
Files from ianbeer

Email address: ianbeer at google.com
First Active: 2014-12-02
Last Active: 2020-02-13
OS X AppleMuxControl.kext NULL Pointer Dereference
Posted Jun 9, 2016
Authored by Google Security Research, ianbeer

There is an OS X exploitable kernel NULL pointer dereference in AppleMuxControl.kext.

tags | exploit, kernel
systems | apple
advisories | CVE-2016-1794
MD5 | 80d3bd172af83bec8656282b2a2ac45e
OS X Kernel Use-After-Free From IOAcceleratorFamily2 Bad Locking
Posted Jun 9, 2016
Authored by Google Security Research, ianbeer

The OS X kernel suffers from a use-after-free vulnerability due to bad locking in IOAcceleratorFamily2.

tags | exploit, kernel
systems | apple
advisories | CVE-2016-1819
MD5 | 08738b67d158362ec1b1b52f8a6a7aad
OS X IOAccelSharedUserClient2::page_off_resource NULL Pointer Dereference
Posted Jun 9, 2016
Authored by Google Security Research, ianbeer

There is an OS X exploitable kernel NULL dereference in IOAccelSharedUserClient2::page_off_resource.

tags | exploit, kernel
systems | apple
advisories | CVE-2016-1813
MD5 | f12afe474448c13073407ed01c8ee070
Linux perf_event_open() / execve() Race Condition
Posted May 3, 2016
Authored by Google Security Research, ianbeer

A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.

tags | exploit, local
systems | linux
MD5 | 8a00dfb29a5769d243754a1a99030296
OS X Kernel AppleUSBPipe::Abort Missing Bounds Checking
Posted Mar 22, 2016
Authored by Google Security Research, ianbeer

Mac OS X kernel suffers from a code execution vulnerability due to a lack of bounds checking in AppleUSBPipe::Abort.

tags | exploit, kernel, code execution
systems | linux, apple, osx
advisories | CVE-2016-1749
MD5 | bed149432923b940c127c1235d8bcd34
OS X Kernel AppleKeyStore Use-After-Free
Posted Mar 22, 2016
Authored by Google Security Research, ianbeer

The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods; however, by racing two threads, one of which closes the userclient (which frees the IOCommandGate) and one of which tries to make an external method call, we can cause a use-after-free of the IOCommandGate.

tags | exploit
systems | linux
advisories | CVE-2016-1755
MD5 | 28d80c38ca1c4a122d94f26bd1b48d9e
OS X Kernel Nvidia Driver Unchecked Array Index
Posted Mar 22, 2016
Authored by Google Security Research, ianbeer

Mac OS X kernel has an issue where an unchecked array index can be used to read an object pointer then call a virtual method in the Nvidia GEForce driver.

tags | exploit, kernel
systems | linux, apple, osx
advisories | CVE-2016-1741
MD5 | a47e6c7658312f6b320a70c4c60eab37
OS X Kernel Use-After-Free / Double Delete
Posted Mar 22, 2016
Authored by Google Security Research, ianbeer

The Mac OS X kernel suffers from use-after-free and double delete issues due to incorrect locking in the Intel GPU driver.

tags | exploit, kernel
systems | linux, apple, osx
advisories | CVE-2016-1744
MD5 | 0fa2674827e519c2c3e1d71a56b5d833
OS X / iOS Suid Binary Logic Error Code Execution
Posted Mar 22, 2016
Authored by Google Security Research, ianbeer

The code responsible for loading a suid binary following a call to the execve syscall invalidates the task port only after first swapping the new vm_map into the old task object, leaving a short race window in which we can manipulate the memory of the euid(0) process before the old task port is destroyed.

tags | exploit
systems | linux
advisories | CVE-2016-1757
MD5 | 58c8a1c7d992ae37e0572d86f40f5412
Adobe Flash op_pushwith Incorrect Jit Optimization
Posted Mar 16, 2016
Authored by Google Security Research, ianbeer

The avmplus bytecode verifier misses a control-flow path via op_pushwith throwing an exception, allowing crafted bytecode to be incorrectly optimized, which can trivially be abused to get code execution.

tags | exploit, code execution
systems | linux
advisories | CVE-2014-0586
MD5 | 2c70ef02f129e446597e6ba7cb2c7bc0
Chrome GPU Process Sandbox Escape
Posted Mar 11, 2016
Authored by Google Security Research, ianbeer

The Chrome GPU process suffers from a sandbox escape vulnerability due to the use of an invalid iterator in its IPC handler.

tags | advisory
systems | linux
advisories | CVE-2016-1642
MD5 | b19f27dd942724a40b8a331bec005ec1
OS X Sysmond XPC Type Confusion Privilege Escalation
Posted Feb 10, 2016
Authored by Google Security Research, ianbeer

OS X suffers from a privilege escalation vulnerability due to XPC type confusion in sysmond.

