Showing 1 - 25 of 1,667 files

Files from Google Security Research

First Active: 2000-02-18
Last Active: 2022-05-24

Zoom XMPP Stanza Smuggling Remote Code Execution
Posted May 24, 2022
Authored by Ivan Fratric, Google Security Research

This report describes a vulnerability chain that enables a malicious user to compromise another user over Zoom chat. User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat via the XMPP protocol. The initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between the XML parsers on Zoom's client and server in order to "smuggle" arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, turning this primitive into a man-in-the-middle attack. Finally, by intercepting and modifying client update requests and responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is used to bypass the signature check on the update installer. This attack has been demonstrated against the latest (5.9.3) client running on Windows 64-bit; however, some or all parts of the chain are likely applicable to other platforms.

tags | exploit, arbitrary, code execution, protocol
systems | windows
advisories | CVE-2022-22787, CVE-2022-25236
SHA-256 | c5835f3651ef4f351fdd27038787c6bd633712398f3562132cf3224e2a0a5e16

Linux USB Use-After-Free
Posted May 20, 2022
Authored by Jann Horn, Google Security Research

The Linux usbnet code tells minidrivers to unbind while the netdev is still up, causing use-after-free conditions.

tags | exploit
systems | linux
SHA-256 | 9cbdb1ccc149a355b2d267a848a75d3513d0e33cb89787801e49bf0110235f37

Chrome 100 extensions::ExtensionApiFrameIdMap::GetFrameId Heap Use-After-Free
Posted May 16, 2022
Authored by Google Security Research, Glazvunov

A use-after-free issue exists in Chrome 100 and earlier versions. A malicious extension can achieve arbitrary code execution in the browser process.

tags | exploit, arbitrary, code execution
advisories | CVE-2022-0972
SHA-256 | 595428413ed6af41648e85f12bfacfc4d3b4b659dea62dab16b66777c9ddb014

AppleVideoDecoder CreateHeaderBuffer Out-Of-Bounds Free
Posted May 12, 2022
Authored by Google Security Research, natashenka

AppleVideoDecoder suffers from an out-of-bounds free vulnerability. The attached video file contains a malformed HEVC Decoder Configuration Record that leads to an out-of-bounds free in CreateHeaderBuffer. When copying the VPS, PPS and SPS, the destination pointer is incremented; if the copied data is larger than the length specified in the input file, the loop breaks and falls through to a condition that frees the destination pointer, even though it has already been incremented. This could free the chunk allocated next to the destination memory.

tags | exploit
advisories | CVE-2022-22666
SHA-256 | a49f6411c8b8733ea1c031b562f4509169b737f83ae46d802b8cf4aed5bd1cb1

Linux PT_SUSPEND_SECCOMP Permission Bypass / Death Race
Posted May 9, 2022
Authored by Jann Horn, Google Security Research

Linux suffers from two bugs in PT_SUSPEND_SECCOMP. One allows for permission bypass and the other relates to a ptracer death race.

tags | exploit
systems | linux
SHA-256 | 090e7e5a723be850497afe230306c956241cce0eb429877bf07e8c0f06eb2a40

Chrome content::DisplayCutoutHostImpl::SendSafeAreaToFrame Use-After-Free
Posted May 9, 2022
Authored by Google Security Research, Glazvunov

A use-after-free issue exists in Chrome 100 and earlier versions. Processing maliciously crafted web content may lead to arbitrary code execution in the browser process.

tags | exploit, web, arbitrary, code execution
advisories | CVE-2022-0971
SHA-256 | 84b488e3a4db5db9d8a3df99b628eaaf0e1c8d462ed33ed2d967d6a09c443252

BlueZ Key Theft / bluetoothd Double-Free
Posted Apr 19, 2022
Authored by Jann Horn, Google Security Research

BlueZ suffers from a vulnerability where a malicious USB device can steal Bluetooth link keys over HCI using a fake BD_ADDR. It was also discovered that bluetoothd suffers from a double-free memory corruption flaw.

tags | exploit
SHA-256 | 8a1aa43e53f3253ec88afc78d193bedf1f90ff6d4fdbe4fc1be57e91906b1055

