Google Android - RKP EL1 Code Loading Bypass Exploit

Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=981 As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP Real-time Kernel Protection, running in EL2. This hypervisor is meant to ensure that the HLOS...

Google Android - cfp_ropp_new_key_reenc cfp_ropp_new_key RKP Memory Corruption

Google Android - cfproppnewkeyreenc cfproppnewkey RKP Memory Corruption Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=979 As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP Real-time Kernel Protection, running in EL2. This hypervisor is meant to...

Google Android - RKP Information Disclosure via s2-remapping Physical Ranges Exploit

Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=982 As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP Real-time Kernel Protection, running in EL2. This hypervisor is meant to ensure that the HLOS...

Google Android - RKP Information Disclosure via s2-remapping Physical Ranges

Google Android - RKP Information Disclosure via s2-remapping Physical Ranges Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=982 As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP Real-time Kernel Protection, running in EL2. This hypervisor is meant...

Google Android - Unprotected MSRs in EL1 RKP Privilege Escalation

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=980 As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP Real-time Kernel Protection, running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploit...

Google Android - 'cfp_ropp_new_key_reenc' / 'cfp_ropp_new_key' RKP Memory Corruption

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=979 As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP Real-time Kernel Protection, running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploit...

Null pointer dereference

VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions aka SVM allows local HVM guest OS users to cause a denial of service hypervisor crash by leveraging a missing NULL pointer check...

DEBIAN-CVE-2016-9932

CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix...

ALPINE-CVE-2016-10013

Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to gain privileges by leveraging mishandling of SYSCALL singlestep during emulation...

DEBIAN-CVE-2016-10025

VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions aka SVM allows local HVM guest OS users to cause a denial of service hypervisor crash by leveraging a missing NULL pointer check...

CVE-2016-10025

VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions aka SVM allows local HVM guest OS users to cause a denial of service hypervisor crash by leveraging a missing NULL pointer check...

UBUNTU-CVE-2016-10025

VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions aka SVM allows local HVM guest OS users to cause a denial of service hypervisor crash by leveraging a missing NULL pointer check...

CVE-2016-10024

Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service host hang or crash by modifying the instruction stream asynchronously while performing certain kernel operations...

ALPINE-CVE-2016-10025

VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions aka SVM allows local HVM guest OS users to cause a denial of service hypervisor crash by leveraging a missing NULL pointer check...

CVE-2016-10025

CVE-2016-10025 affects the Xen hypervisor when running on x86 with AMD SVM (VMFUNC emulation) and allows local HVM guests to crash the hypervisor due to a missing NULL pointer check in hvmemul_vmfunc(). Public references in the connected data show Xen versions 4.6.x–4.8.x as vulnerable and descri...

CVE-2016-10025

VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions aka SVM allows local HVM guest OS users to cause a denial of service hypervisor crash by leveraging a missing NULL pointer check...

DEBIAN-CVE-2016-9382

Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM guest OS users to gain privileges or cause a denial of service guest OS crash by leveraging a guest operating system that uses hardware task switching and allows a new task to start in VM86 mode...

DEBIAN-CVE-2016-9383

Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensitive information, cause a denial of service host crash, or execute arbitrary code on the host by leveraging broken emulation of bit test instructions...

ALPINE-CVE-2016-9381

Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability...

DEBIAN-CVE-2016-9380

The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via NUL bytes in the bootloader configuration file...