exploit the possibilities
Showing 1 - 25 of 145 RSS Feed

Files from lokihardt

First Active2017-02-24
Last Active2019-02-21
WebKit JSC reifyStaticProperty Attribute Flag Issue
Posted Feb 21, 2019
Authored by Google Security Research, lokihardt

WebKit JSC has an issue where reifyStaticProperty needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter.

tags | exploit
advisories | CVE-2019-6215
MD5 | f76ec921b78dcbb720528b54c5ba83f3
Microsoft Edge Chakra InlineArrayPush Type Confusion
Posted Jan 17, 2019
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a Chakra related type confusion vulnerability in InlineArrayPush.

tags | exploit
advisories | CVE-2018-8617
MD5 | 43954049af42d6f9760693a7a6a692de
Microsoft Edge Chakra JIT Use-After-Free / Flag Issue
Posted Jan 17, 2019
Authored by Google Security Research, lokihardt

In Microsoft Edge, the JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js which initializes some builtin objects. Because it is essentially written in JavaScript, it needs to clear the disable-implicit-call flag before calling the JavaScript code, otherwise it might not work properly. The problem is, it does not restore the previous status of the flag after the call. As setting the flag can prevent stack-allocated objects from leaking, this clearing-the-flag bug can lead to a stack-based use-after-free.

tags | exploit, javascript
advisories | CVE-2019-0568
MD5 | 5c28c1a80c423bfe8ef6de5aa3f1170b
Microsoft Edge Chakra JIT InitClass Type Confusion
Posted Jan 17, 2019
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a type confusion vulnerability in InitClass.

tags | advisory
advisories | CVE-2019-0539
MD5 | 11b7cf6d3cee1b1b355fa3be30470188
Microsoft Edge Chakra JIT NewScObjectNoCtor / InitProto Type Confusion
Posted Jan 17, 2019
Authored by Google Security Research, lokihardt

Microsoft Edge has an issue where NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code.

tags | exploit
advisories | CVE-2019-0567
MD5 | 46eb78a54630f51f57be7bcdca2fa397
WebKit JSC JIT Use-After-Free
Posted Jan 16, 2019
Authored by Google Security Research, lokihardt

The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it is missing some cases such as StringCharAt, StringCharCodeAt and GetByVal that might cause a garbage collection via rope strings. As a result, it can lead to a use-after-free condition.

tags | exploit
advisories | CVE-2018-4442
MD5 | 6c7e9c82cba28e3a0216c2258377389d
WebKit JSC AbstractValue::set Use-After-Free
Posted Dec 27, 2018
Authored by Google Security Research, lokihardt

WebKit JSC suffers from a use-after-free vulnerability that can be used to bypass write barriers.

tags | exploit
advisories | CVE-2018-4443
MD5 | f6e693ef692196881715a01dcdc39b91
WebKit JSC JSArray::shiftCountWithArrayStorage Out-Of-Band Read / Write
Posted Dec 27, 2018
Authored by Google Security Research, lokihardt

WebKit JSC suffers from out-of-bounds read and write vulnerabilities in JSArray::shiftCountWithArrayStorage.

tags | exploit, vulnerability
advisories | CVE-2018-4441
MD5 | 75dbb70a739e6c66466398a40ffdab49
WebKit JIT Proxy Object Issue
Posted Dec 12, 2018
Authored by Google Security Research, lokihardt

WebKit JIT int32/double arrays can have proxy objects in the prototype chains.

tags | exploit
advisories | CVE-2018-4438
MD5 | 06865c2504867e5e78ec061c65753733
WebKit JSC ForInContext Invalidation
Posted Nov 30, 2018
Authored by Google Security Research, lokihardt

WebKit JSC has an issue where BytecodeGenerator::hoistSloppyModeFunctionIfNecessary does not invalidate the ForInContext object.

tags | exploit
advisories | CVE-2018-4386
MD5 | 126233d8e8253771dcaf7662c0e08a03
WebKit JIT ByteCodeParser::handleIntrinsicCall Type Confusion
Posted Nov 30, 2018
Authored by Google Security Research, lokihardt

WebKit JIT has type confusion bugs in ByteCodeParser::handleIntrinsicCall.

tags | exploit
advisories | CVE-2018-4382
MD5 | 872dd200e93696ff2906aeea62a0ced9
WebKit JSC JIT JSPropertyNameEnumerator Type Confusion
Posted Nov 30, 2018
Authored by Google Security Research, lokihardt

