Twenty Year Anniversary
Showing 26 - 50 of 1,147 RSS Feed

Files from Google Security Research

First Active2000-02-18
Last Active2018-09-20
WebRTC VP8 Block Decoding Use-After-Free
Posted Jul 31, 2018
Authored by Google Security Research, natashenka

There is a use-after-free in VP8 block decoding in WebRTC. The contents of the freed block is then treated a pointer, leading to a crash in WebRTC.

tags | exploit
MD5 | fe84289b20deaaf1289d6b1fe162af01
WebRTC FEC Processing Overflow
Posted Jul 31, 2018
Authored by Google Security Research, natashenka

There are several calls to memcpy that can overflow the destination buffer in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket. The method takes a parameter incoming_rtp_packet, which is an RTP packet with a mac length that is defined by the transport (2048 bytes for DTLS in Chrome). This packet is then copied to the received_packet in several locations in the method, depending on packet properties, using the lenth of the incoming_rtp_packet as the copy length. The received_packet is a ForwardErrorCorrection::ReceivedPacket, which has a max size of 1500. Therefore, the memcpy calls in this method can overflow this buffer.

tags | exploit, overflow
MD5 | 066c20eaa37c60242f60e28957ecc367
WebRTC H264 NAL Packet Type Confusion
Posted Jul 31, 2018
Authored by Google Security Research, natashenka

WebRTC suffers from a type confusion vulnerability when processing an H264 NAL packet.

tags | exploit
MD5 | 0f13bebaacf8d1adb0041a3b46fa15e0
fusermount Restriction Bypass
Posted Jul 30, 2018
Authored by Jann Horn, Google Security Research

It is possible to bypass fusermount's restrictions on the use of the "allow_other" mount option as follows if SELinux is active.

tags | exploit
advisories | CVE-2018-10906
MD5 | 9e10d920caa48857046e580c577e1ff4
Skia SkScan::FillPath Heap Overflow
Posted Jul 26, 2018
Authored by Ivan Fratric, Google Security Research

There is a heap overflow in Skia when drawing paths with anti-aliasing turned off. This issue can be triggered in both Google Chrome and Mozilla Firefox by rendering a specially crafted SVG image. Proof of concepts included.

tags | exploit, overflow, proof of concept
advisories | CVE-2018-6126
MD5 | 189bd359ac88d1f7b3b45f86c7b34089
Microsoft Windows Kernel Malformed GPOS Table Buffer Overflow
Posted Jul 24, 2018
Authored by Google Security Research, mjurczyk

The Microsoft Windows kernel suffers from an OTF font processing pool-based buffer overflow via a malformed GPOS table in ATMFD.DLL.

tags | exploit, overflow, kernel
systems | windows
advisories | CVE-2015-2426
MD5 | 6b9f72a57dc4ca122f172caf45951a31
Chrome Swiftshader Blitting Floating-Point Precision Errors
Posted Jul 19, 2018
Authored by Google Security Research, Mark Brand

Chrome suffers from floating-point precision errors in Swiftshader blitting.

tags | exploit
MD5 | 7b98d22e3cda5e01a29a389816481305
Chrome SwiftShader OpenGL Texture Binding Reference Count Leak
Posted Jul 19, 2018
Authored by Google Security Research, Mark Brand

Chrome suffers from a reference count leak in SwiftShader OpenGL texture bindings.

tags | exploit
MD5 | 94c654dcb20a0856b832d97f6fed38a0
Chrome Swiftshader Texture Allocation Integer Overflow
Posted Jul 19, 2018
Authored by Google Security Research, Mark Brand

Chrome suffers from an integer overflow vulnerability in Swiftshader texture allocation.

tags | exploit, overflow
MD5 | b3eb960cb7d3278d871332f5993c7d6c
Linux/Ubuntu Coredump Reading Access Bypass
Posted Jul 13, 2018
Authored by Jann Horn, Google Security Research

Linux/Ubuntu suffers from a vulnerability where other users' coredumps can be read via a setgid directory and killpriv bypass.

tags | exploit
systems | linux, ubuntu
MD5 | 643a11ef1ca33c7ad1aef476e210c8b8
macOS / iOS OfficeImporter JavaScript Injection
Posted Jul 13, 2018
Authored by Google Security Research, lokihardt

macOS and iOS suffer from a javascript injection bug in OfficeImporter.

tags | exploit, javascript
systems | cisco, ios
MD5 | 8a77e3c5cc05866fe394bdbf6a928d1b
Microsoft Edge Chakra JIT SetConcatStrMultiItemBE Type Confusion
Posted Jul 12, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from a type confusion vulnerability with hoisted SetConcatStrMultiItemBE instructions.

tags | exploit
advisories | CVE-2018-8229
MD5 | 9b384b361e8b141c4703603f10a6db28
Microsoft Edge Chakra JIT BoundFunction::NewInstance Bug
Posted Jul 12, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from a bug. BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array and copies the prepended arguments and others into the new argument array and calls the actual function. The problem is, it doesn't care about the CallFlags_NewTarget flag which indicates that there's an extra argument (new.target) at the end of the argument array. So the size of the new argument array created with the CallFlags_NewTarget flag will be always 1 less then required, this leads to an out-of-bounds read.

