
Files

Samsung Android Skia Qmage Image Codec Heap Buffer Overflow
Posted Aug 17, 2020
Authored by Google Security Research, mjurczyk

Samsung Android suffers from a heap buffer overflow vulnerability and other issues in the Skia Qmage image codec.

tags | exploit, overflow
MD5 | 95361e7360e3cb6d869c21f91cad170e

Related Files

Samsung Android Remote Code Execution
Posted May 8, 2020
Authored by Google Security Research, mjurczyk

Samsung Android suffers from multiple interaction-less remote code execution vulnerabilities as well as other remote access issues in the Qmage image codec built into Skia.

tags | exploit, remote, vulnerability, code execution
advisories | CVE-2020-8899
MD5 | 3f9f4d5bfc619d4b462f0ef931e31a05

Android Binder Use-After-Free
Posted Oct 18, 2019
Authored by Marcin Kozlowski

These are notes on further exploitation of the Android Binder use-after-free vulnerability as noted in CVE-2019-2215 and leveraged against Kernel 3.4.x and 3.18.x on Samsung Devices using Samsung Android and LineageOS.

tags | exploit, kernel
advisories | CVE-2019-2215
MD5 | 615c42102bb321281534f993eefa6acb

Samsung Internet Browser SOP Bypass
Posted Dec 20, 2017
Authored by Tod Beardsley, Jeffrey Martin, Dhiraj Mishra

This Metasploit module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up.

tags | exploit, bypass
advisories | CVE-2017-17692
MD5 | 91bfa1cba09b3c4c4fa53ef3b84ecd59

Samsung Android JACK Privilege Escalation
Posted Jul 6, 2016
Authored by Google Security Research, Mark Brand

The usermode audio subsystem for the "Samsung Android Professional Audio" is based on JACK and appears to suffer from a privilege escalation vulnerability.

tags | advisory
systems | linux
MD5 | cb942ef82a22bd3ecbe7f271d98180f2

Samsung Android JACK ASLR Bypass
Posted Jul 6, 2016
Authored by Google Security Research, Mark Brand

The usermode audio subsystem for the "Samsung Android Professional Audio" is based on JACK, which appears to be designed for single-user usage. The common JACK configuration on Linux systems is a JACK server running under the current user account and interacting with JACK clients from that same user account, so there is minimal privilege difference between server and clients. This is not the case with the configuration on Android, where the JACK service runs as a more privileged user in a less restrictive SELinux domain than the clients that can connect to it. The JACK shared memory implementation uses the struct jack_shm_info_t defined in /common/shm.h for some bookkeeping. This struct is stored at the start of every JackShmAble object, which means that whenever the JACK server creates an object backed by shared memory, it also stores a pointer to that object (valid in the address space of the JACK server) where clients can read it, allowing a malicious client to bypass ASLR in the JACK server process.

tags | advisory
systems | linux
MD5 | 8288db414362e6a728044ca93ad526bf

Flash DefineBitsLossless / DefineBitsLossless2 Uninitialized Memory
Posted Aug 21, 2015
Authored by Google Security Research, bilou

Issues in DefineBitsLossless and DefineBitsLossless2 lead to the use of uninitialized memory while rendering a picture. This is caused by the return value of a zlib function not being properly checked.

tags | exploit
systems | linux
advisories | CVE-2015-3093
MD5 | adb57940b26b85b045d7060227d0e3a7

Flash Uninitialized Stack Variable While Parsing An MPD File Memory Corruption
Posted Aug 21, 2015
Authored by Google Security Research, external

Loading a malformed MPD file can corrupt Flash Player's memory.

tags | exploit
systems | linux
advisories | CVE-2015-3089
MD5 | d9a2e027d6f29cde2f6334afc2330080

Security Use After Free In Flash AVSS.setSubscribedTags Memory Corruption
Posted Aug 21, 2015
Authored by Google Security Research, bilou

A use-after-free in Flash AVSS.setSubscribedTags, setCuePointTags and setSubscribedTagsForBackgroundManifest can be abused to write String pointers to freed memory locations.

tags | exploit
systems | linux
advisories | CVE-2015-3088
MD5 | 01ebd6a5cfc83e6220448dc7380d4fe3

Security Flash Player Integer Overflow In Function.apply
Posted Aug 21, 2015
Authored by Google Security Research, bilou

An integer overflow while calling Function.apply can lead to entering an ActionScript function without the supplied arguments being correctly validated. Chrome version 41.0.2272.101 stable with Flash version 17.0.0.134 is affected.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-3087
MD5 | ae3b92b7b81d5321e364dc9f2475a8b3

Flash Broker-Based Sandbox Escape Via Timing Attack Against File Moving
Posted Aug 21, 2015
Authored by keen, Google Security Research

Flash suffers from a broker-based sandbox escape.

tags | exploit
systems | linux
advisories | CVE-2015-3081
MD5 | fcf0457a764c09749ab9c504f282831a

Flash Broker-Based Sandbox Escape Via Unexpected Directory Lock
Posted Aug 21, 2015
Authored by keen, Google Security Research

Flash suffers from a broker-based sandbox escape.

tags | exploit
systems | linux
advisories | CVE-2015-3083
MD5 | bbdfa3d3758f087eeeb4baf393150b1e

Flash Broker-Based Sandbox Escape Via Forward Slash Instead Of Backslash
Posted Aug 21, 2015
Authored by keen, Google Security Research

Flash suffers from a broker-based sandbox escape.

tags | exploit
systems | linux
advisories | CVE-2015-3082
MD5 | de49c0fd4c2ddc561c79bf78a634ed83