When a for-in loop is executed, a JSPropertyNameEnumerator object is created at the beginning and used to store the information of the input object to the for-in loop. Inside the loop, the structure ID of the "this" object of every get_by_id expression taking the loop variable as the index is compared to the cached structure ID from the JSPropertyNameEnumerator object. If it's the same, the "this" object of the get_by_id expression will be considered having the same structure as the input object to the for-in loop has. The problem is, it doesn't have anything to prevent the structure from which the cached structure ID from being freed. As structure IDs can be reused after their owners get freed, this can lead to type confusion.

tags | exploit
advisories | CVE-2018-4416
MD5 | 95ae698b9165e165c3e55b9abdf5a015
Microsoft Edge Chakra OP_Memset Type Confusion
Posted Nov 19, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a Chakra OP_Memset type confusion vulnerability.

tags | exploit
MD5 | 7b04b630ed5e30e643f82ceeb6a803d3
Microsoft Edge Chakra JIT Type Confusion Bug
Posted Oct 11, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a Chakra JIT type confusion bug.

tags | exploit
advisories | CVE-2018-8467
MD5 | 6fbef805082788dae5a43414514f7830
Microsoft Edge Chakra JIT BailOutOnInvalidatedArrayHeadSegment Check Bypass
Posted Oct 11, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a Chakra JIT BailOutOnInvalidatedArrayHeadSegment check bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2018-8466
MD5 | 7f812f298d3183ada0ed61bc7dbd7d82
Microsoft Edge Sandbox Escape
Posted Sep 27, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge suffers from a sandbox escape vulnerability.

tags | exploit
advisories | CVE-2018-8463, CVE-2018-8468, CVE-2018-8469
MD5 | 69c1c3d9c1a1bb35469e2efa12885373
Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion
Posted Sep 18, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra suffers from a type confusion vulnerability with PathTypeHandlerBase::SetAttributesHelper.

tags | exploit
advisories | CVE-2018-8384
MD5 | 5bdea5cae9762e60edfaa8a268f78dbb
Microsoft Edge Chakra JIT localeCompare Type Confusion
Posted Sep 18, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from a type confusion vulnerability in localeCompare.

tags | exploit
advisories | CVE-2018-8355
MD5 | f4b3619f1626d973adb28bf93ce037e3
Microsoft Edge Chakra InitializeNumberFormat / InitializeDateTimeFormat Type Confusion
Posted Aug 17, 2018
Authored by Google Security Research, lokihardt

The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer. One is for WinGlob and the other is for ICU. The problem is that the versions for ICU don't check whether the given object has been initialized. This allows to initialize the same object multiple times which can lead to type confusion.

tags | exploit
advisories | CVE-2018-8298
MD5 | 1b3261f5867fe61b3069b230e5d96d54
Microsoft Edge Chakra JIT InlineArrayPush Type Confusion
Posted Aug 17, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from a type confusion vulnerability with InlineArrayPush.

tags | exploit
MD5 | 10eb2bef76e9e5e5df10028a6b00b0b7
Microsoft Edge Chakra DictionaryPropertyDescriptor::CopyFrom Failed Copy
Posted Aug 17, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra has an issue where DictionaryPropertyDescriptor::CopyFrom does not copy all fields.

tags | exploit
advisories | CVE-2018-8291
MD5 | 58ac89a215bdcc730aeb2f04f26ab26d
Microsoft Edge Chakra Parameter Scope Parsing Bug
Posted Aug 17, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra suffers from a parameter scope parsing bug.

tags | exploit
advisories | CVE-2018-8279
MD5 | 8b8b33096fd8de5b5ebbe8619cff7a64
Microsoft Edge Chakra JIT ImplicitCallFlags Check Bypass
Posted Aug 17, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from an ImplicitCallFlags check bypass vulnerability with Intl.

tags | exploit, bypass
advisories | CVE-2018-8288
MD5 | b06d81dae646fb997c8078d09c0343ba
macOS / iOS OfficeImporter JavaScript Injection
Posted Jul 13, 2018
Authored by Google Security Research, lokihardt

macOS and iOS suffer from a javascript injection bug in OfficeImporter.

tags | exploit, javascript
systems | cisco, ios
MD5 | 8a77e3c5cc05866fe394bdbf6a928d1b
Microsoft Edge Chakra JIT SetConcatStrMultiItemBE Type Confusion
Posted Jul 12, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from a type confusion vulnerability with hoisted SetConcatStrMultiItemBE instructions.

tags | exploit
advisories | CVE-2018-8229
MD5 | 9b384b361e8b141c4703603f10a6db28
Page 1 of 6
Back12345Next

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    2 Files
  • 18
    Feb 18th
    27 Files
  • 19
    Feb 19th
    32 Files
  • 20
    Feb 20th
    15 Files
  • 21
    Feb 21st
    17 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close