what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 100 RSS Feed

Files

Shannon Baseband SIP URI Decoder Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband in the SIP URI decoder. According to the debug strings present in the firmware image, this decoder corresponds to IMSPL_SipUri.c.

tags | exploit, overflow
advisories | CVE-2023-29091
SHA-256 | cef6065d95093542cb22a1a75544960827efff742ba806ef8e0db27ff1a75588

Related Files

Shannon Baseband SIP Min-SE Header Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the Min-SE header in the SIP protocol decoder (IMSPL_SipMinSE.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29086
SHA-256 | e0cd48f57c8b65b8d3f033aad592c288cb156a5fc17e43743d268337dab80c20
Shannon Baseband SIP Session-Expires Header Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the Session-Expires header in the SIP protocol decoder (IMSPL_SipDecode.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29088
SHA-256 | e11bd9abdf4b3c1c338a567873ee29ab281b3106b929fa8c9cb91119afcbc1f7
Shannon Baseband SIP Status Line Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the status line of a SIP message (this happens in IMSPL_SipStatusLine.c according to the debug strings in the firmware image).

tags | exploit, overflow
advisories | CVE-2023-29085
SHA-256 | 775cec97675cbb8c305fcd017b6eeee470cd0ac86f5bca8f85e29ef9c9c3e283
Shannon Baseband Via Header Decoder Stack Buffer Overflow
Posted May 11, 2023
Authored by Ivan Fratric, Google Security Research

There is a stack buffer overflow in Shannon Baseband when processing the Via header in the SIP protocol decoder (IMSPL_SipDecode.c according to the debug strings in the firmware image).

tags | exploit, overflow, protocol
advisories | CVE-2023-29090
SHA-256 | 0afa5f6ef5d703a73b0521ecca5d80bc302663f045296001e5c9f592b245d7f9
usrsctp Stack Buffer Overflow
Posted Jul 20, 2020
Authored by Google Security Research, natashenka

There is a stack buffer overflow in usrsctp when a server processes a skipped auth block from an incoming connection. Proof of concept exploit included.

tags | exploit, overflow, proof of concept
advisories | CVE-2020-6831
SHA-256 | b4818f86982c067d7cd9afcbfcee314e412f968d7d9b859927f8e3573839fad7
Asterisk Project Security Advisory - AST-2018-009
Posted Sep 20, 2018
Authored by Richard Mudgett | Site asterisk.org

Asterisk Project Security Advisory - There is a stack overflow vulnerability in the res_http_websocket.so module of Asterisk that allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. The attacker's request causes Asterisk to run out of stack space and crash.

tags | advisory, web, overflow
advisories | CVE-2018-17281
SHA-256 | 999593047c91cf17e94b5126542d0b61c193e900ccb49dfceb842eb260de225f
Linux ecryptfs Stack Overflow
Posted Jun 20, 2016
Authored by Jann Horn, Google Security Research

There is a stack overflow in Linux via ecryptfs and /proc/$pid/environ.

tags | exploit, overflow
systems | linux
advisories | CVE-2016-1583
SHA-256 | a2027cead72d77f935e2469af1185bf388665e08efd098affb8819e227a002a7
Samsung M2m1shot Kernel Driver Buffer Overflow
Posted Oct 28, 2015
Authored by Google Security Research, hawkes

The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server. The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-7892
SHA-256 | b0c5900d4ce52a323271b9224cc5fd02fc37af255afea06a937e89a8d81fdecd
Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Task Scheduler can be made to delete a task after it's trigger has expired. No check is made to ensure the task file is not a junction which allows arbitrary files to be deleted by the system user leading to EoP.

tags | exploit, arbitrary
systems | linux
advisories | CVE-2015-2525
SHA-256 | c30785bf661d0d66daa78abe61a94c360587d6e66ae875cfc5a81dc4ec54b02e
Windows NtUserGetClipboardAccessToken Token Leak Redux
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.

tags | exploit
systems | linux
advisories | CVE-2015-2527
SHA-256 | 9bcf7274e363f1dc579d9ed68048a01019d56cc2f841f1a4a04c182389196296
Windows CreateObjectTask TileUserBroker Privlege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.

tags | exploit, shell, local
systems | linux, windows
advisories | CVE-2015-2528
SHA-256 | 6a43091589e97afa78001dc6e8f0c4e88aed1de975f8578e7b0706c3c45901f3
Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation
Posted Sep 18, 2015
Authored by Google Security Research, forshaw

The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.

tags | exploit, shell, local
systems | linux, windows
advisories | CVE-2015-2524
SHA-256 | 6aef4dd16b7085d61fe94cd118f3ece652f9cd33df0722b63a4bf31f53557554
OS X IOKit Kernel Memory Corruption
Posted Sep 18, 2015
Authored by Google Security Research, Ian Beer

An OS X IOKit kernel memory corruption issue occurs due to a bad bzero in IOBluetoothDevice.

tags | exploit, kernel
systems | linux, apple, osx
advisories | CVE-2014-8836
SHA-256 | f3d2f3b8051f90b86f0cfd263f09f98a7e0e04c1e1fcff20c13e3ca8f318052c
Adobe Reader X And XI For Windows Out-of-bounds Write In CoolType.dll
Posted Sep 18, 2015
Authored by Google Security Research, mjurczyk

Adobe Reader X and XI for windows suffers from an out-of-bounds write in CoolType.dll.

tags | exploit
systems | linux, windows
advisories | CVE-2014-9160
SHA-256 | 94d511f0b5c52532ba8c4998f0ae71bb9ef6d1788cd193c33ea257be138b259f
Windows Type-Confusion / Memory Corruption
Posted Sep 14, 2015
Authored by Google Security Research, matttait