Adobe Reader CoolType Use Of Uninitialized Memory In Transient Array
Posted Aug 21, 2015
Authored by Google Security Research, mjurczyk

The "transient array" specified in the "Type 2 Charstring format" specs, but also available in Type1 fonts (originally to facilitate Multiple Master fonts), is allocated dynamically only if the CoolType interpreter encounters an instruction that requires the presence of the array, such as "get" or "store". While allocating the array, however, the routine does not clear the contents of the newly created buffer.

tags | advisory
systems | linux
advisories | CVE-2015-3049
MD5 | c5635db0998da538780ccc1b2df3b331

Flash PCRE Regex Compilation Zero-length Assertion Arbitrary Bytecode Execution
Posted Aug 21, 2015
Authored by Google Security Research, markbrand

There is an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and remote code execution.

tags | exploit, remote, arbitrary, code execution
systems | linux
advisories | CVE-2015-3042
MD5 | 263b173055757ddeee5316dc851ce253

Windows Kernel ATMFD.DLL Off-By-X OOB Reads/Writes Relative To Operand Stack
Posted Aug 21, 2015
Authored by Google Security Research, mjurczyk

The Type1/CFF CharString interpreter code in the Adobe Type Manager Font Driver (ATMFD.DLL) Windows kernel module performs almost no verification that the operand stack is large enough to contain the required instruction operands, which can lead to up to "off-by-three" overreads and overwrites on the interpreter function stack.

tags | exploit, kernel
systems | linux, windows
advisories | CVE-2015-0088
MD5 | fd84729970a1d3710fa3cae955d9bb63

Windows 7 Admin Check Bypass
Posted Aug 21, 2015
Authored by Google Security Research, forshaw

The system call NtPowerInformation checks that the caller is an administrator before performing some specific power functions. The check is done in the PopUserIsAdmin function. On Windows 7 this check is bypassable because the SeTokenIsAdmin function doesn't take the token's impersonation level into account, and neither does the rest of the code.

tags | exploit
systems | linux, windows
MD5 | 24d9b5b76d079c599d33e4de0e0a9c90

GSTOOL 4.7 Insecure Encryption
Posted Sep 11, 2013
Authored by Jan Schejbal

GSTOOL versions 3.0 through 4.7 contain an insecure encryption feature using the non-public CHIASMUS block cipher.

tags | advisory
MD5 | e7a74491e2bb61e4163e19c7f9bab188

GNU SASL 1.8.0
Posted May 29, 2012
Authored by Simon Josefsson

GNU SASL is an implementation of the Simple Authentication and Security Layer framework and a few common SASL mechanisms. SASL is used by network servers such as IMAP and SMTP to request authentication from clients, and in clients to authenticate against servers. The library includes support for the SASL framework (with authentication functions and application data privacy and integrity functions) and at least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, LOGIN, NTLM, and KERBEROS_V5 mechanisms.

Changes: This is a new major stable release. SAML20 support following RFC 6595. OPENID20 support following RFC 6616. SMTP server examples (e.g. for SCRAM, SAML20, and OPENID20). Various cleanups, portability fixes, and other bugfixes. The API and ABI are fully backwards compatible with version 1.6.x.

tags | imap, library
systems | unix
MD5 | 982fe54a20016aa46a871c084c990c36

GSM SIM Editor 5.15 Buffer Overflow
Posted Apr 18, 2012
Authored by Ruben Alejandro | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow in GSM SIM Editor 5.15. When a specially crafted .sms file is opened in GSM SIM Editor, a stack-based buffer overflow occurs which allows an attacker to execute arbitrary code.

tags | exploit, overflow, arbitrary
MD5 | b607d4a63d0250d0e1f386df5bb3cafb

Trustwave Global Security Report
Posted Feb 18, 2012
Authored by Charles Henderson | Site trustwave.com

These slides are from the Trustwave Global Security Report as presented at the OWASP AppSec USA 2011 conference.

tags | paper
MD5 | 031dbd61e5b28d76d75b184b9a5442a9

Gsonline WebNDesign SQL Injection
Posted Dec 10, 2011
Authored by tempe_mendoan

Gsonline WebNDesign suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | cbbbb8d6cd0ca974cb88190bdbe4cef2

Game Servers Client 2.00 Build 3017 Denial Of Service
Posted Sep 29, 2011
Authored by Michael Gray

Game Servers Client version 2.00 Build 3017 suffers from a denial of service vulnerability.

tags | advisory, denial of service
MD5 | 1c9002bef34833a3228ab05a4050df1c

Game Servers Client 2.00 Build 3017 Bypass
Posted Sep 29, 2011
Authored by Michael Gray

Game Servers Client version 2.00 Build 3017 uses IRC as its backend but fails to validate changes to a nickname.

tags | advisory, bypass
MD5 | fd6a8ff6ff4184618a15fba9e20a6ca3

GSPlayer 1.83a Win32 Buffer Overflow
Posted Nov 5, 2010
Authored by moigai

GSPlayer version 1.83a Win32 release buffer overflow exploit that spawns calc.exe.

tags | exploit, overflow
systems | windows
MD5 | e6030552f918949e4f5e43754d4a77f2

GSM SIM Utility Direct Local Buffer Overflow
Posted Jul 8, 2010
Authored by chap0

GSM SIM Utility Direct RET local buffer overflow exploit. Affects version 5.15.

tags | exploit, overflow, local
MD5 | 055a6049a48a76b62d4168f558b26e50
packet storm

© 2020 Packet Storm. All rights reserved.