
Files from ianbeer

Email address: ianbeer at google.com
First Active: 2014-12-02
Last Active: 2020-03-09
IntelAccelerator:gstqConfigure Kernel NULL Dereference
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The field at IntelAccelerator+0xe60 is a pointer to a GSTContextKernel allocated in the ::gstqCreateInfoMethod. In the ::start method this field is initialized to NULL. The IGAccelDevice external method gst_configure (0x206) calls gstqConfigure which doesn't check whether the GSTContextKernel pointer is NULL, therefore by calling this external method before calling any others which allocate the GSTContextKernel we can cause a kernel NULL pointer dereference. The GSTContextKernel structure contains pointers, one of which eventually leads to control of a kernel virtual method call. This PoC will kernel panic calling 0xffff800041414141.

tags | exploit, kernel
systems | linux
advisories | CVE-2015-7106
MD5 | 6c77f15f18e2332b1161e77f0ac900a9
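As an added illustration of the lifecycle bug described in the IntelAccelerator advisory above (this is not the Project Zero PoC and not Apple's code), the C model below has a context pointer that ::start leaves NULL, a create method that is the only thing allocating it, and a configure method reachable by external-method selector that dereferences it unchecked, beside the same method with the missing check. Only selector 0x206 and the method names come from the advisory; the struct layout, the 0x200 create selector, the error codes and the notify callback are assumptions standing in for the IOKit externals.

```c
/* Added example (not the advisory's PoC): userland model of an IOKit userclient
 * whose per-device context is only allocated by one external method, while another
 * method dereferences it without checking it exists yet. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct gst_context_kernel {
    uint64_t flags;
    /* the kind of pointer the advisory says eventually reaches a virtual call */
    void (*notify)(struct gst_context_kernel *);
} gst_context_kernel;

typedef struct intel_accelerator {
    /* ... other driver state ... */
    gst_context_kernel *gst_ctx; /* stands in for the pointer at IntelAccelerator+0xe60 */
} intel_accelerator;

static void gst_notify_default(gst_context_kernel *c) { c->flags |= 1; }

/* ::start leaves the field NULL */
void accel_start(intel_accelerator *a) { a->gst_ctx = NULL; }

/* ::gstqCreateInfo is the only method that allocates the context */
int accel_gstq_create_info(intel_accelerator *a) {
    gst_context_kernel *c = calloc(1, sizeof *c);
    if (!c) return -ENOMEM;
    c->notify = gst_notify_default;
    a->gst_ctx = c;
    return 0;
}

/* Vulnerable gstqConfigure: no NULL check, so a selector 0x206 call issued before
 * create dereferences NULL and then calls through a pointer read from it. */
int accel_gstq_configure_vuln(intel_accelerator *a, uint64_t flags) {
    a->gst_ctx->flags = flags;      /* NULL dereference if create never ran */
    a->gst_ctx->notify(a->gst_ctx); /* indirect call through the structure */
    return 0;
}

/* Hardened: refuse the call until the context exists. */
int accel_gstq_configure_fixed(intel_accelerator *a, uint64_t flags) {
    if (a->gst_ctx == NULL) return -ENXIO;
    a->gst_ctx->flags = flags;
    a->gst_ctx->notify(a->gst_ctx);
    return 0;
}

/* External-method dispatcher. 0x206 is gst_configure per the advisory;
 * 0x200 for create is an assumed selector. */
#define SEL_GST_CREATE_INFO 0x200
#define SEL_GST_CONFIGURE   0x206

int accel_external_method(intel_accelerator *a, uint32_t selector, uint64_t arg, int hardened) {
    switch (selector) {
    case SEL_GST_CREATE_INFO:
        return accel_gstq_create_info(a);
    case SEL_GST_CONFIGURE:
        return hardened ? accel_gstq_configure_fixed(a, arg)
                        : accel_gstq_configure_vuln(a, arg);
    default:
        return -EINVAL;
    }
}

int main(void) {
    intel_accelerator a;
    accel_start(&a);
    /* Hardened path: configure-before-create is refused instead of crashing. */
    printf("configure before create (fixed): %d\n",
           accel_external_method(&a, SEL_GST_CONFIGURE, 0x41, 1));
    accel_external_method(&a, SEL_GST_CREATE_INFO, 0, 1);
    printf("configure after create (fixed): %d\n",
           accel_external_method(&a, SEL_GST_CONFIGURE, 0x41, 1));
    /* accel_external_method(&a, SEL_GST_CONFIGURE, 0x41, 0) on a fresh device would
     * segfault here: the userland analogue of the kernel panic. */
    free(a.gst_ctx);
    return 0;
}
```

The general lesson is that every external method reachable from userspace must be valid in every state the object can be in, including immediately after ::start; ordering assumptions between selectors are not enforced by IOKit.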
IOKit Methods Being Called Without Locks From IOServiceClose
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel. You can in fact do this very simply by calling IOServiceClose on two threads. Like the spoofed notifications this leads to many bugs in many userclients, the exact nature of which depends on the semantics of the clientClose implementation.

tags | exploit, spoof
systems | linux
advisories | CVE-2016-1720
MD5 | e994715ca79002c392401ecf2840bc78
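Added example, not from the advisory above or from Apple's code: a userland model of a clientClose that tears down a shared buffer, first in the unlocked form the advisory describes and then with an atomic open-to-closed transition so that whichever caller wins does the teardown and every other concurrent caller becomes a no-op. pthreads stand in for the two threads calling IOServiceClose; the user_client struct and the return codes are assumptions.

```c
/* Added example: two callers entering clientClose concurrently, with and without
 * a guard. Compile with a C11 compiler; glibc >= 2.34 needs no -lpthread. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct user_client {
    void *shared_buf;          /* resource released by clientClose */
    atomic_int closed;         /* 0 = open, 1 = closed (used by the hardened path) */
    atomic_int teardown_count; /* how many times the buffer was released */
} user_client;

void client_open(user_client *uc) {
    uc->shared_buf = malloc(4096);
    atomic_store(&uc->closed, 0);
    atomic_store(&uc->teardown_count, 0);
}

/* Vulnerable clientClose: check-then-free with no lock. Two threads that both
 * observe a non-NULL pointer before either clears it will both free it. */
int client_close_vuln(user_client *uc) {
    if (uc->shared_buf) {
        void *p = uc->shared_buf;
        /* window: a second caller can still read the old pointer here */
        uc->shared_buf = NULL;
        free(p);
        atomic_fetch_add(&uc->teardown_count, 1);
        return 0;
    }
    return -1;
}

/* Hardened clientClose: only the thread that wins the 0 -> 1 transition tears
 * anything down; every later or concurrent caller gets "already closed". */
int client_close_fixed(user_client *uc) {
    int expected = 0;
    if (!atomic_compare_exchange_strong(&uc->closed, &expected, 1))
        return -1;
    free(uc->shared_buf);
    uc->shared_buf = NULL;
    atomic_fetch_add(&uc->teardown_count, 1);
    return 0;
}

struct closer_arg {
    user_client *uc;
    int (*close_fn)(user_client *);
};

static void *closer_thread(void *p) {
    struct closer_arg *a = p;
    a->close_fn(a->uc);
    return NULL;
}

/* Open a client, let nthreads call close_fn on it at once, and report how many
 * teardowns happened. Correct behaviour is exactly 1. */
int race_close(int nthreads, int (*close_fn)(user_client *)) {
    user_client uc;
    client_open(&uc);
    pthread_t *t = calloc((size_t)nthreads, sizeof *t);
    struct closer_arg arg = { &uc, close_fn };
    for (int i = 0; i < nthreads; i++)
        pthread_create(&t[i], NULL, closer_thread, &arg);
    for (int i = 0; i < nthreads; i++)
        pthread_join(t[i], NULL);
    free(t);
    return atomic_load(&uc.teardown_count);
}

int main(void) {
    /* The hardened close tears down exactly once however many threads race. */
    printf("fixed: %d teardown(s) with 16 racing callers\n",
           race_close(16, client_close_fixed));
    /* race_close(16, client_close_vuln) can double-free and abort; it is left
     * uncalled here, but it is the userland analogue of IOServiceClose on two threads. */
    return 0;
}
```

In a real userclient the state transition would normally sit under the client's own lock rather than a lock-free flag, but the shape is the same: the decision "am I the one closing this" and the teardown must be one atomic step, or any object whose clientClose is not idempotent becomes a double-free or use-after-free.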
iOS / OS X NECP System Control Integer Overflow
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

iOS and OS X suffer from a kernel code execution vulnerability due to an integer overflow in NECP system control socket packet parsing.

tags | exploit, overflow, kernel, code execution
systems | cisco, linux, apple, osx, ios
advisories | CVE-2015-7083
MD5 | d2d590a1897674eee90f0e0ceadb0af8
iOS / OS X IOHIDEventQueue:start Code Execution
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

iOS and OS X suffer from a kernel code execution vulnerability via double-delete in IOHIDEventQueue:start due to incorrect error handling.

tags | exploit, kernel, code execution
systems | cisco, linux, apple, osx, ios
advisories | CVE-2015-7112
MD5 | b346e5d7b4ab0305590a11f0d0ad7091
iOS / OS X Unsandboxable Kernel Use-After-Free In Mach Vouchers
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The mach voucher subsystem fails to correctly handle spoofed no-more-senders messages. ipc_kobject_server will be called for mach messages sent to kernel-owned mach ports. If the msgh_id of the message can't be found in the mig_buckets hash table then this function calls ipc_kobject_notify. Note that this is the same code path which would be taken for a real no-more-senders notification message but there's nothing stopping user-space from also just sending one.

tags | exploit, kernel, spoof
systems | linux
advisories | CVE-2015-7047
MD5 | f73aa665165c84bf8cb4ba7932b541b6
OS X Kernel Panic Due To Bad Patch For CVE-2015-3712
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

A bad patch for CVE-2015-3712 allows for code execution due to insufficient bounds checking in NVIDIA GeForce command buffer processing.

tags | exploit, code execution
systems | linux
advisories | CVE-2015-7019
MD5 | d8b6245b664f3747697aa70fff41cfe0
OSMetaClassBase:safeMetaCast Return Value Check Fail
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

IOUserClient::connectClient is an obscure IOKit method which according to the docs is supposed to "Inform a connection of a second connection." In fact IOKit provides no default implementation and only a handful of userclients actually implement it, and it's pretty much up to them to define the semantics of what "informing the connection of a second connection" actually means. One of the userclients which implements connectClient is IOAccelContext2 which is the parent of the IGAccelContext userclient family (which are the intel GPU accelerator userclients.) IOUserClient::connectClient is exposed to userspace as IOConnectAddClient.

tags | exploit
systems | linux
advisories | CVE-2015-6996
MD5 | 6d732f2c11b51c1932abfb4ea03e7011
iOS Kernel AppleOscarGyro Use-After-Free
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

The iOS kernel suffers from a use-after-free vulnerability in AppleOscarGyro.

tags | exploit, kernel
systems | cisco, linux, ios
advisories | CVE-2016-1719
MD5 | d8afffb5b8bbd75b3dac4853cc27cba8
IOHDIXControllerUserClient:convertClientBuffer Integer Overflow
Posted Jan 27, 2016
Authored by Google Security Research, ianbeer

Method 5 of the IOHDIXController user client is createDrive64. This takes a 0x100-byte structure input from which it reads a userspace pointer and a size which it passes to IOHDIXController::convertClientBuffer. This wraps the memory pointed to by the userspace pointer in an IOMemoryDescriptor then takes the user-provided size, casts it to a 32-bit type and adds one. It passes that value to IOMalloc. By passing a size of 0xffffffff we can cause an integer overflow and IOMalloc will be passed a size of 0. IOMalloc falls through to kalloc which will quite happily make a 0-sized allocation for us and return a valid, writable kernel heap pointer.

tags | exploit, overflow, kernel
systems | linux
advisories | CVE-2015-6995
MD5 | c459652bb2133feed93cf32e220c8921
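Added example modelling the size arithmetic the IOHDIXController advisory above describes (this is not Apple's code): the user-supplied 64-bit length is truncated to 32 bits and incremented, so 0xffffffff yields an allocation size of 0, beside a version that bounds the length and checks the addition before allocating. __builtin_add_overflow is the userland stand-in for XNU's os_add_overflow; the 1 MiB cap, the kernel_buf struct and the error codes are assumptions.

```c
/* Added example: the truncate-then-increment size bug and its hardened form. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The advisory's computation: cast the user length to 32 bits, then add one.
 * 0xffffffff (or anything whose low 32 bits are all set) wraps to 0. */
uint32_t vuln_alloc_size(uint64_t user_size) {
    uint32_t len = (uint32_t)user_size;
    return len + 1;
}

/* Hardened computation: reject lengths beyond what we would ever map, then
 * do the +1 with an overflow check instead of trusting the wrap. */
bool safe_alloc_size(uint64_t user_size, size_t max_len, uint32_t *out) {
    if (user_size > max_len) return false;
    uint32_t len;
    if (__builtin_add_overflow((uint32_t)user_size, 1u, &len)) return false;
    *out = len;
    return true;
}

/* Model of convertClientBuffer: copy a user buffer into a kernel allocation
 * whose size derives from the user length. */
typedef struct {
    void *kbuf;
    uint32_t kbuf_len;
} kernel_buf;

/* Vulnerable: with usize = 0xffffffff the allocation is 0 bytes. The copy that
 * would follow is the heap overflow; it is omitted so the model does not crash. */
int convert_client_buffer_vuln(const void *uptr, uint64_t usize, kernel_buf *kb) {
    uint32_t n = vuln_alloc_size(usize);
    kb->kbuf_len = n;
    kb->kbuf = malloc(n); /* stands in for IOMalloc -> kalloc; size 0 still hands back a pointer */
    (void)uptr;
    return kb->kbuf ? 0 : -ENOMEM;
}

/* Hardened: the length is validated before any allocation or copy happens. */
int convert_client_buffer_fixed(const void *uptr, uint64_t usize, kernel_buf *kb) {
    uint32_t n;
    if (!safe_alloc_size(usize, 1u << 20, &n)) return -EINVAL; /* 1 MiB cap assumed */
    kb->kbuf = malloc(n);
    if (!kb->kbuf) return -ENOMEM;
    kb->kbuf_len = n;
    memcpy(kb->kbuf, uptr, (size_t)usize);
    ((char *)kb->kbuf)[usize] = '\0'; /* the +1 is room for this terminator */
    return 0;
}

int main(void) {
    kernel_buf kb;
    printf("vuln size for 0xffffffff: %u\n", vuln_alloc_size(0xffffffffULL));
    printf("fixed rejects 0xffffffff: %d\n",
           convert_client_buffer_fixed("", 0xffffffffULL, &kb) == -EINVAL);
    const char *sample = "hello"; /* constructed sample input */
    if (convert_client_buffer_fixed(sample, 5, &kb) == 0) {
        printf("fixed copy: %s (%u bytes allocated)\n", (char *)kb.kbuf, kb.kbuf_len);
        free(kb.kbuf);
    }
    return 0;
}
```

The cap matters as much as the overflow check: a 64-bit length that is merely truncated (0x1ffffffff, say) passes a naive "+1 did not wrap" test and still mismatches the descriptor that was wrapped around the full user range.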
Mac OS X Networkd XPC Type Confusion Sandbox Escape
Posted Nov 17, 2015
Authored by Google Security Research, ianbeer

networkd is the system daemon which implements the com.apple.networkd XPC service. It's unsandboxed but runs as its own user. com.apple.networkd is reachable from many sandboxes including the Safari WebProcess and ntpd (plus all those which allow system-network). networkd parses quite complicated XPC messages and there are many cases where xpc_dictionary_get_value and xpc_array_get_value are used without subsequent checking of the type of the returned value.

tags | exploit
systems | linux, apple
advisories | CVE-2014-4492
MD5 | 8735745305c64f5827fe6f8e813c215f
Samsung Seiren Kernel Driver Buffer Overflow
Posted Oct 28, 2015
Authored by Google Security Research, ianbeer

The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is accessible by either the system user or the audio group (such as the mediaserver). It was found that the write() implementation for this driver contains a buffer overflow vulnerability that overflows a static global buffer.

tags | advisory, overflow
systems | linux
advisories | CVE-2015-7890
MD5 | cb74e5dd1c0a55e64f1526ff4e0aecad
OS X Regex Engine Integer Signedness / Overflow
Posted Sep 23, 2015
Authored by Google Security Research, ianbeer

OS X Regex Engine (TRE) suffers from integer signedness and overflow issues.

tags | exploit, overflow
systems | linux, apple, osx
advisories | CVE-2015-3798
MD5 | b3e63f40edf650e945be050b95cee62d
OS X Regex Engine Stack Buffer Overflow
Posted Sep 23, 2015
Authored by Google Security Research, ianbeer

OS X Regex Engine (TRE) suffers from a stack buffer overflow vulnerability.

tags | advisory, overflow
systems | linux, apple, osx
advisories | CVE-2015-3796
MD5 | f85a0765d88cae33afc0a1351323e720
OS X Regex Engine Bad Alloca
Posted Sep 22, 2015
Authored by Google Security Research, ianbeer

The OS X regex engine (TRE) uses the alloca function in a few places, sometimes where an attacker can partially control the size.

tags | exploit
systems | linux, apple, osx
advisories | CVE-2015-3797
MD5 | 37f4dcb64834686e35367244c95a0809
OS X IOKit Kernel Memory Corruption
Posted Sep 18, 2015
Authored by Google Security Research, ianbeer

An OS X IOKit kernel memory corruption issue occurs due to a bad bzero in IOBluetoothDevice.

tags | exploit, kernel
systems | linux, apple, osx
advisories | CVE-2014-8836
MD5 | be89e142f6fbb107f137d490b98a4d33
OS X Suid Privilege Escalation
Posted Sep 14, 2015
Authored by Google Security Research, ianbeer

The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time. By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first and passing a custom object as the directory name we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD privileges are per-process this means that our other proxy object will now have euid 0 without having to provide an authorization reference. In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function which will then drop privs.

tags | exploit, shell, root
systems | linux, bsd
advisories | CVE-2015-5754
MD5 | 56bffdab05f4e18e4e17316125e04b4e
OS X Privilege Escalation
Posted Sep 14, 2015
Authored by Google Security Research, ianbeer

The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root and exploitable.

tags | exploit, root
systems | linux
advisories | CVE-2015-3704
MD5 | 4b90becda3fbac25e7bb0e5e93b2ac74
OS X Install.framework Suid Root Binary
Posted Sep 14, 2015
Authored by Google Security Research, ianbeer

Install.framework has a suid root binary at /System/Library/PrivateFrameworks/Install.framework/Resources/runner that allows for arbitrary mkdir, unlink, and chown.

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2015-5784
MD5 | 1dcaf53141a4b96120590efddce2dd04
Mac OS X IOKit Keyboard Driver Root Privilege Escalation
Posted Dec 2, 2014
Authored by joev, ianbeer | Site metasploit.com

A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel pointers can also be leaked, allowing a full kASLR bypass. Tested on Mavericks 10.9.5, and should work on previous versions. The issue has been patched silently in Yosemite.

tags | exploit, overflow, kernel
systems | apple, osx
advisories | CVE-2014-4404
MD5 | 456a9ca66b1cb8d70b22b73cb2510cf9

© 2016 Packet Storm. All rights reserved.