In the Arm Mali driver's handling of CSF user I/O mappings, VMA splitting is handled incorrectly, leading to a page being given back to the kernel's page allocator while it is still mapped into userspace. On devices with recent Mali GPUs that support CSF, this is a security bug that should be very straightforward to exploit.
6ee0db58337e2459a3e0a317b84488b6c9019397c42a860c2baea1a6661f8592
Proof of concept exploit for a memory corruption vulnerability in the Arm Mali GPU kernel driver that was reported in January of 2022. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root. The exploit is tested on the Google Pixel 6 and supports patch levels from November 2021 to February 2022. It is easy to add support for other firmware by changing a few image offsets.
66eea2398301c881c76dc1359392bb4e7585bacb1998c8e4de619ba964588857
The Microsoft Windows kernel suffers from a brush object use-after-free vulnerability.
ac1c9bbd47bafbca773cb80340ef700f905cab76f26f62766346947479e35793
The Microsoft Windows kernel suffers from a NULL pointer dereference with window station and clipboard.
9f32e011ab66422b9eb1d0b4cb638eddddc956ca54dbeb3f19ad2f6d022e0f60
The Microsoft Windows kernel suffers from a use-after-free vulnerability in WindowStation.
aa3efde61185dc1eb0cb8968c6c591a89fd27959b2d48dd4fabbf0770e09ec6e
Pdfium suffers from a heap-based out-of-bounds read vulnerability in Opj_dwt_decode_1 (libopenjpeg).
d20c039518c40f0e159c48830e1d0f707213086eb513383b2e55a5136f0ce263
Pdfium suffers from an unmapped memory read (SIGSEGV) crash in CPDF_SampledFunc:v_Call.
bcea2e10f4a34c9f72f86396283659a515a7b1802c1e85445c9e56df7078cd48
The Microsoft Windows kernel may suffer from a NULL pointer dereference vulnerability.
d1f43b6047662ac0572f8e52b2d49d1b8975a8e50330286cb80ba2d1809962ef
The Microsoft Windows kernel suffers from a use-after-free vulnerability in bitmap handling.
42a9706efcbff35685e37dd9c3a82c7ad193672a2463d2614d211e7e27a8f41c
The Microsoft Windows kernel suffers from a use-after-free vulnerability in the bitmap handling code.
f6216ef039b9fe229af00a9dbb5b21966f586b28c32b15cad36ba45f7e468271
The Task Scheduler can be made to delete a task after it's trigger has expired. No check is made to ensure the task file is not a junction which allows arbitrary files to be deleted by the system user leading to EoP.
c30785bf661d0d66daa78abe61a94c360587d6e66ae875cfc5a81dc4ec54b02e
The NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.
9bcf7274e363f1dc579d9ed68048a01019d56cc2f841f1a4a04c182389196296
A bounds check crash was observed in Microsoft Office 2007 Excel with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.
05a60e7019067851141f1787a5bbda75454773b40b9acf97e8b754f2fad758fd
Microsoft Excel 2007 running on Windows 2003 suffers from a use-after-free vulnerability.
460bd27af88f7165a795d698b85d2e4cd8c83732200f70dc5c84e7b8e4818f79
The host process for the UMFD runs as a normal user but with a heavily restrictive process DACL. It's possible execute arbitrary code within the context of the process because it's possible to access the processes threads leading to local EoP.
f0ec77ee8811de8feb9edad30b69fae9734672773f9e5a37d08fdba2317cebd5
A use-after-free crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.
3b2e620089c3777eb2d36942713f33cf68f9865e894dbaee83bdbdb3af57385c
A type confusion crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.
247823ed9395d266e8674965a149848a04a5b7380aa2bf3723839d71d6ca65a6
The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.
6a43091589e97afa78001dc6e8f0c4e88aed1de975f8578e7b0706c3c45901f3
The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.
6aef4dd16b7085d61fe94cd118f3ece652f9cd33df0722b63a4bf31f53557554
An OS X IOKit kernel memory corruption issue occurs due to a bad bzero in IOBluetoothDevice.
f3d2f3b8051f90b86f0cfd263f09f98a7e0e04c1e1fcff20c13e3ca8f318052c
Adobe Reader X and XI for windows suffers from an out-of-bounds write in CoolType.dll.
94d511f0b5c52532ba8c4998f0ae71bb9ef6d1788cd193c33ea257be138b259f
The Windows Kernel is subject to two related kernel-mode type-confusion vulnerabilities inside win32k!xxxRemoteReconnect. In both cases, a user-mode parameter passed to the syscall is incorrectly resolved to its underlying kernel representation via ObReferenceObjectByHandle passing NULL as the "ObType" field (rather than *IoFileTypeObject and *IoDeviceTypeObject respectively). Because the type is not checked, if a handle of a type other than a HANDLE to a file and a device are passed, the kernel incorrectly uses the underlying representation of the object as a PFILE_OBJECT and a PDEVICE_OBJECT, causing memory corruption in the kernel.
1fc87129199a0c6cd9e6a9fa146cc6e891c7331266896538d14fc884c57013ba
The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time. By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first and passing a custom object as the directory name we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD priviledges are per-process this means that our other proxy object will now have euid 0 without having to provide an authorization reference. In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function which will then drop privs.
1fd4f2bf985f7460d71d17680841dc5c059fe7c05b9a7ac1a776291868ff74e3
The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root and exploitable.
a34aa2485110ffeff9b63cf7063d71e3ac6548549f001e7517073b7f1ffaa5ca
Install.framework has a suid root binary at /System/Library/PrivateFrameworks/Install.framework/Resources/runner that allows for arbitrary mkdir, unlink, and chown.
4b9ea14e8540ddbdec18fe305074224119369e420b4ed663a1f2bac393fa7f15
The Windows Kernel is subject to a kernel-mode type-confusion vulnerability inside win32k!NtUserSetInformationThread due to referencing a user-mode handle via ObReferenceObjectByHandle with a "NULL" type specified (it should instead be using *LpcPortObjectType to protect against this vulnerability). This vulnerability can be triggered from inside CSRSS via the syscall win32k!NtUserSetInformationThread with ThreadInformationClass set to "UserThreadCsrApiPort" and the parameter of the syscall set to a HANDLE that is not an LPC object.
f08ca467d2241babc70e51da65057abb65b9ecf85249b35405cfc513910c45d6