2027 matches found
Privilege escalation
The Madapt Driver of some Huawei smart phones with software Earlier than Vicky-AL00AC00B172 versions,Vicky-AL00CC768B122,Vicky-TL00AC01B167,Earlier than Victoria-AL00AC00B172 versions,Victoria-TL00AC00B123,Victoria-TL00AC01B167 has a use after free UAF vulnerability. An attacker can trick a user ...
CVE-2017-8142
CVE-2017-8142 affects Huawei Mate 9 and Mate 9 Pro devices, where the TEE module driver is vulnerable to a Use-After-Free (UAF). The issue occurs on software versions earlier than MHA-AL00BC00B221 and LON-AL00BC00B221. An attacker can entice a user to install a malicious app that spawns multiple ...
CVE-2017-8142
The Trusted Execution Environment TEE module driver of Mate 9 and Mate 9 Pro smart phones with software versions earlier than MHA-AL00BC00B221 and versions earlier than LON-AL00BC00B221 has a use after free UAF vulnerability. An attacker tricks a user into installing a malicious application, and...
CVE-2017-8203
The Bastet Driver of Nova 2 Plus,Nova 2 Huawei smart phones with software of Versions earlier than BAC-AL00C00B173,Versions earlier than PIC-AL00C00B173 has a use after free UAF vulnerability. An attacker can convince a user to install a malicious application which has a high privilege to exploit...
CVE-2017-8160
The CVE-2017-8160 entry concerns Huawei devices with the Madapt driver. The vulnerability is described as a use-after-free (UAF) in the Madapt driver on specific Huawei smartphone models (pre-versions of several Vicky/Victoria builds). Impact stated: arbitrary code execution if a user is tricked ...
CVE-2017-8203
CVE-2017-8203 concerns a Use-After-Free in the Bastet driver on Huawei Nova 2 and Nova 2 Plus devices. Affected software versions are those earlier than BAC-AL00C00B173 and PIC-AL00C00B173. The vulnerability allows an attacker—via tricking a user into installing a malicious app with high privileg...
Security Advisory - Use After Free Vulnerability in Bastet Driver of Some Huawei Smart Phones
The Bastet Driver of some Huawei smart phones has a use after free UAF vulnerability. An attacker can convince a user to install a malicious application which has a high privilege to exploit this vulnerability, Successful exploitation may cause arbitrary code execution. Vulnerability ID:...
Internet Bug Bounty: CVE-2017-12858: Heap UAF in _zip_buffer_free() / Double free in _zip_dirent_read()
libzip is a C library for reading, creating, and modifying zip archives. A partial list of projects using libzip include: Plex Home Theater, MySQL Workbench, ckmame, fuse-zip, lua-zip, php zip extension, zipruby, Endeavour2, FreeDink, DeaDBeeF vfszip plugin, OpenLierox, ebook-tools, PDF Expert,...
Analysis Firefox the shared array buffer of the UAF exploit-vulnerability warning-the black bar safety net
This article explores the structured cloning algorithm to handle the shared array buffer occurs when a reference leakage problems. While the lack of overflow checking, can be exploited to execute arbitrary code. Is divided into the following sections: Background, vulnerability, summary We exploit...
Security Advisory - Use After Free Vulnerability in TEE Module of Some Huawei Smart Phones
The Trusted Execution Environment TEE module driver of some Huawei smart phones has a use after free UAF vulnerability. An attacker tricks a user into installing a malicious application, and the application can start multiple threads and try to create and free specific memory, which could trigger...
WebKit: Element::setAttributeNodeNS UAF
WebKit: Element::setAttributeNodeNS UAF Here's a snippet of Element::setAttributeNodeNS. ExceptionOr Element::setAttributeNodeNSAttr& attrNode ... setAttributeInternalindex, attrNode.qualifiedName, attrNode.value, NotInSynchronizationOfLazyAttribute; attrNode.attachToElementthis;...
Microsoft MsMpEng - Use-After-Free via Saved Callers
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259 In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState objectrcx+158h in 64-bit. But the garbage collector doesn't mark this saved value. So it results in a UAF. Unlike in our test environmentLinux, it...
Microsoft MsMpEng - Use-After-Free via Saved Callers
Microsoft MsMpEng - Use-After-Free via Saved Callers Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259 In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState objectrcx+158h in 64-bit. But the garbage collector doesn't mark this saved value. So it...
Apple iOS / MacOS Domain Socket Kernel Use-After-Free(CVE-2017-2501)
iOS/MacOS kernel uaf due to bad locking in unix domain socket file descriptor externalization unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver and recreating a file which...
WebKit: UXSS via Editor::Command::execute(CVE-2017-2504)
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS UXSS attacks via a crafted web site that improperly...
WebKit Editor::Command::execute Universal Cross Site Scripting
WebKit: UXSS via Editor::Command::execute CVE-2017-2504 Here's a snippet of Editor::Command::execute used to handle |document.execCommand|. bool Editor::Command::executeconst String& parameter, Event triggeringEvent const if !isEnabledtriggeringEvent // Let certain commands be executed when...
Apple WebKit Safari 10.0.3(12602.4.8) - Editor::Command::execute Universal Cross-Site Scripting
Apple WebKit Safari 10.0.312602.4.8 - Editor::Command::execute Universal Cross-Site Scripting document-updateLayoutIgnorePendingStylesheets; return mcommand-executemframe, triggeringEvent, msource, parameter; This method is invoked under an |EventQueueScope|. But...
Apple iOS / macOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor E
Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message. That means allocating new fd table entries in the receiver...
MS16-145: Edge browser the TypedArray. sort UAF vulnerability analysis-vulnerability warning-the black bar safety net
In this article, we will provide the reader detailed analysis of how to use the MS Edge browser in the UAF vulnerability to remote code execution. This article will provide readers in-depth analysis of the impact of MS Edge CVE-2016-7288 UAF vulnerability root causes, and how to reliably trigger...
XNU kernel UaF due to lack of locking in set_dp_control_port (CVE-2016-7644)
setdpcontrolport is a MIG method on the hostprivport so this bug is a root-kernel escalation. kernreturnt setdpcontrolport hostprivt hostpriv, ipcportt controlport if hostpriv == HOSTPRIVNULL return KERNINVALIDHOST; if IPVALIDdynamicpagercontrolport ipcportreleasesenddynamicpagercontrolport;...