what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 1,755 RSS Feed

Files from Google Security Research

First Active2000-02-18
Last Active2023-01-18
Chrome JSNativeContextSpecialization::BuildElementAccess Bypass
Posted Jan 18, 2023
Authored by Google Security Research, Glazvunov

Chrome suffers from a copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess.

tags | exploit
SHA-256 | e557b72be711db4993d6e8b8912d3a2b8d46fe92a763b730da3097b4ad6eb837
XNU vm_map_copy_overwrite_unaligned Race Condition
Posted Jan 17, 2023
Authored by Google Security Research, Ian Beer

A XNU race condition in vm_map_copy_overwrite_unaligned allows writing to read-only mappings.

tags | exploit
advisories | CVE-2022-46689
SHA-256 | d28599b3adaf36ddb22cc63b493aedbe6d4bd9c80ab19441c0799cf163fd9d83
XNU VM Copy-On-Write Bypass
Posted Jan 17, 2023
Authored by Google Security Research, Ian Beer

XNU VM suffers from a copy-on-write bypass vulnerability due to incorrect shadow creation logic used during unaligned vm_map_copy operations.

tags | exploit, bypass
advisories | CVE-2022-46689
SHA-256 | 5a1b882267ecf571c7ea7314e620f51e45be202a17fa7c8a02fcea5a7a5b3641
libCoreEntitlements CEContextQuery Arbitrary Entitlement Returns
Posted Jan 13, 2023
Authored by Ivan Fratric, Google Security Research

On newer macOS/iOS versions, entitlements in binary signature blobs are stored in the DER format. libCoreEntitlements.dylib is the userspace library for parsing and querying such entitlements. The kernel has its own version of this library inside the AppleMobileFileIntegrity module. libCoreEntitlements exposes several functions, such as, for example, to convert entitlements to a dictionary representation (e.g. CEQueryContextToCFDictionary) or to query a specific entitlement (CEContextQuery). Unfortunately, different functions traverse the DER structure in a subtly different way, which allows one API to see one set of entitlements and another API to see a different set of entitlements.

tags | exploit, kernel
systems | apple, ios
advisories | CVE-2022-42855
SHA-256 | 9313c983a56ba7500d8b9861b16b1c103ae3a9454de12a836126f89cec59a1b8
WebKit CSSCrossfadeValue::crossfadeChanged Use-After-Free
Posted Jan 13, 2023
Authored by Google Security Research, Maddie Stone

WebKit suffers from a RenderMathMLToken use-after-free vulnerability in CSSCrossfadeValue::crossfadeChanged.

tags | exploit
SHA-256 | 2b3fca29e24705325c2e8f69792ec1fc6a23682a01cfd1f0ecc2b118ac3f4ef8
Windows Kernel NtNotifyChangeMultipleKeys Use-After-Free
Posted Jan 12, 2023
Authored by Google Security Research, mjurczyk

The Windows Kernel suffers from a use-after-free vulnerability due to bad handling of predefined keys in NtNotifyChangeMultipleKeys.

tags | exploit, kernel
systems | windows
advisories | CVE-2022-44683
SHA-256 | e31318a053707141296573a167ad796cc33514ff394bc3820404fedfd9233256
Linux khugepaged Race Conditions
Posted Jan 11, 2023
Authored by Jann Horn, Google Security Research

khugepaged on Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.

tags | exploit
systems | linux
SHA-256 | 4a7e3cd6f113b1a612bf06b09dde29c3da416e1312821de9fb2c055f4fb2c180
Linux 4.10 Use-After-Free
Posted Jan 10, 2023
Authored by Jann Horn, Google Security Research

Linux kernel version 4.10 suffers from a use-after-free vulnerability in __do_semtimedop() due to a lockless check outside the RCU section.

tags | exploit, kernel
systems | linux
SHA-256 | 07d8df8e54828f8f33482f1bf22aa6ffd633c656b7301bc40395e4379d31e449
Arm Mali CSF KBASE_REG_NO_USER_FREE Unsafe Use Use-After-Free
Posted Jan 10, 2023
Authored by Jann Horn, Google Security Research