Linux FUSE Use-After-Free
Posted Apr 19, 2022
Authored by Jann Horn, Google Security Research

Linux suffers from a vulnerability where FUSE allows use-after-free reads of write() buffers, allowing theft of (partial) /etc/shadow hashes.

tags | exploit
systems | linux
advisories | CVE-2022-1011
SHA-256 | 2013a523f6140f5f94778f15578c0f1d52f0a0bddd81e46cc48963fbe8fd4efb

Linux watch_queue Filter Out-Of-Bounds Write
Posted Apr 19, 2022
Authored by Jann Horn, Google Security Research

The Linux watch_queue filter suffers from an out-of-bounds write vulnerability.

tags | exploit
systems | linux
advisories | CVE-2022-0995
SHA-256 | 48bdbb27c736f9c5dd12453993d4bc23ee38e3c25b3e23faef205b92dcf36f51

cmark-gfm Integer Overflow
Posted Apr 6, 2022
Authored by Google Security Research, Felix Wilhelm

cmark-gfm, GitHub's markdown parsing library, is vulnerable to an out-of-bounds write when parsing markdown tables with a high number of columns, due to an overflow of the 16-bit column count.

tags | exploit, overflow
advisories | CVE-2022-24724
SHA-256 | 27a5460a6816fd26f0145be9abc1875edcaf581344dee907385de97828a29203

Chrome DeserializeFromMessage Validation Issue
Posted Mar 31, 2022
Authored by Google Security Research, Glazvunov

Chrome has an issue where a malformed message sent to DeserializeFromMessage may trigger deserialization of out-of-bounds data.

tags | exploit
advisories | CVE-2022-0797
SHA-256 | f016c2cc33607e475f4fb0feaf3b97c31f557eea1cb21d5c1b76fc4fa4ad9003

Chrome safe_browsing::ThreatDetails::OnReceivedThreatDOMDetails Use-After-Free
Posted Mar 30, 2022
Authored by Google Security Research, Glazvunov

Chrome suffers from a heap use-after-free vulnerability in safe_browsing::ThreatDetails::OnReceivedThreatDOMDetails. Versions affected include Google Chrome 96.0.4664.110 (Official Build) (64-bit) and Chromium 99.0.4807.0 (Developer Build) (64-bit).

tags | exploit
advisories | CVE-2022-0289
SHA-256 | abc96b3ccb6e22768b4210d82c4a8f2e4acb93ed93b406ea11be905b7b11fd03

containerd Image Volume Insecure Handling
Posted Mar 24, 2022
Authored by Google Security Research, Felix Wilhelm

containerd suffers from an insecure handling vulnerability related to image volumes.

tags | exploit
advisories | CVE-2022-23648
SHA-256 | b48bfd4366814227d48303e9535b5ccfe89e805d02c9e299e3b73f9fe15bbda5

Linux ax88179_rx_fixup() Out-Of-Bounds Access
Posted Mar 21, 2022
Authored by Jann Horn, Google Security Research

In Linux, drivers/net/usb/ax88179_178a.c contains multiple out-of-bounds accesses in ax88179_rx_fixup(), the function responsible for taking a buffer received over USB and splitting it up into Ethernet packets.

tags | advisory
systems | linux
SHA-256 | d31f6a101db6dc5fd85ff3bf16404acb26c0969c2cd57cc1adc10f3d4419cf21

Chrome chrome_pdf::PDFiumEngine::RequestThumbnail Heap Buffer Overflow
Posted Mar 18, 2022
Authored by Google Security Research, Glazvunov

Chrome suffers from a heap buffer overflow vulnerability in chrome_pdf::PDFiumEngine::RequestThumbnail.

tags | exploit, overflow
advisories | CVE-2022-0306
SHA-256 | bd3fa3d2b549b50b402df051a6cd94824b4d90a629f0814051f738170796b1e5

Chrome HandleTable::AddDispatchersFromTransit Integer Overflow
Posted Mar 16, 2022
Authored by Google Security Research, Glazvunov

Chrome suffers from an integer overflow vulnerability in HandleTable::AddDispatchersFromTransit that can lead to memory corruption.

