2035 matches found
Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free
Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=830 When you create a new IOKit user client from userspace you call: kernreturnt IOServiceOpen ioservicet service, taskportt owningTask, uint32t type, ioconnectt connect ;...
Apple OS XiOS - mach_ports_register Multiple Memory Safety s
Apple OS XiOS - machportsregister Multiple Memory Safety s Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=882 machportsregister is a kernel task port MIG method. It's defined in MIG like this: routine machportsregister targettask : taskt; initportset : machportarrayt = ^array o...
IE browser exploits technology evolution(II)-vulnerability warning-the black bar safety net
Foreword In a previous article, we talked about some of the early ie related exploits, from the most basic, the most simple stack overflow vulnerability of the use of speaking, to the relatively more complex UAF exploits. Through these exploits evolution, as if we can see the human society from t...
UAF vulnerability description-vulnerability warning-the black bar safety net
UAF Use After Freevulnerability is a memory corruption vulnerability,usually present in the browser. Recently,the browser's new version Added a series of controls,which also makes use of these vulnerabilities becomes more difficult. Nevertheless,they still seem to exist. This article mainly will ...
Adobe Flash - JXR Processing Double-Free
Adobe Flash - JXR Processing Double-Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=788 There is a heap overflow when loading the attacked JXR file in Adobe Flash. To reproduce, load the attached file using LoadImage.swf?img=12.atf. This issue can be a bit difficult to...
Adobe Flash - JXR Processing Double-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=788 There is a heap overflow when loading the attacked JXR file in Adobe Flash. To reproduce, load the attached file using LoadImage.swf?img=12.atf. This issue can be a bit difficult to reproduce, as the crash occurs when the playe...
Apple Mac OSX iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient
Apple Mac OSX iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=732 This is perhaps a more interesting UaF than just racing testNetBootMethod calls as there looks to be a...
Apple Mac OSX / iOS - Kernel UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOH
Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=732 This is perhaps a more interesting UaF than just racing testNetBootMethod calls as there looks to be a path to getting free'd memory disclosed back to userspace. Although the...
Apple Mac OSX / iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=732 This is perhaps a more interesting UaF than just racing testNetBootMethod calls as there looks to be a path to getting free'd memory disclosed back to userspace. Although the copyProperty macro used by...
Linux内核 Keyrings 引用计数溢出 UAF 漏洞
漏洞分析 Linux Kernel的这个漏洞会造成两个影响,第一个是造成信息泄露,可以bypass ASLR,另一个是UAF造成代码执行,利用的是KeyRing机制中的两个漏洞,一个是对Keyring操作控制不严谨,另一个是利用对Keyring计数变量控制不严谨,其中代码执行利用条件相对苛刻,下面对此漏洞进行详细分析。 Keyring信息泄露: Keyring和安全密钥有关,进程可以申请自己新的keyring,同时也可以通过申请新的keyring替换老的keyring,其中,调用到joinsessionkeyring函数。 long joinsessionkeyringconst cha...
Internet Bug Bounty: Adobe Flash Player Regular Expression UAF Remote Code Execution Vulnerability
I. Summary There's a UAF Vulnerability in the PCRE engine version used in Flash that could lead to Remote Code Execution. II. Affected Adobe Flash Player 11.5.502.135 20.0.0.286 III. Reference Identified as CVE-2016-4121, and reported to Adobe directly...
Windows kernel Vulnerability CVE-2 0 1 6-0 1 4 3 analysis-vulnerability warning-the black bar safety net
4 on 2 0 March, Nils Sommer in the exploitdb on broke a new Windows kernel vulnerability PoC. The vulnerability affects all versions of Windows operating system, the attacker after the success of available privilege escalation, Microsoft in 4, on patch day fixes the vulnerability. 0×0 1...
Foxit Reader 7.3.0 UAF 漏洞
No description provided by source...
Microsoft Internet Explorer: UAF in MSHTML!CSVGHelpers::SetAttributeStringAndPointer
No description provided by source...
Microsoft Internet Explorer CButton 对象 UAF漏洞 任意代码执行漏洞
No description provided by source...
Adobe Flash - Uninitialized Stack Parameter Access in AsBroadcaster.broadcastMessage UaF Fix
Adobe Flash - Uninitialized Stack Parameter Access in AsBroadcaster.broadcastMessage UaF Fix Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=717 The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin...
Adobe Flash - Uninitialized Stack Parameter Access in Object.unwatch UaF Fix
Adobe Flash - Uninitialized Stack Parameter Access in Object.unwatch UaF Fix Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=716 The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin...
Adobe Flash - Uninitialized Stack Parameter Access in MovieClip.swapDepths UaF Fix
Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=715 The ActionScript parameter conversion in the fix for issue 403 https://code.google.com/p/google-security-research/issues/detail?id=403 can sometimes access a parameter on the...
Adobe Flash - Uninitialized Stack Parameter Access in MovieClip.swapDepths UaF Fix
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=715 The ActionScript parameter conversion in the fix for issue 403 https://code.google.com/p/google-security-research/issues/detail?id=403 can sometimes access a parameter on the native stack that is uninitialized. If: mc.swapDepth...
Adobe Flash - Uninitialized Stack Parameter Access in Object.unwatch UaF Fix
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=716 The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin https://helpx.adobe.com/security/products/flash-player/apsb15-32.html, most likely one of the UaFs reported by Yuki Chen can sometimes...