The Mali driver tries to use the KBASE_REG_NO_USER_FREE flag to ensure that the memory region referenced by kbase_csf_tiler_heap::buf_desc_reg cannot be freed by userspace. However, this flag is only a single bit, and there can be multiple tiler heaps referencing the same memory region. This can lead to a use-after-free condition.

tags | exploit
advisories | CVE-2022-42716
SHA-256 | b873567924105769f827e9318b7b58298191410905a58cc3d3192c6ce29f3225
Linux videobuf2 Use-After-Free
Posted Jan 9, 2023
Authored by Google Security Research, Seth Jenkins

A vb2_mmap race with vb2_core_reqbufs leads to a use-after-free vulnerability in the Linux videobuf2 system.

tags | exploit
systems | linux
SHA-256 | d61a2203442211de402e6420b838d2d46c53994de2af84b1f343bfe1d3ad0231
Linux videobuf2 Use-After-Free
Posted Jan 6, 2023
Authored by Google Security Research, Seth Jenkins

An unsafe use of follow_pfn in get_vaddr_frames in videobuf2 on Linux leads to use-after-free issues or writes to ro-pages.

tags | exploit
systems | linux
SHA-256 | f545295793aea2d033e2e1720bb35ac7db855bcaa8fafcd55848d3dffe8ce90b
Linux PT_SUSPEND_SECCOMP Permission Bypass / Ptracer Death Race
Posted Jan 3, 2023
Authored by Jann Horn, Google Security Research

Linux suffers from two seccomp bugs with a PT_SUSPEND_SECCOMP permission bypass and ptracer death race condition.

tags | exploit
systems | linux
advisories | CVE-2022-30594
SHA-256 | 6d7f253f354c0c71a5692bbeb6bcd2a20b50e96fc05afeda0286131716d7b406
Chrome Synchronous Mojo Use-After-Free
Posted Jan 2, 2023
Authored by Google Security Research, Glazvunov

A design flaw in the Chrome Synchronous Mojo message handling introduces unexpected reentrancy and allows for multiple use-after-free vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2022-4178
SHA-256 | 8a4497a8ccb25f14e2dfe008e25cc2f2541b2d1e30345fff6f3169f4cac5313d
crewjam/saml Signature Bypass
Posted Jan 2, 2023
Authored by Google Security Research, Felix Wilhelm

The crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.

tags | exploit
advisories | CVE-2022-41912
SHA-256 | b98f26482dd59c89089a43c62936c2461318247bab55a7aaca8bb5e77ff8ba10
Windows HTTP.SYS Kerberos PAC Verification Bypass / Privilege Escalation
Posted Dec 8, 2022
Authored by James Forshaw, Google Security Research

The HTTP server implemented in HTTP.SYS on Windows handles authentication in a system thread which bypasses PAC verification leading to escalation of privilege.

tags | exploit, web
systems | windows
advisories | CVE-2022-35756, CVE-2022-41057
SHA-256 | 73ffca14ecbbd49fef40fa8d7691f553f1cd6ed289aaa1f61656fcd866416f5a
pixman pixman_sample_floor_y Integer Overflow
Posted Dec 7, 2022
Authored by Google Security Research

pixman versions prior to 0.42.2 suffer from an out-of-bounds write vulnerability in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.

tags | exploit, overflow
advisories | CVE-2022-44638
SHA-256 | e8d1ce418867fdf8b59910f6c8d388ea1ee007702037ba0202790a597b53fd71
Evernote Web Clipper Same-Origin Policy Bypass
Posted Dec 6, 2022
Authored by Tavis Ormandy, Google Security Research

Evernote Web Clipper suffered from a same-origin policy bypass vulnerability. The link to the demo exploit was a 403 at the time of addition and has not been included in this post.

tags | advisory, web, bypass
SHA-256 | edeb6d56c9d50dfe6a6599592c18c494c4d5dc6ad6ea545586270e0e19511589
Chrome blink::LocalFrameView::PerformLayout Use-After-Free
Posted Nov 25, 2022
Authored by Google Security Research, Glazvunov