tags | exploit
advisories | CVE-2018-8139
MD5 | 2e11fd2e309888dfb033653d982fdc23
Microsoft Edge Chakra JIT Out-Of-Bounds Reads/Writes
Posted Jul 12, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from multiple out of bounds reads and writes.

tags | exploit
advisories | CVE-2018-8145
MD5 | b73c99e652b5ab40ccfdf43c9715573b
Chrome V8 KeyAccumulator Bug
Posted Jul 12, 2018
Authored by Google Security Research, lokihardt

Chrome V8 suffers from a bug in KeyAccumulator that can cause a crash.

tags | exploit
MD5 | 9fee601d9a1d2470bc41cfa501ef0dbc
Android media.metrics Service Race Condition
Posted Jun 28, 2018
Authored by Google Security Research, laginimaineb

Android suffers from multiple race condition vulnerabilities in the media.metrics service.

tags | exploit, vulnerability
MD5 | 06121632506dfafd6c92c75072b912b0
KVM Nest Virtualization L1 Guest Privilege Escalation
Posted Jun 25, 2018
Authored by Felix Wilhelm, Google Security Research

When KVM (on Intel) virtualizes another hypervisor as L1 VM it does not verify that VMX instructions from the L1 VM (which trigger a VM exit and are emulated by L0 KVM) are coming from ring 0.

tags | exploit
MD5 | 52237ddbf09d9e8e93706408732deecf
Microsoft Windows Desktop Bridge Virtual Registry Incomplete Fix
Posted Jun 20, 2018
Authored by James Forshaw, Google Security Research

The handling of the virtual registry for desktop bridge applications can allow an application to create arbitrary files as system resulting in privilege escalation. This is because the fix for CVE-2018-0880 (MSRC case 42755) did not cover all similar cases which were reported at the same time in the issue.

tags | exploit, arbitrary, registry
MD5 | 0c6e9aac6eb44da88353cc69fbad521f
Microsoft Windows Desktop Bridge Activation Arbitrary Directory Creation
Posted Jun 19, 2018
Authored by James Forshaw, Google Security Research

The activator for Desktop Bridge applications calls CreateAppContainerToken while running as a privileged account leading to creation of arbitrary object directories leading to privilege escalation.

tags | exploit, arbitrary
advisories | CVE-2018-8208
MD5 | 832f197845675cc7fc23e2136754692c
Microsoft Windows 10 1709 Child Process Restriction Mitigation Bypass
Posted Jun 13, 2018
Authored by James Forshaw, Google Security Research

Microsoft Windows 10 version 1709 suffers from a child process restriction mitigation bypass vulnerability.

tags | exploit, bypass
systems | windows
advisories | CVE-2018-0982
MD5 | 14320128fadf9ab6d9bdc495b2999b56
Google Chrome Integer Overflow When Processing WebAssembly Locals
Posted Jun 7, 2018
Authored by Google Security Research, natashenka

Google Chrome suffers from an integer overflow vulnerability when processing WebAssembly Locals.

tags | exploit, overflow, local
advisories | CVE-2018-6092
MD5 | aeb83fd88c3d4231411f5990050f821c
WebKit WebAssembly Compilation Information Leak
Posted Jun 7, 2018
Authored by Google Security Research, natashenka

WebKit suffers from an information leak vulnerability in WebAssembly Compilation.

tags | exploit
advisories | CVE-2018-4222
MD5 | 8a7060e2844a92fb8c612af806907919
Chrome V8 PromiseAllResolveElementClosure Element Confusion
Posted Jun 7, 2018
Authored by Google Security Research, lokihardt

Chrome V8 has an element confusion issue with PromiseAllResolveElementClosure.

tags | exploit
MD5 | e846e2172648f118d3f2ff6689c37c64
WebKit Generator Use-After-Free
Posted Jun 7, 2018
Authored by Google Security Research, natashenka

WebKit suffers from a use-after-free vulnerability when resuming generator.

tags | exploit
advisories | CVE-2018-4218
MD5 | bbd278c835aea19f068ff64534828d6b
WebRTC VP9 Missing Frame Processing Out-Of-Bounds Memory Access
Posted Jun 7, 2018
Authored by Google Security Research, natashenka

WebRTC VP9 missing frame processing suffers from an out-of-bounds memory access vulnerability.

tags | exploit
advisories | CVE-2018-6129
MD5 | 00cc61e87f0625b4254896a0155f9fc3
Page 2 of 46
Back12345Next

File Archive:

September 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    3 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    18 Files
  • 6
    Sep 6th
    18 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    2 Files
  • 9
    Sep 9th
    2 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    17 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    29 Files
  • 14
    Sep 14th
    21 Files
  • 15
    Sep 15th
    3 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    16 Files
  • 19
    Sep 19th
    29 Files
  • 20
    Sep 20th
    18 Files
  • 21
    Sep 21st
    5 Files
  • 22
    Sep 22nd
    2 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close