits binder service replacement.

tags | exploit
MD5 | 1d342b5ad8073d0dbdff59d89b2162db
Android debuggerd Mitigation Bypass / Information Leak
Posted Sep 8, 2016
Authored by Jann Horn, Google Security Research

Android debuggerd was recently changed to drop privileges between attaching to a crashed process and dumping it to reduce its attack surface. The following issue allows that mitigation to be bypassed and also allows a privileged attacker (logcat access) to bypass userland ASLR.

tags | advisory
MD5 | 67683a60a52e3f5071f06ffcb5c74cda
Linux ARM/ARM64 perf_event_open() Arbitrary Memory Read
Posted Jul 28, 2016
Authored by Jann Horn, Google Security Research

Linux ARM/ARM64 architectures suffer from an arbitrary memory read vulnerability in perf_event_open().

tags | exploit, arbitrary
systems | linux
MD5 | 564d5867a559ec5e02a7022695aae0c1
PaX Reference Count Overflow Mitigation Bypass
Posted Jul 8, 2016
Authored by Jann Horn, Google Security Research

PaX contains a mitigation for reference count overflows that is intended to prevent atomic_t variables from reaching 0x80000000 and, more importantly, wrapping around to zero. A documented special case on x86 is that, because "atomically increment unless current value is X" cannot be implemented without a cmpxchg loop, the code instead increments the counter, checks for an overflow and, if an overflow happened, immediately decrements the counter back.

tags | exploit, overflow, x86
systems | linux
MD5 | e880c7eff8d7b6a8064df89a254883a5
Linux ecryptfs Stack Overflow
Posted Jun 20, 2016
Authored by Jann Horn, Google Security Research

There is a stack overflow in Linux via ecryptfs and /proc/$pid/environ.

tags | exploit, overflow
systems | linux
advisories | CVE-2016-1583
MD5 | b34d12184e35e91b435e7e57cffa274b
Linux double-fdput() Use-After-Free
Posted May 3, 2016
Authored by Jann Horn, Google Security Research

Linux 4.4 suffers from a use-after-free vulnerability in double-fdput().

tags | exploit
systems | linux
advisories | CVE-2016-4557
MD5 | dfd0a1c5e8fc8b444a14c6a1a6f6c484
Linux BPF Maps Reference Count Overflow
Posted May 3, 2016
Authored by Jann Horn, Google Security Research

Linux suffers from a reference count overflow using BPF maps.

tags | exploit, overflow
systems | linux
MD5 | e910d3a25817a9fb6a4cfca080ea791a
OpenSSH 6.8 X11 Security Bypass
Posted Jul 9, 2015
Authored by Jann Horn

OpenSSH versions 6.8 and below suffer from an issue where malicious servers, if a client connected to them using ssh -X, could connect to the SSH client's X server without being subject to X11 SECURITY restrictions.

tags | advisory
advisories | CVE-2015-5352
MD5 | 4c60e90b0d8c7b2007a46035bf95f83f
Flash Timing Side-Channel Data Exfiltration
Posted May 29, 2015
Authored by Jann Horn

Flash by design allows local SWF files to read arbitrary local files, but prevents communication with remote servers. By smuggling data through a timing side-channel, this can be circumvented, allowing local SWF files to exfiltrate the contents of arbitrary local files to the internet.

tags | exploit, remote, arbitrary, local
systems | linux
MD5 | bf466e892df822f79e5d6bdb528cc1cf
Android Privilege Escalation
Posted Nov 19, 2014
Authored by Jann Horn

In Android versions prior to 5.0, java.io.ObjectInputStream did not check whether the Object that is being deserialized is actually serializable. This means that when ObjectInputStream is used on untrusted inputs, an attacker can cause an instance of any class with a non-private parameterless constructor to be created. All fields of that instance can be set to arbitrary values. The malicious object will then typically either be ignored or cast to a type to which it doesn't fit, implying that no methods will be called on it and no data from it will be used. However, when it is collected by the GC, the GC will call the object's finalize method. Proof of concept code included.

tags | exploit, java, arbitrary, proof of concept
MD5 | a10b87e74671949b21111b5b65291122

© 2019 Packet Storm. All rights reserved.