Chrome suffers from a heap use-after-free vulnerability in blink::LocalFrameView::PerformLayout due to an incomplete fix for CVE-2022-3199.

tags | exploit
advisories | CVE-2022-3199, CVE-2022-3654
SHA-256 | ede5dbd6ee9c5895a1b02c8bc6cefd5dfe9adef84fd2fceb45bd3140cd0fa16b
XNU vm_object Use-After-Free
Posted Nov 25, 2022
Authored by Google Security Research, Ian Beer

XNU suffers from a vm_object use-after-free vulnerability due to invalid error handling in vm_map_enter.

tags | exploit
advisories | CVE-2022-42801
SHA-256 | 5ef6c77b173e377d874346d025662d6a74af50dd2789a4af20f0430f362f87df
XNU Dangling PTE Entry
Posted Nov 25, 2022
Authored by Google Security Research, Ian Beer

XNU suffers from a dangling PTE entry due to integer truncation when collapsing vm_object shadow chains.

tags | exploit
advisories | CVE-2022-32924
SHA-256 | 29e4042cd9a0b7666d0b7fda5c45703a1a078adf7f5202670b30f28e36559698
AppleAVD AppleAVDUserClient::decodeFrameFig Memory Corruption
Posted Nov 18, 2022
Authored by Google Security Research, natashenka

In the function AppleAVDUserClient::decodeFrameFig, a location in the decoder's IOSurface input buffer is calculated, and then bzero is called on it. The size of this IOSurface's allocation is controllable by the userspace caller, so the calculated pointer can go out of bounds, leading to memory corruption. This issue could potentially allow an unprivileged local application to escalate its privileges to the kernel.

tags | exploit, kernel, local
advisories | CVE-2022-32907
SHA-256 | a9f971c8dcec3381b92b6bafb61fc99c1b1da326eec460ede2682c51580f3f3e
AppleAVD deallocateKernelMemoryInternal Missing Surface Lock
Posted Nov 18, 2022
Authored by Google Security Research, natashenka

In AppleAVD.kext, pixel buffers are mapped by calling AppleAVDUserClient::_mapPixelBuffer, which eventually calls AppleAVD::allocateKernelMemoryInternal. If the buffer is an IOSurface, the function calls IOSurface::deviceLockSurface before allocating memory by calling prepare. But when a pixel buffer is unmapped by calling AppleAVDUserClient::_unmapPixelBuffer, which calls AppleAVD::deallocateKernelMemoryInternal, the IOSurface is not locked before calling complete. This means that mapping and unmapping can occur at the same time, leading to kernel memory corruption. This bug could allow escalation to kernel privileges from a local app.

tags | exploit, kernel, local
advisories | CVE-2022-32827
SHA-256 | fa06dd34c9fcfaf9f03c6a70c7fd7fc078ff6872d40e76e3295731e58256ce8a
Node-saml Root Element Signature Bypass
Posted Nov 14, 2022
Authored by Google Security Research, Felix Wilhelm

Node-saml and its partner project passport-saml are vulnerable to an authentication bypass due to lax parsing of SAML responses.

tags | exploit
advisories | CVE-2022-39299
SHA-256 | 1409b388d1ff3591b0f738957b81678639bad9a730829cf9d04b2f5f4e2e8a40
libxml2 xmlParseNameComplex Integer Overflow
Posted Nov 14, 2022
Authored by Google Security Research

libxml2 suffers from an integer overflow vulnerability in xmlParseNameComplex.

tags | exploit, overflow
advisories | CVE-2022-29824, CVE-2022-40303
SHA-256 | 460eceed9569ffcdce27d0a183f57f2e49ab67429e91901bbb4e3224a94ee5b0
libxml2 Attribute Parsing Double-Free
Posted Nov 14, 2022
Authored by Google Security Research

libxml2 suffers from a double-free vulnerability when parsing default attributes.

tags | exploit
advisories | CVE-2022-40304
SHA-256 | 1a8d29ae40a3deaa9cedd289845638ea24b570780c91b8644c9fbebb133eb6ae
Page 1 of 71
Back12345Next

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close