Showing 1 - 25 of 1,614

Files from Google Security Research

First Active: 2000-02-18
Last Active: 2021-07-29
Microsoft Exchange AD Schema Misconfiguration Privilege Escalation
Posted Jul 29, 2021
Authored by James Forshaw, Google Security Research

The msExchStorageGroup schema class added during Exchange installation can be used to create almost any AD object including users, groups or domain trusts leading to elevation of privilege.

tags | exploit
advisories | CVE-2021-34470
MD5 | 5f885a87a9be3f10bfe9e9e4c08c923c
Microsoft Windows WFP Default Rules AppContainer Capability Bypass Privilege Escalation
Posted Jul 20, 2021
Authored by James Forshaw, Google Security Research

The default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.

tags | exploit, tcp
MD5 | 37069deaf47980f1a4c39f62bc13ce25
Tor Half-Closed Connection Stream Confusion
Posted Jul 15, 2021
Authored by Jann Horn, Google Security Research

Tor's half-closed connection tracking ignores layer_hint. Because of this, entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between the OP and the exit.

tags | exploit, spoof
advisories | CVE-2021-34548
MD5 | e8e6c45ee71383e0832c1cb3f3a8c903
Microsoft Windows CreateProcessWithLogon Write Restricted Service Privilege Escalation
Posted Jul 14, 2021
Authored by James Forshaw, Google Security Research

On Microsoft Windows, the CreateProcessWithLogon API can be used to escape a write-restricted service and obtain full write access as the service user.

tags | exploit
systems | windows
MD5 | 00f7a019dea4bf3a1d19442fae579890
XNU Network Stack Kernel Heap Overflow
Posted Jul 14, 2021
Authored by Google Security Research, ianbeer

XNU suffers from a network stack kernel heap overflow due to an out-of-bounds memmove in 6lowpan. Proof of concept code included.

tags | exploit, overflow, kernel, proof of concept
advisories | CVE-2020-9967, CVE-2021-30736
MD5 | 9333b7751aa7686ac0ca4c62a49c3d4e
MpEngine ASProtect Embedded Runtime DLL Memory Corruption
Posted Jul 8, 2021
Authored by Tavis Ormandy, Google Security Research

ASProtect embeds a runtime DLL that is susceptible to memory corruption. Crash testcase provided.

tags | exploit
advisories | CVE-2021-31985
MD5 | c5dfe0f9444bf0d36677505f5db2acdc
KVM nested_svm_vmrun Double Fetch
Posted Jun 30, 2021
Authored by Google Security Research, Felix Wilhelm

A KVM guest on AMD can launch an L2 guest without the Intercept VMRUN control bit by exploiting a TOCTOU vulnerability in nested_svm_vmrun. Executing vmrun from the L2 guest then triggers a second call to nested_svm_vmrun and corrupts svm->nested.hsave with data copied out of the L2 vmcb. For kernel versions that include the commit "2fcf4876: KVM: nSVM: implement on demand allocation of the nested state" (>=5.10), the guest can free the MSR permission bitmap in svm->nested.msrpm while it is still in use and gain unrestricted access to host MSRs.

tags | exploit, kernel
advisories | CVE-2021-29657
MD5 | 814987fd3e7902c83f77c7f4aa4a3585
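The entry above names the bug class, a double fetch: the hypervisor validates one copy of a guest-controlled control block and then reads guest memory again to use it, so anything the guest rewrites in between is never checked. The following is an added user-space illustration of that shape beside its single-fetch fix; it is not KVM code, and vmcb_like, hv_state, INTERCEPT_VMRUN and the race hook are simplified stand-ins chosen so the race reproduces deterministically instead of depending on timing.

```c
/*
 * Added illustration of the double-fetch (TOCTOU) pattern named in the
 * nested_svm_vmrun entry above. This is not KVM code: vmcb_like, hv_state,
 * INTERCEPT_VMRUN and the race hook are simplified stand-ins so the race can
 * be reproduced deterministically in user space.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INTERCEPT_VMRUN (1u << 0)   /* hypothetical control bit */

/* Control block that lives in guest-writable memory. */
struct vmcb_like {
    uint32_t intercepts;
    uint32_t payload;
};

/* Hypervisor-private state derived from the control block. */
struct hv_state {
    uint32_t active_intercepts;
    int launches;
};

/* Stand-in for the guest racing the hypervisor: invoked between the two
 * fetches instead of relying on a real concurrent vCPU. */
typedef void (*race_hook_t)(struct vmcb_like *guest_mem);

/* Vulnerable shape: validate one copy, then re-read guest memory for use.
 * Anything the guest changes between the two copies goes unchecked. */
int vmrun_double_fetch(struct vmcb_like *guest_mem, struct hv_state *hv,
                       race_hook_t between_fetches)
{
    struct vmcb_like checked;
    memcpy(&checked, guest_mem, sizeof checked);       /* fetch 1: check */
    if (!(checked.intercepts & INTERCEPT_VMRUN))
        return -1;                                      /* rejected */

    if (between_fetches)
        between_fetches(guest_mem);                     /* guest rewrites */

    struct vmcb_like used;
    memcpy(&used, guest_mem, sizeof used);              /* fetch 2: use */
    hv->active_intercepts = used.intercepts;            /* never validated */
    hv->launches++;
    return 0;
}

/* Hardened shape: copy once into private memory, then check and use that
 * same copy; later guest writes cannot influence the decision. */
int vmrun_single_fetch(struct vmcb_like *guest_mem, struct hv_state *hv,
                       race_hook_t between_fetches)
{
    struct vmcb_like priv;
    memcpy(&priv, guest_mem, sizeof priv);              /* the only fetch */
    if (!(priv.intercepts & INTERCEPT_VMRUN))
        return -1;

    if (between_fetches)
        between_fetches(guest_mem);                     /* no effect on priv */

    hv->active_intercepts = priv.intercepts;
    hv->launches++;
    return 0;
}

/* The racing guest: clear the intercept once the check has passed. */
static void clear_vmrun_intercept(struct vmcb_like *m)
{
    m->intercepts &= ~INTERCEPT_VMRUN;
}

/* Runs one launch through either path. Returns 1 if the hypervisor ended up
 * enforcing the VMRUN intercept, 0 if the guest stripped it, -1 if the
 * launch was rejected outright. */
int run_launch(int hardened)
{
    struct vmcb_like mem = { INTERCEPT_VMRUN | 0x10, 42 };   /* constructed */
    struct hv_state hv = { 0, 0 };
    int rc = hardened
        ? vmrun_single_fetch(&mem, &hv, clear_vmrun_intercept)
        : vmrun_double_fetch(&mem, &hv, clear_vmrun_intercept);
    if (rc != 0)
        return -1;
    return (hv.active_intercepts & INTERCEPT_VMRUN) ? 1 : 0;
}

int main(void)
{
    printf("double fetch: intercept enforced = %d\n", run_launch(0));
    printf("single fetch: intercept enforced = %d\n", run_launch(1));
    return 0;
}
```

The fix is not "check harder" but "stop re-reading": every value a later decision depends on has to come from the copy that was validated, which is the same discipline the kernel applies to any user- or guest-supplied structure.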
Microsoft Windows Filtering Platform Token Access Check Privilege Escalation
Posted Jun 23, 2021
Authored by James Forshaw, Google Security Research

The Windows Filtering Platform does not verify the token impersonation level when checking filters allowing the bypass of firewall rules leading to elevation of privilege.

tags | exploit
systems | windows
advisories | CVE-2021-31970
MD5 | 982aa6db9c233f089f2999f0cd8711c3
Fedora / Gnome fscaps Issue
Posted Jun 22, 2021
Authored by Tavis Ormandy, Google Security Research

Fedora with Gnome does not use fscaps (file capabilities) safely.

tags | exploit
systems | linux, fedora
MD5 | 137193ebd7236c05c0e162358341652e
Windows Kerberos AppContainer Enterprise Authentication Capability Bypass
Posted Jun 17, 2021
Authored by James Forshaw, Google Security Research

Kerberos supports a security buffer that sets the target SPN of a ticket, bypassing the SPN check in LSASS.

tags | exploit
advisories | CVE-2021-26414, CVE-2021-31962
MD5 | 3ff870010a0eb4e32567d271f6a816ba
Samsung NPU npu_session_format Out-Of-Bounds Write
Posted Jun 17, 2021
Authored by Google Security Research, hawkes

Samsung NPU (Neural Processing Unit) suffers from an out-of-bounds write vulnerability in npu_session_format.

tags | exploit
advisories | CVE-2021-25407
MD5 | 1d07a468d88f6847215bbd10504dbcf2
ChromeOS arc-obb-mounter Missing Path Restriction
Posted Jun 14, 2021
Authored by Jann Horn, Google Security Research

ChromeOS suffers from a missing path restriction vulnerability in arc-obb-mounter.

tags | exploit
MD5 | d37b7a8eceb81455f4119e17205b9635
Chrome SandboxedUnpacker Unsafe Shared Memory Use
Posted Jun 14, 2021
Authored by Google Security Research, Mark Brand

SandboxedUnpacker in Chrome uses shared memory in an unsafe fashion.

tags | advisory
MD5 | c1b37408c40a92f21b1c5a084fa55b6c
Internet Explorer jscript9.dll Memory Corruption
Posted Jun 9, 2021
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in jscript9 that could potentially be exploited to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2020-1380, CVE-2021-31959
MD5 | 7bf1477df1aec690e996f9ebbce9b10c
Chrome Legacy ipc::Message Passed Via Shared Memory
Posted Jun 4, 2021
Authored by Google Security Research, Mark Brand

In the Mojo implementation of Chrome's legacy IPC, the legacy ipc::Message type is transferred inside a BigBuffer.

tags | exploit
advisories | CVE-2021-21198
MD5 | 1875fce290dce6b3abaf92746666dafa
QT TIFF Processing Heap Overflow
Posted Jun 4, 2021
Authored by Google Security Research, natashenka

There is a heap corruption bug that can occur when QT processes a malformed TIFF image. It happens because the size of the QImageData backing the image is calculated from the format of the image, whereas TIFFReadScanline calculates the length to be read from TIFFScanlineSize, which determines the size based on three tags in the TIFF file: width, samples per pixel and bits per sample. When the two disagree, a scanline can be larger than the row it is written into.

tags | exploit
MD5 | 1a0ad550a77bf87e59f4c4f358cae2f2
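The consistency check that the entry above implies, as an added example: the destination row size is derived from the image format, the scanline size from the TIFF tags, and the decoder must refuse the file when the second exceeds the first. This is not Qt or libtiff code; img_format and its bytes-per-pixel table are assumed stand-ins, and tiff_scanline_size only follows the width, samples-per-pixel and bits-per-sample relationship the entry names.

```c
/*
 * Added illustration of the size mismatch described in the QT TIFF entry
 * above. This is not Qt or libtiff code: img_format and its bytes-per-pixel
 * table are assumed stand-ins, and tiff_scanline_size follows the
 * width * samples-per-pixel * bits-per-sample relationship the entry names.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

enum img_format { FMT_RGB32, FMT_GRAY8, FMT_MONO };

/* Row size the destination image allocates, derived from the format alone
 * (assumed: 4 bytes, 1 byte and 1 bit per pixel respectively). */
size_t dest_bytes_per_line(enum img_format fmt, uint32_t width)
{
    switch (fmt) {
    case FMT_RGB32: return (size_t)width * 4;
    case FMT_GRAY8: return (size_t)width;
    case FMT_MONO:  return ((size_t)width + 7) / 8;
    }
    return 0;
}

/* Row size the TIFF reader will write, derived from the file's tags alone. */
size_t tiff_scanline_size(uint32_t width, uint16_t spp, uint16_t bps)
{
    uint64_t bits = (uint64_t)width * spp * bps;
    return (size_t)((bits + 7) / 8);
}

/* The missing check: the row the reader produces must fit the row the
 * image owns. Returns 0 when it fits, -1 when a scanline read would
 * overrun the destination row. */
int check_scanline_fits(enum img_format fmt, uint32_t width,
                        uint16_t spp, uint16_t bps)
{
    size_t have = dest_bytes_per_line(fmt, width);
    size_t need = tiff_scanline_size(width, spp, bps);
    return need <= have ? 0 : -1;
}

/* Simulated decode: allocate rows from the format, fill each row with a
 * scanline sized from the tags, but only after the check above passes.
 * Returns the number of rows written, or -1 if the image was rejected. */
int decode_rows(enum img_format fmt, uint32_t width, uint32_t height,
                uint16_t spp, uint16_t bps)
{
    if (check_scanline_fits(fmt, width, spp, bps) != 0)
        return -1;
    size_t bpl = dest_bytes_per_line(fmt, width);
    size_t scan = tiff_scanline_size(width, spp, bps);
    uint8_t *pixels = calloc(height, bpl);
    if (!pixels)
        return -1;
    for (uint32_t row = 0; row < height; row++)
        memset(pixels + (size_t)row * bpl, 0xAB, scan);  /* scan <= bpl */
    free(pixels);
    return (int)height;
}

int main(void)
{
    /* Constructed tag sets: 4 px wide, 3 samples of 16 bits is 24 bytes per
     * scanline, but an RGB32 row is only 16 bytes. */
    printf("RGB32 4px, spp=3 bps=16: %s\n",
           check_scanline_fits(FMT_RGB32, 4, 3, 16) == 0 ? "fits" : "rejected");
    printf("RGB32 4px, spp=3 bps=8:  %s\n",
           check_scanline_fits(FMT_RGB32, 4, 3, 8) == 0 ? "fits" : "rejected");
    return 0;
}
```

The two sizes come from independent inputs (the caller's chosen format and the attacker's file), so neither can be trusted to bound the other; the decoder has to compare them explicitly before the first scanline is read.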
Gstreamer Matroska Demuxing Use-After-Free
Posted Jun 3, 2021
Authored by Google Security Research, natashenka

Gstreamer suffers from a use-after-free vulnerability in Matroska demuxing.

tags | exploit
advisories | CVE-2021-3498
MD5 | 8295d83b0f5ff21a0ba7ec7f666eeee2
QT PNG ICC Processing Out-Of-Bounds Read
Posted May 27, 2021
Authored by Google Security Research, natashenka

The QImage class can read out-of-bounds when reading a specially-crafted PNG file, where a tag byte offset goes out of bounds. This could potentially allow an attacker to determine values in memory based on the QImage pixels, if QT is used to process untrusted images.

tags | exploit
MD5 | 26119d4fbb3aaf3d523b1a23162d477b
QT TIFF Processing Out-Of-Bounds Read
Posted May 25, 2021
Authored by Google Security Research, natashenka

The QImageReader class can read out-of-bounds when converting a specially-crafted TIFF file into a QImage, where the TIFF tile length is inconsistent with the tile size. This could potentially allow an attacker to determine values in memory based on the QImage pixels, if QT is used to process untrusted images.

tags | exploit
MD5 | 5ab17349daeac6651bf3ab6ee0c7fee9
Chrome Array Transfer Bypass
Posted May 14, 2021
Authored by Google Security Research, Glazvunov

The fix for CVE-2021-21148 has added a check in |ValueSerializer::WriteJSArrayBuffer| to make sure non-detachable array buffers cannot be transferred. The check can be bypassed with the help of asm.js and property getters.

tags | exploit
advisories | CVE-2021-21148, CVE-2021-21156
MD5 | 2c54899cf0b5cf9ab027a5329061b62e
Internet Explorer jscript9.dll Memory Corruption
Posted May 13, 2021
Authored by Ivan Fratric, Google Security Research

There is a vulnerability in jscript9 that could be potentially used by an attacker to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2021-26419
MD5 | 50dcfd05a094914cf819e98d3f2de507
Windows Container Manager Service CmsRpcSrv_MapNamedPipeToContainer Privilege Escalation
Posted May 12, 2021
Authored by James Forshaw, Google Security Research

The Container Manager Service does not configure STORVSP correctly when opening mapped named pipes leading to privilege escalation.

tags | exploit
advisories | CVE-2021-31167
MD5 | 970b0826e9c53e62fb981f362a8095f7
Windows Container Manager Service Arbitrary Object Directory Creation Privilege Escalation
Posted May 12, 2021
Authored by James Forshaw, Google Security Research

The Container Manager Service creates an AppContainer process without impersonating the access token leading to privilege escalation.

tags | exploit
advisories | CVE-2021-31169
MD5 | ad4654c8ed7054c3225224811ba94b15
Windows Container Manager Service CmsRpcSrv_MapVirtualDiskToContainer Privilege Escalation
Posted May 12, 2021
Authored by James Forshaw, Google Security Research

The Container Manager Service does not impersonate the caller when granting access to virtual disk images leading to privilege escalation.

tags | exploit
advisories | CVE-2021-31168
MD5 | ae8247dda745d9d8d6c85bfb03878028
Windows Container Manager Service CmsRpcSrv_CreateContainer Privilege Escalation
Posted May 12, 2021
Authored by James Forshaw, Google Security Research

The Container Manager Service accepts an access token provided by the user without verification allowing an arbitrary process to be created with another user identity leading to privilege escalation.

tags | exploit, arbitrary
advisories | CVE-2021-31165
MD5 | 12c1abb8e71fc62e306c9bc1dea254d3
Page 1 of 65
packet storm

© 2020 Packet Storm. All rights reserved.