Showing 76 - 100 of 194

Files from Jann Horn

Email address: jannh at google.com
First Active: 2013-03-14
Last Active: 2024-02-19
XNU Missing Locking Race Condition
Posted Nov 5, 2019
Authored by Jann Horn, Google Security Research

XNU has an issue where missing locking in checkdirs_callback() enables a race condition with fchdir_common().

tags | exploit
SHA-256 | 95a3930fb861862d1fc4d07fbe47e96c19c11dc95352a6bd0f5aaec35a64ddf7
Linux Polkit pkexec Helper PTRACE_TRACEME Local Root
Posted Oct 23, 2019
Authored by Brendan Coles, Jann Horn, timwr | Site metasploit.com

This Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.

tags | exploit, kernel, local, root
systems | linux
advisories | CVE-2019-13272
SHA-256 | 072effef6153caac38d664913a4c85d900178cc8a6bc497726bd11fee5a2a0bc
XNU Data Race Remote Double-Free
Posted Oct 7, 2019
Authored by Jann Horn, Google Security Research

XNU suffers from a remote double-free vulnerability due to a data race in IPComp input path.

tags | exploit, remote
advisories | CVE-2019-8717
SHA-256 | d2fc78044e01a775c566e0e02db2a7c5884a244d49e01e4d99427a7661199c8b
Linux show_numa_stats() Use-After-Free
Posted Aug 8, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from use-after-free read vulnerabilities in show_numa_stats().

tags | exploit, vulnerability
systems | linux
SHA-256 | 7daf0340da4a54780b2816f43fc842a167e5ce5eecd0e0c90c87101a262a8f9e
Linux PTRACE_TRACEME Broken Permission / Object Lifetime Handling
Posted Jul 16, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from broken permission and object lifetime handling for PTRACE_TRACEME.

tags | exploit
systems | linux
advisories | CVE-2019-13272
SHA-256 | 30dafcd01fe3416a51e40e4a4f49ab60f981e89f93b9635b6199d3e4fa21fde9
Google ChromeOS SafeSetID LSM Transitive Trust
Posted Jul 3, 2019
Authored by Jann Horn, Google Security Research

Google ChromeOS SafeSetID LSM suffers from privilege escalation vulnerabilities.

tags | advisory, vulnerability
SHA-256 | d249d4de09d46c55a0307f0dc5339f1d018313709dc668eae4f4e4959313d6b0
Linux Race Condition Use-After-Free
Posted Jun 20, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from a use-after-free via a race condition between modify_ldt() and #BR exception.

tags | exploit
systems | linux
SHA-256 | 1fcbfa390531a70742295db73f9e7ff8f089236459ea40c9adc0d8c41303b3d3
Qualcomm Android Kernel Use-After-Free
Posted May 29, 2019
Authored by Jann Horn, Google Security Research

The Qualcomm Android kernel suffers from a use-after-free vulnerability via an incorrect set_page_dirty() in KGSL.

tags | exploit, kernel
advisories | CVE-2019-10529
SHA-256 | d1eaf5eaeeac362ce563227b34a9b558decbd017fd35378e6adfac048ff8284f
Linux Missing Lockdown
Posted Apr 29, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from missing locking between the ELF coredump code and userfaultfd VMA modification.

tags | exploit
systems | linux
advisories | CVE-2019-11599
SHA-256 | 673a7d5b5c8c34c1c31d9a3eff1b04dbcf78b701cc9cca3e53ef0c155170313f
systemd DynamicUser SetUID Binary Creation
Posted Apr 25, 2019
Authored by Jann Horn, Google Security Research

This bug report describes a bug in systemd that allows a service with DynamicUser in collaboration with another service or user to create a setuid binary that can be used to access its UID beyond the lifetime of the service. This bug probably has relatively low severity, given that there are not many services yet that use DynamicUser, and the requirement of collaboration with another process limits the circumstances in which it would be useful to an attacker further; but in a system that makes heavy use of DynamicUser, it would probably have impact.

tags | exploit
advisories | CVE-2019-3844
SHA-256 | 064bbdd76f48df03346ba02e71f7b8230c92792ac615692d64f9d04ec97b425c
Linux Siemens R3964 Line Discipline Missing Lock
Posted Apr 23, 2019
Authored by Jann Horn, Google Security Research

The Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a few races around its ioctl handler; for example, the handler for R3964_ENABLE_SIGNALS just allocates and deletes elements in a linked list with zero locking. This code is reachable by an unprivileged user if the line discipline is enabled in the kernel config; Ubuntu 18.04, for example, ships this line discipline as a module.

tags | exploit, kernel
systems | linux, ubuntu
SHA-256 | a396888582339ffe59796c61b8e3097b97ece3e13bcd1b03ad7f6bb0490ef36d
Linux Overflow Via FUSE
Posted Apr 23, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from a page->_refcount overflow via FUSE with ~140GiB RAM usage.

tags | exploit, overflow
systems | linux
SHA-256 | 8f223059c2e0c5c532eddc4777ac58f752854b9d67abeac1f06d8d9bf6855b94
systemd Seat Verification Active Session Spoofing
Posted Apr 23, 2019
Authored by Jann Horn, Google Security Research

systemd suffers from a lack of seat verification in the PAM module and in turn permits the spoofing of an active session to polkit.

