what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 101 - 125 of 194 RSS Feed

Files from Jann Horn

Email addressjannh at google.com
First Active2013-03-14
Last Active2024-02-19
Polkit Temporary Authentication Hijacking
Posted Jan 8, 2019
Authored by Jann Horn, Google Security Research

Polkit suffers from a temporary auth hijacking vulnerability via PID reuse and a non-atomic fork.

tags | exploit
SHA-256 | cda12b6164dcf7cc8e7788d38b12813f0f957ff6db104d4bad25b01f47fe046b
CUPS Weak Session Cookie Generation
Posted Dec 12, 2018
Authored by Jann Horn, Google Security Research

CUPS generates session cookies srandom(time(NULL)) and random() on Linux.

tags | advisory
systems | linux
advisories | CVE-2018-4700
SHA-256 | 3b69505f07ce22a5883565aef22b4c6989365de343f9d6a0d32ff53d8c0cdb06
Linux userfaultfd tmpfs File Permission Bypass
Posted Dec 12, 2018
Authored by Jann Horn, Google Security Research

Linux userfaultfd bypasses tmpfs file permissions.

tags | exploit
systems | linux
advisories | CVE-2018-18397
SHA-256 | 1b8d3ce7875318cd21ad32bec57be7ed660168064accdd2e8a8b60fc13d6aadf
Google Chrome 70.0.3538.77 Cross Site Scripting / Man-In-The-Middle
Posted Dec 11, 2018
Authored by Jann Horn, Google Security Research

Google Chrome version 70.0.3538.77 stable suffers from cross site scripting and man-in-the-middle vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 686c99bbb6418cc295a5495417a100d2846c41c5d5fb214b782fedc9a5df70c9
XNU POSIX Shared Memory Mapping Issue
Posted Dec 11, 2018
Authored by Jann Horn, Google Security Research

XNU POSIX has an issue where shared memory mapping have an incorrect maximum protection.

tags | exploit
advisories | CVE-2018-4435
SHA-256 | 184646768496bcb8df3d6995ff94b42fcf57e71d6591dd588a4cb6bbb6906ef1
Linux Nested User Namespace idmap Limit Local Privilege Escalation
Posted Nov 28, 2018
Authored by Brendan Coles, Jann Horn | Site metasploit.com

This Metasploit module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This Metasploit module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2018-18955
SHA-256 | c991b79ae898a222baf512ec75bc5ae786505466b71b6453fd873f6b5482343c
Linux Broken UID/GID Mapping
Posted Nov 16, 2018
Authored by Jann Horn, Google Security Research

Linux has a broken uid/gid mapping for nested user namespaces with greater than 5 ranges.

tags | exploit
systems | linux
advisories | CVE-2018-18955
SHA-256 | 53da54afe1913539df473ff36059802468d06980a436040ba7120c6c26f62627
gVisor runsc Guest -> Host Breakout Via Filesystem Cache Desync
Posted Oct 31, 2018
Authored by Jann Horn, Google Security Research

gVisor runsc suffers from a guest->host breakout via filsystem cache desync.

tags | advisory
SHA-256 | 84dc85244630be123fb4fe9e5458fa8f9c8b6b6f71755aa36a94074551a626e3
Linux mremap() TLB Flush Too Late
Posted Oct 29, 2018
Authored by Jann Horn, Google Security Research

Linux has an issue where mremap() performs a TLB flush too late with concurrent ftruncate().

tags | exploit
systems | linux
advisories | CVE-2018-18281
SHA-256 | 1d7a2b2f17f9389071731196edb3fe5f053e279a8809c199a21352f9cd90b984
Chrome OS Ancient unrar In CAP_SYS_ADMIN Context
Posted Oct 29, 2018
Authored by Jann Horn, Google Security Research

Chrome OS runs an ancient unrar in CAP_SYS_ADMIN context.

tags | advisory
SHA-256 | 6c47eeec17a92a7dddd947efe20d6c35cea27233a2be3ccff4e2ac591c94d089
Linux systemd Symlink Dereference Via chown_one()
Posted Oct 26, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from an issue with systemd where chown_one() can dereference symlinks.

tags | exploit
systems | linux
advisories | CVE-2018-15687
SHA-256 | d697c36e79f99a67f9cd338b7bd29e048c68c6bb76813a6a4825722f969d23a4
Linux systemd Line Splitting
Posted Oct 26, 2018
Authored by Jann Horn, Google Security Research

Linux has an issue with systemd where overlong input to fgets() during reexec state injection can lead to line splitting.

tags | exploit
systems | linux
advisories | CVE-2018-15686
SHA-256 | 440ee81db71b86c228b05c447f6dbf1f3757cd7acd272aee23964553ff0bf0b2
Chrome Debugger Extension API Is Too Powerful
Posted Oct 22, 2018
Authored by Jann Horn, Google Security Research

The Chrome debugger extension API appears to have more power than necessary, including the ability to bypass the check for disabled natives.

tags | advisory
SHA-256 | d16b876453d1e286e57dd44173ed43d091358a3d10ac1b0c64b89737298f389e
Linux BPF Verifier Failed Truncation
Posted Oct 18, 2018
Authored by Jann Horn, Google Security Research