The Windows Kernel is subject to two related kernel-mode type-confusion vulnerabilities inside win32k!xxxRemoteReconnect. In both cases, a user-mode parameter passed to the syscall is incorrectly resolved to its underlying kernel representation via ObReferenceObjectByHandle passing NULL as the "ObType" field (rather than *IoFileTypeObject and *IoDeviceTypeObject respectively). Because the type is not checked, if a handle of a type other than a HANDLE to a file and a device are passed, the kernel incorrectly uses the underlying representation of the object as a PFILE_OBJECT and a PDEVICE_OBJECT, causing memory corruption in the kernel.

tags | advisory, kernel, vulnerability
systems | linux, windows
SHA-256 | 1fc87129199a0c6cd9e6a9fa146cc6e891c7331266896538d14fc884c57013ba
OS X Suid Privilege Escalation
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time. By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first and passing a custom object as the directory name we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD priviledges are per-process this means that our other proxy object will now have euid 0 without having to provide an authorization reference. In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function which will then drop privs.

tags | exploit, shell, root
systems | linux, bsd
advisories | CVE-2015-5754
SHA-256 | 1fd4f2bf985f7460d71d17680841dc5c059fe7c05b9a7ac1a776291868ff74e3
OS X Privilege Escalation
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root and exploitable.

tags | exploit, root
systems | linux
advisories | CVE-2015-3704
SHA-256 | a34aa2485110ffeff9b63cf7063d71e3ac6548549f001e7517073b7f1ffaa5ca
OS X Install.framework Suid Root Binary
Posted Sep 14, 2015
Authored by Google Security Research, Ian Beer

Install.framework has a suid root binary at /System/Library/PrivateFrameworks/Install.framework/Resources/runner that allows for arbitrary mkdir, unlink, and chown.

tags | exploit, arbitrary, root
systems | linux
advisories | CVE-2015-5784
SHA-256 | 4b9ea14e8540ddbdec18fe305074224119369e420b4ed663a1f2bac393fa7f15
Windows win32k!NtUserSetInformationThread Type Confusion
Posted Sep 9, 2015
Authored by Google Security Research, matttait

The Windows Kernel is subject to a kernel-mode type-confusion vulnerability inside win32k!NtUserSetInformationThread due to referencing a user-mode handle via ObReferenceObjectByHandle with a "NULL" type specified (it should instead be using *LpcPortObjectType to protect against this vulnerability). This vulnerability can be triggered from inside CSRSS via the syscall win32k!NtUserSetInformationThread with ThreadInformationClass set to "UserThreadCsrApiPort" and the parameter of the syscall set to a HANDLE that is not an LPC object.

tags | advisory, kernel
systems | linux, windows
SHA-256 | f08ca467d2241babc70e51da65057abb65b9ecf85249b35405cfc513910c45d6
QEMU Programmable Interrupt Timer Controller Heap Overflow
Posted Aug 28, 2015
Authored by Google Security Research, matttait

The programmable interrupt timer (PIT) controller in QEMU does not correctly validate the channel number when performing IO writes to the device controller, allowing both an information disclosure and a heap overflow within the context of the host.

tags | exploit, overflow, info disclosure
systems | linux
SHA-256 | 13f86bfcab19e0b4b4a2b31f5267866e4f2e1bf60fa810d064d79e7a787b0c07
Microsoft Office 2007 RTF XML SmartTags Use-After-Free
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a RTF XML SmartTags use-after-free vulnerability.

tags | advisory
systems | linux
advisories | CVE-2015-1651
SHA-256 | 9112fd06f8a9594124ac555685a4c390b42d8b36cbf029a9deca63894f80b49e
Microsoft Office 2007 OneTableDocumentStream Invalid Object
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a OneTableDocumentStream invalid object vulnerability.

tags | exploit
systems | linux
advisories | CVE-2015-0065
SHA-256 | 71aae25eeff40a890630b5def4b9a4c33395e8cd48b05b1af664a30be591e023
Microsoft Office 2007 Malformed Document Stack-Based Buffer Overflow
Posted Aug 25, 2015
Authored by Google Security Research, hawkes

Microsoft Office 2007 suffers from a stack-based buffer overflow vulnerability when handling a malformed document.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-0064
SHA-256 | fc3f3a43acba1f2993d16df8be2f8af7217caf24ea88bc37b3ab71571b41e296
Security Flash Heap Use-After-Free In SurfaceFilterList::C​reateFromScriptAtom
Posted Aug 21, 2015
Authored by Google Security Research, bilou

Flash suffers from a use-after-free vulnerability in SurfaceFilterList::CreateFromScriptAtom.

tags | exploit
systems | linux
advisories | CVE-2015-5563
SHA-256 | f25272c8a1f372c28e643e729835debc9a97b7068e8da8e97a5a220acf1e5a89
Flash Bypass Of Length Vs. Cookie Validation
Posted Aug 21, 2015
Authored by Chris Evans, Google Security Research

Flash version 18.0.0.209 contains new mitigations to defend against corruptions of Vector.<uint> (and other) lengths. One of these mitigations, at Vector access time, compares the Vector's in-memory length with a representation of the same length XOR'ed with a secret cookie. The bypass comes about because the secret cookie value is stored inside a structure, and a pointer to that structure is stored alongside the Vector length.

tags | exploit
systems | linux
advisories | CVE-2015-5125
SHA-256 | fcdf12cd364c0ea733d2eac6b27e7d2f9f878fe5206bb8c75cbfc449ce599745
Page 1 of 4
Back1234Next

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close