tags | exploit, spoof
advisories | CVE-2019-3842
SHA-256 | efa1f343df5f4bc0df38f6d33e7cbd58c47f076df86f9ef3d5559612c36b0a32
libseccomp Incorrect Compilation Of Arithmetic Comparisons
Posted Mar 18, 2019
Authored by Jann Horn, Google Security Research

libseccomp suffers from an issue where there are incorrect compilations of arithmetic comparisons.

tags | exploit
SHA-256 | dddc73c41f25c68017fa3018c96fe964b4326e43e6cabe8e18b658d2b9935a72
Linux Virtual Address 0 Mappable Via Privileged write()
Posted Mar 6, 2019
Authored by Jann Horn, Google Security Research

It was discovered that virtual address 0 is mappable via privileged write() to /proc/*/mem on Linux.

tags | exploit
systems | linux
advisories | CVE-2019-9213
SHA-256 | 304236f8a1050e3e16648cbdbb32b50ffb3020bab9e3c600151f688ea0e19fe3
Android getpidcon() ACL Bypass
Posted Mar 6, 2019
Authored by Jann Horn, Google Security Research

getpidcon() usage in hardware binder servicemanager on Android permits ACL bypass.

tags | exploit
advisories | CVE-2019-2023
SHA-256 | 08f452e1fd544b7af038c758a58f8c160ba8c63c0faeb7a4ea44ade0b02d4a65
Android Binder Use-After-Free
Posted Mar 6, 2019
Authored by Jann Horn, Google Security Research

Android suffers from a binder use-after-free via a racy initialization of ->allow_user_free.

tags | exploit
advisories | CVE-2019-2025
SHA-256 | 6742e2b4193d7750763a8c792e031aa30b53a3561c2c1e363288b3e13e7e73af
XNU Copy-On-Write Behavior Bypass
Posted Mar 1, 2019
Authored by Jann Horn, Google Security Research

XNU suffers from a copy-on-write behavior bypass via mount of user-owned filesystem image.

tags | exploit
SHA-256 | 1cbe8d9b00a17be65ba28a162ea9cc8b19a0075c2fd69b22351c86753940b808
Linux SNMP NAT Module Out-Of-Bounds Read/Write
Posted Feb 25, 2019
Authored by Jann Horn, Google Security Research

Linux suffers from out-of-bounds read and write vulnerabilities in the SNMP NAT module.

tags | exploit, vulnerability
systems | linux
SHA-256 | 7bd49b3bb3d086c38ebc75bb8575f700166986bda831d3c8b3ef390d3ddb262f
Android seccomp Filter Ptrace Hole
Posted Feb 19, 2019
Authored by Jann Horn, Google Security Research

On Android, a ptrace hole makes the seccomp filter useless on devices running a kernel version lower than 4.8.

tags | exploit, kernel
SHA-256 | 3e453d8a0b66eabf3fb14496e3b956eb35595602fa7cd46eabc06f12c2f17e88
Linux kvm_ioctl_create_device() Reference Flow Failure
Posted Feb 15, 2019
Authored by Jann Horn, Google Security Research

Linux kvm_ioctl_create_device() installs fd before taking reference.

tags | exploit
systems | linux
advisories | CVE-2019-6974
SHA-256 | 6033e3d8087f707cca80ae2b210063193f8832909919ef387c2905dae1a56a0d
Android Binder VMA Use-After-Free
Posted Feb 12, 2019
Authored by Jann Horn, Google Security Research

Android binder suffers from a use-after-free vulnerability in VMA via a race between reclaim and munmap.

tags | exploit
advisories | CVE-2019-1999
SHA-256 | 30e7b19cade88138c58960f0d7e5f5b18ba1d4a346ffb29b3faf11ceb745b600
Android Binder fdget() Optimization Use-After-Free
Posted Feb 12, 2019
Authored by Jann Horn, Google Security Research

Android binder suffers from a use-after-free vulnerability via fdget() optimization.

tags | exploit
advisories | CVE-2019-2000
SHA-256 | e1809748df02c9d09d6f4feddfb033fdc2a0eee3d38b0c8d9099f338a04d4eed
Linux Insufficient eBPF Spectre V1 Mitigation
Posted Feb 2, 2019
Authored by Jann Horn, Google Security Research

It has been discovered that the Linux eBPF Spectre v1 mitigation is insufficient.

tags | exploit
systems | linux
advisories | CVE-2019-7308
SHA-256 | 65b55f81ae1e297c2fa073eefef20c50eb4ccfe96285d46d743eed5b9ac99c78
XNU copy-on-write Behavior Bypass
Posted Jan 31, 2019
Authored by Jann Horn, Google Security Research

XNU suffers from a copy-on-write behavior bypass via partial-page truncation of file.

tags | exploit
advisories | CVE-2019-6208
SHA-256 | ce2ac26d2111768bdd27f895202eac13116d1f30581d7892e8a671a7f8ac55db
Page 4 of 8
© 2022 Packet Storm. All rights reserved.