The Linux BPF verifier has an issue where 32-bit RSH verification does not truncate input before the ALU op.

tags | advisory
systems | linux
advisories | CVE-2018-18445
SHA-256 | bd63997ae2acb84be7a1e8de8677be40bfb12f314579a9e60ee98b321c11a3a0
Linux Semi-Arbitrary Task Stack Read On ARM64 / x86
Posted Oct 18, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from a semi-arbitrary task stack read on ARM64 (and x86) via /proc/$pid/stack.

tags | advisory, arbitrary, x86
systems | linux
SHA-256 | aa57cf6a492d7f45505fa3498cb8e656f5d02f443b0cde3a3cb505708affcfc3
Android current-fs Improper Locking
Posted Oct 8, 2018
Authored by Jann Horn, Google Security Research

Android sdcardfs changes current->fs without proper locking.

tags | exploit
advisories | CVE-2018-9515
SHA-256 | 8d214a2b630981750d5c1762a10ef86a2a4ae621726bba9e014147f488f9c0f2
Linux Kernel PTR Leak Via BPF
Posted Oct 5, 2018
Authored by Jann Horn, Google Security Research

The Linux kernel suffers from a ptr leak via BPF due to a broken subtraction check.

tags | exploit, kernel
systems | linux
SHA-256 | d4223122e1ab1a77d32acc8af4e3ea5de0baa00f18f85d466df55a31d545bf23
Chrome OS /sbin/crash_reporter Symlink Traversal
Posted Oct 5, 2018
Authored by Jann Horn, Google Security Research

Chrome OS suffers from a /sbin/crash_reporter symlink traversal vulnerability.

tags | exploit
SHA-256 | 41e32bd294ce06037cae654ccff52add6f9d2e7cd27c6acfc1cf1da49939a2e6
Debian/Ubuntu AppArmor evince Policy Bypass
Posted Oct 1, 2018
Authored by Jann Horn, Google Security Research

The Debian/Ubuntu AppArmor policy for evince in bypassable.

tags | exploit
systems | linux, debian, ubuntu
SHA-256 | ff472c98cc21174fede936caa3bc63c6a799eee6f6a780c628bab6a7a80777c1
AppArmor Filesystem Blacklisting Bypass
Posted Sep 27, 2018
Authored by Jann Horn, Google Security Research

AppArmor has an issue where filesystem blacklisting can be bypassed by moving parents.

tags | exploit
SHA-256 | b2024aa06da618d87af0a264562f40bcd8ebfa1535eb007f2251a6df21367000
gVisor Pagetables Reuse
Posted Sep 27, 2018
Authored by Jann Horn, Google Security Research

gVisor reuses pagetables across levels without paging-structure invalidation.

tags | exploit
SHA-256 | 193fccefc5c977b91f16570534ba06f19e07ed6de291fdd9b2d2eeba79b56a70
Linux VMA Use-After-Free
Posted Sep 26, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from a VMA use-after-free vulnerability via a buggy vmacache_flush_all() fastpath.

tags | exploit
systems | linux
advisories | CVE-2018-17182
SHA-256 | e61f826cfebf3e7bf6eb9726e31779f1707a0644cc3e2a4e3c0865759d272ace
Linux dmesg Arbitrary Kernel Read
Posted Sep 13, 2018
Authored by Jann Horn, Google Security Research

Linux suffers from an arbitrary kernel read into dmesg via a missing address check in the segfault handler.

tags | advisory, arbitrary, kernel
systems | linux
SHA-256 | d3543609cf07f5bc3c6ff63fec8e66a77587ae2ca18d384c4afa15317c5fc42f
Chrome OS gRPC garcon Command Execution
Posted Sep 13, 2018
Authored by Jann Horn, Google Security Research

There is a variety of RPC communication channels between the Chrome OS host system and the crosvm guest. This bug report focuses on communication on TCP port 8889, which is used by the "garcon" service. garcon uses gRPC, which is an RPC protocol that sends protobufs over plaintext HTTP/2. (Other system components communicate with the VM over gRPC-over-vsock, but garcon uses gRPC-over-TCP.) For some command types, the TCP connection is initiated by the host; for others, it is initiated by the guest. Both guest and host are listening on [::]:8889; however, the iptables rules of the host prevent an outside host from simply connecting to those sockets. However, apps running on the host are not affected by such restrictions.

tags | exploit, web, tcp, protocol
SHA-256 | 9263536fa5f7e9451ac5165732e05e723c9b21083c0ec421bcbc98dfed2d7d49
Android Privilege Escalation
Posted Sep 11, 2018
Authored by Jann Horn, Google Security Research

Android suffers from a privilege escalation vulnerability in zygote that can be leveraged by CVE-2018-9445.

tags | exploit
advisories | CVE-2018-9445, CVE-2018-9488
SHA-256 | 07e2c94cf5dbc0bdc093f47b38ee2d8af3fbfc550336946724f110edbbd2295f
Page 5 of 8
Back34567Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close