Exploit the possiblities
Showing 76 - 100 of 983 RSS Feed

Files from Google Security Research

First Active2000-02-18
Last Active2018-01-18
Microsoft Windows win32k!xxxSendMenuSelect Memory Disclosure
Posted Nov 21, 2017
Authored by Google Security Research, mjurczyk

There is a Microsoft Windows kernel stack memory disclosure vulnerability in win32k!xxxSendMenuSelect via fnHkINLPMSG user-mode callback.

tags | advisory, kernel
systems | windows
advisories | CVE-2017-11853
MD5 | df47cad4c0563e46c4d01e39c825ee89
Microsoft Windows nt!NtQueryDirectoryFile (luafv!LuafvCopyDirectoryEntry) Disclosure
Posted Nov 21, 2017
Authored by Google Security Research, mjurczyk

It was discovered that the nt!NtQueryDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients on Windows 10, due to uninitialized fields in the output structure being copied to the application.

tags | exploit
systems | windows
advisories | CVE-2017-11831
MD5 | 819fa28825ba821d4b6515b916dd256a
Microsoft Windows CI CiSetFileCache TOCTOU Security Feature Bypass
Posted Nov 21, 2017
Authored by James Forshaw, Google Security Research

It is possible to add a cached signing level to an unsigned file by exploiting a TOCTOU in CI leading to circumvention of Device Guard policies and possibly PPL signing levels.

tags | exploit
advisories | CVE-2017-11830
MD5 | 8ebc146325ec05100a1d36b627380a7b
Microsoft Windows NTFS File System Metadata Disclosures
Posted Nov 21, 2017
Authored by Google Security Research, mjurczyk

The Microsoft Windows Kernel suffers from multiple stack and pool memory disclosures into NTFS file system metadata.

tags | advisory, kernel
systems | windows
advisories | CVE-2017-11880
MD5 | 82f8fc385cb8e1d9907a4dbdb347c2e4
Microsoft Edge Chakra JIT Bailout Generation
Posted Nov 16, 2017
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra suffers from a JIT issue where bailouts must be generated for OP_Memset.

tags | exploit
advisories | CVE-2017-11873
MD5 | c404973e6b026871d91a362e59d73a57
Microsoft Edge Charka JIT Incorrect Check
Posted Nov 16, 2017
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra suffers from a Jit related incorrect integer overflow check in Lowerer::LowerBoundCheck.

tags | exploit, overflow
advisories | CVE-2017-11861
MD5 | f57dbe49f45b04c0077db21db1563088
Microsoft Edge Chakra JIT Type Confusion
Posted Nov 16, 2017
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra suffers from a JIT related type confusion vulnerability with switch statements.

tags | exploit
advisories | CVE-2017-11811
MD5 | 8f8c70e8979dd42b0451c66d98b096e6
Microsoft Edge Object.setPrototypeOf Memory Corruption
Posted Nov 16, 2017
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a memory corruption vulnerability in Object.setPrototypeOf.

tags | exploit
advisories | CVE-2017-8751
MD5 | 92759ead0f53bf182fa98170e0d5a064
Microsoft Windows Kernel Pool Address Derivation
Posted Nov 15, 2017
Authored by Google Security Research, mjurczyk

The OpenType ATMFD.DLL kernel-mode font driver on Windows has an undocumented "escape" interface, handled by the standard DrvEscape and DrvFontManagement functions implemented by the module. The interface is very similar to Buffered IOCTL in nature, and handles 13 different operation codes in the numerical range of 0x2502 to 0x2514. It is accessible to user-mode applications through an exported (but not documented) gdi32!NamedEscape function, which internally invokes the NtGdiExtEscape syscall.

tags | exploit, kernel
systems | windows
MD5 | ac8c580a68213846a36f69940bc63b44
Microsoft Windows Kernel Pool GetFontData Address Leak
Posted Nov 15, 2017
Authored by Google Security Research, mjurczyk

The Microsoft Windows kernel pool address is leaked via an undocumented GetFontData feature in ATMFD.

tags | exploit, kernel
systems | windows
MD5 | 0fc9e0391632fca8d511a3b229bca0a1
Microsoft Windows WLDP/Scriptlet CLSID UMCI Bypass
Posted Nov 15, 2017
Authored by James Forshaw, Google Security Research

The enlightened lockdown policy check for COM Class instantiation can be bypassed in Scriptlet hosts leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard).

tags | exploit, arbitrary, code execution
MD5 | 9f26a70091ba091d126dd62e22de0746
Microsoft Internet Explorer 11 jscript!JsErrorToString Use-After-Free
Posted Nov 10, 2017
Authored by Ivan Fratric, Google Security Research

Microsoft Internet Explorer 11 suffers from a use-after-free vulnerability in jscript!JsErrorToString.

tags | exploit
advisories | CVE-2017-11810
MD5 | e509659ea4762273ceb30f9caec7db44
Microsoft Windows 10 Creators Update 32-bit Ring-0 Code Execution
Posted Oct 30, 2017
Authored by Google Security Research, mjurczyk