tags | exploit, overflow
advisories | CVE-2022-0608
SHA-256 | 0ef0d4da3c4dc9fb06483f95973add0c92d39c6c630ce2e22e5798641135e44a

Chrome RenderFrameHostImpl Use-After-Free
Posted Feb 21, 2022
Authored by Google Security Research, Glazvunov

Chrome suffers from a state tracking issue in RenderFrameHostImpl that leads to a use-after-free vulnerability.

tags | exploit
advisories | CVE-2022-0290
SHA-256 | d581673d0c71222578b61244ffc597f2d89dd9ee51ee889782cd5588f7d54bf9

Chrome storage::BlobBuilderFromStream Uninitialized On-Stack Pointer
Posted Feb 7, 2022
Authored by Google Security Research, Mark Brand

Chrome suffers from making use of an uninitialized on-stack pointer in storage::BlobBuilderFromStream.

tags | exploit
advisories | CVE-2022-0115
SHA-256 | 7508021fc3ad459f9d4a21d3d34a8201df4467cbbf9015fe49fb42a0ad822203

XNU Kernel mach_msg Use-After-Free
Posted Jan 24, 2022
Authored by Google Security Research, ianbeer

The XNU kernel suffers from a use-after-free vulnerability in mach_msg.

tags | exploit, kernel
advisories | CVE-2021-30949
SHA-256 | 2f6301f083bee339053850c19d2a821eb5bf15e94079651382aba5531646e6f1

Chrome IPC::ChannelAssociatedGroupController Memory Corruption
Posted Jan 13, 2022
Authored by Google Security Research, Glazvunov

Chrome suffers from a memory corruption vulnerability in IPC::ChannelAssociatedGroupController due to interface ID reuse.

tags | exploit
advisories | CVE-2021-4098
SHA-256 | 23b2104d82495d408d6c49e60967e71884e4e77854a1cebb576ccad92a937b92

Microsoft Windows EFSRPC Arbitrary File Upload / Privilege Escalation
Posted Jan 13, 2022
Authored by James Forshaw, Google Security Research

The EFSRPC service on Microsoft Windows Server versions 2019 and 2022 does not prevent a caller from specifying a local device path, allowing any authenticated user to upload arbitrary files to a server.

tags | exploit, arbitrary, local
systems | windows
advisories | CVE-2021-43893
SHA-256 | 69dcaa165fe62179a42fd16409e133c7034c05be0577fdf672a5a01f4c88b8f8

Apple ColorSync Out-Of-Bounds Read
Posted Jan 13, 2022
Authored by Google Security Research, mjurczyk

Apple ColorSync suffers from out-of-bounds read vulnerabilities due to integer overflows in curve table initialization.

tags | exploit, overflow, vulnerability
systems | apple
advisories | CVE-2021-30942
SHA-256 | 55736f35713879a403e9db74f555530baf0f44d465185f687162ed25742170f4

Linux Garbage Collection Memory Corruption
Posted Jan 10, 2022
Authored by Jann Horn, Google Security Research

Linux suffers from a memory corruption vulnerability in garbage collection, caused by resurrecting a file reference through RCU.

tags | exploit
systems | linux
advisories | CVE-2021-4083
SHA-256 | 638d1db3f45bcd59a8ce424b7eb6551bbe0ff49ecd4eb9c767f096560f4687de

Chrome storage::BlobURLStoreImpl::Revoke Heap Use-After-Free
Posted Jan 7, 2022
Authored by Google Security Research, Glazvunov

Chrome suffers from a heap use-after-free vulnerability in storage::BlobURLStoreImpl::Revoke.

tags | exploit
advisories | CVE-2021-4057
SHA-256 | 08933f6422b86ae33f009b22a331db75fb1ea7da60743243cb0e1fc0c82a0af2

XNU inm_merge Heap Use-After-Free
Posted Jan 6, 2022
Authored by Google Security Research, Glazvunov

XNU suffers from a heap use-after-free vulnerability in inm_merge.

tags | exploit
advisories | CVE-2021-30937
SHA-256 | 7157a72995dfa18e7979cab877bfb5645e4f20d9554478a6b0c26d6daae56123


© 2022 Packet Storm. All rights reserved.