tags | exploit
systems | linux, apple, osx
advisories | CVE-2014-8835
MD5 | 3ac26a15ec16701e2fb2e821afc62436
iOS Kernel IOHIDEventService Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The iOS kernel suffers from a use-after-free vulnerability in IOHIDEventService.

tags | exploit, kernel
systems | cisco, linux, ios
advisories | CVE-2016-1719
MD5 | 17fd1039e481d24448d676071d0469a3
IOSCSIPeripheralDeviceType00 Kernel Null Dereference
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

Opening userclient type 12 of IOSCSIPeripheralDeviceType00 leads to an exploitable kernel NULL dereference.

tags | exploit, kernel
systems | linux
advisories | CVE-2015-7068
MD5 | 6ccc02e76c6f74c7a0a94ab6c4685056
iOS Kernel AppleOscarCompass Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The iOS kernel suffers from a use-after-free vulnerability in AppleOscarCompass.

tags | exploit, kernel
systems | cisco, linux, ios
advisories | CVE-2016-1719
MD5 | dd4489055ce445b6df7ffea87cee6e52
iOS / OS X Kernel Uninitialized Variable Code Execution
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The _ool variations of the IOKit device.defs functions all incorrectly deal with error conditions. If you run the mig tool on device.defs you can see the source of the kernel-side MIG handling code.

tags | exploit, kernel
systems | linux
advisories | CVE-2016-1721
MD5 | 170d947b064b72c03f13952426b22864
iOS Kernel AppleOscarAccelerometer Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The iOS kernel suffers from a use-after-free vulnerability in AppleOscarAccelerometer.

tags | exploit, kernel
systems | cisco, linux, ios
advisories | CVE-2016-1719
MD5 | dd48bed8e0e9e332145dc0ac5e571f13
iOS / OS X Kernel IOHDIXControllUserClient:clientClose UAF / Double Free
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

iOS / OS X kernels suffer from a use-after-free / double free vulnerability due to lack of locking in IOHDIXControllUserClient:clientClose.

tags | exploit, kernel
systems | cisco, linux, apple, osx, ios
advisories | CVE-2015-7110
MD5 | 4ca3511924adc3aa52a467b0ddf5ed87
IOBluetoothHCIUserClient Lack Of Bounds Checking
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks the size of that structInput, and SimpleDispatchWL goes on to read the field at +0x70 of the structInput.

tags | exploit
systems | linux
advisories | CVE-2015-7108
MD5 | e6f2ca666856de127e63494985d8e064
OS X Kernel Hypervisor Driver Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The hv_space lock group gets an extra ref dropped when you kill a process with an AppleHV userclient: once via IOService::terminateWorker calling the AppleHVClient::free method (which calls lck_rw_free on the lock group using the pointer hanging off the global _hv variable), and a second time via the hypervisor machine_thread_destroy callback (hv_callback_thread_destroy), which also calls lck_rw_free with a lock group pointer taken from _hv.

tags | exploit
systems | linux
advisories | CVE-2015-7078
MD5 | bff06cf19e4771a653e2b05f210d42d4
Gst_configure Lack Of Bounds Checking / Toctou Buffer Overflow
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The external method 0x206 of IGAccelGLContext is gst_configure. This method takes an arbitrary sized input structure (passed in rsi) but doesn't check the size of that structure (passed in rcx).

tags | exploit, arbitrary
systems | linux
advisories | CVE-2015-7077
MD5 | b2d1d2f8506f127202b22df1210e27cb
iOS / OS X Iokit Registry Iterator Double Free
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

iOS / OS X suffer from a kernel double free due to lack of locking in Iokit registry iterator manipulation.

tags | exploit, kernel, registry
systems | cisco, linux, apple, osx, ios
advisories | CVE-2015-7084
MD5 | c9357d0e4d6e5c18a2ac1368f7f6da8e
iOS Kernel IOReportHub Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The iOS kernel suffers from a use-after-free vulnerability in IOReportHub.

tags | exploit, kernel
systems | cisco, linux, ios
advisories | CVE-2016-1719
MD5 | 2504ff241f02dbb9191e188e0456809f
iOS Kernel AppleOscarCMA Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The iOS kernel suffers from a use-after-free vulnerability in AppleOscarCMA.

tags | exploit, kernel
systems | cisco, linux, ios
advisories | CVE-2016-1719
MD5 | 362ceedf70c3bb9f09328d222d270b3c
IntelAccelerator:gstqConfigure Kernel NULL Dereference
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod. In the ::start method this field is initialized to NULL. The IGAccelDevice external method gst_configure (0x206) calls gstqConfigure which doesn't check whether the GSTContextKernel pointer is NULL, therefore by calling this external method before calling any others which allocate the GSTContextKernel we can cause a kernel NULL pointer dereference. The GSTContextKernel structure contains pointers, one of which eventually leads to control of a kernel virtual method call. This PoC will kernel panic calling 0xffff800041414141.

tags | exploit, kernel
systems | linux
advisories | CVE-2015-7106
MD5 | 6c77f15f18e2332b1161e77f0ac900a9
© 2016 Packet Storm. All rights reserved.