Microsoft Windows 10 Creators Update suffers from a 32-bit execution of ring-0 code from NULL page via NtQuerySystemInformation (class 185, Warbird functionality).

tags | advisory
systems | windows
MD5 | 3b1777f8309fb6e91148a1b542d501ef
Xen Unbounded Recursion In Pagetable De-Typing
Posted Oct 19, 2017
Authored by Jann Horn, Google Security Research

Xen allows pagetables of the same level to map each other as readonly in PV domains. This is useful if a guest wants to use the self-referential pagetable trick for easy access to pagetables by mapped virtual address.

tags | exploit
MD5 | 7b0613bdfa02a772faa0631e1daf6f95
Windows Kernel Pool Ntfs!LfsRestartLogFile Memory Disclosure
Posted Oct 16, 2017
Authored by Google Security Research, mjurczyk

This advisory discusses a Microsoft Windows kernel pool memory disclosure into NTFS metadata ($LogFile) in Ntfs!LfsRestartLogFile.

tags | advisory, kernel
systems | windows
advisories | CVE-2017-11817
MD5 | f4472007f780b633aa086c20fa3c9ee8
Windows Kernel Pool nt!RtlpCopyLegacyContextX86 Memory Disclosure
Posted Oct 16, 2017
Authored by Google Security Research, mjurczyk

The Microsoft Windows kernel pool suffers from a nt!RtlpCopyLegacyContextX86 related memory disclosure vulnerability.

tags | advisory, kernel
systems | windows
advisories | CVE-2017-11784
MD5 | e7fc69388cdf09d854702265504b52eb
Windows Kernel Pool nt!NtQueryObject Memory Disclosure
Posted Oct 16, 2017
Authored by Google Security Research, mjurczyk

It was discovered that the nt!NtQueryObject syscall handler discloses portions of uninitialized pool memory to user-mode clients when certain conditions are met.

tags | exploit
advisories | CVE-2017-11785
MD5 | f4f91d01df5144f04444581ce5fe7b80
Microsoft Edge Chakra StackScriptFunction::BoxState::Box Uninitialized Pointers
Posted Oct 14, 2017
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra accesses uninitialized pointers in StackScriptFunction::BoxState::Box.

tags | exploit
advisories | CVE-2017-11809
MD5 | 18e6e8dec6b5f143ccd448fce096def8
Microsoft Edge Chakra JIT Failed RegexHelper::StringReplace Call
Posted Oct 14, 2017
Authored by Google Security Research, lokihardt

The "String.prototype.replace" method can be inlined in the JIT process. So in the method, all the calls which may break the JIT assumptions must be invoked with updating "ImplicitCallFlags". But "RegexHelper::StringReplace" calls the replace function without updating the flag. Therefore it fails to detect if a user function was called.

tags | exploit
advisories | CVE-2017-11802
MD5 | 59bdc94ef54bad4cc587d3c9269d17cb
Microsoft Edge Chakra JIT Incorrect GenerateBailOut Calling Patterns
Posted Oct 14, 2017
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT compiler creates incorrect GenerateBailOut calling patterns.

tags | exploit
advisories | CVE-2017-11799
MD5 | 11f1ed6218c70a607f5e232014a97289
Microsoft Windows WLDP/MSHTML CLSID UMCI Bypass
Posted Oct 14, 2017
Authored by James Forshaw, Google Security Research

The enlightened lockdown policy check for COM Class instantiation can be bypassed in MSHTML hosts leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard).

tags | exploit, arbitrary, code execution
advisories | CVE-2017-11823
MD5 | 1b2d4d07eba9dc0ac29034a6908021a0
WebKit JSC Incorrect Optimization
Posted Oct 3, 2017
Authored by Google Security Research, lokihardt

A proof of concept has been released that bypasses the fix for the original finding regarding an incorrect optimization in BytecodeGenerator::emitGetByVal in WebKit JSC.

tags | exploit, proof of concept
advisories | CVE-2017-7117
MD5 | c93b1f362e5c29a309a5639c5750833c
Dnsmasq 2-Byte Heap-Based Overflow
Posted Oct 2, 2017
Authored by Google Security Research

Dnsmasq versions prior to 2.78 suffer from a 2-byte heap-based overflow vulnerability.

tags | exploit, overflow
advisories | CVE-2017-14491
MD5 | 7f7b30c40ec43e2c6088f3634ef820da
Dnsmasq Heap-Based Overflow
Posted Oct 2, 2017
Authored by Google Security Research

Dnsmasq versions prior to 2.78 suffers from a heap-based overflow vulnerability.

tags | exploit, overflow
advisories | CVE-2017-14492
MD5 | 46a85c167631a1d3b5493ddac07f46f9
Dnsmasq Stack-Based Overflow
Posted Oct 2, 2017
Authored by Google Security Research

Dnsmasq versions prior to 2.78 suffer from a stack-based overflow vulnerability.

tags | exploit, overflow
advisories | CVE-2017-14493
MD5 | 138a60587b925ad21496085365fbf1f5
Page 4 of 40
Back23456Next

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    8 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close