Lucene search
+L

99 matches found

0day.today
0day.today
added 2016/06/10 12:0 a.m.49 views

Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeF

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=784 The method nvCommandQueue::GetHandleIndex doesn't check whether this+0x5b8 is non-null before using it. We can race a call to this method this with another thread calling...

9.3CVSS8.2AI score0.04839EPSS
Exploits1
exploitpack
exploitpack
added 2016/06/10 12:0 a.m.14 views

Apple Mac OSX Kernel - Null Pointer Dereference in AppleMuxControl.kext

Apple Mac OSX Kernel - Null Pointer Dereference in AppleMuxControl.kext / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=783 The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway : We...

0.8AI score
Exploits0
exploitpack
exploitpack
added 2016/06/10 12:0 a.m.16 views

Apple Mac OSX iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient

Apple Mac OSX iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=732 This is perhaps a more interesting UaF than just racing testNetBootMethod calls as there looks to be a...

1.2AI score
Exploits0
0day.today
0day.today
added 2016/06/10 12:0 a.m.52 views

Apple Mac OSX - Kernel Use-After-Free Due to Bad Locking in IOAcceleratorFamily2

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=772 In IOAccelContext2::clientMemoryForType the lockbusy/unlockbusy should be extended to cover all the code setting up shared memory type 2. At the moment the lock doesn't protect...

9.3CVSS8.2AI score0.04789EPSS
Exploits2
0day.today
0day.today
added 2016/06/10 12:0 a.m.37 views

Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in AppleGraphicsDeviceControl

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=782 AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService at this+0xd8 is non-null before using it in all external methods. We can set this pointer to NU...

9.3CVSS8.6AI score0.04661EPSS
Exploits2
0day.today
0day.today
added 2016/06/10 12:0 a.m.31 views

Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in AppleMuxControl.kext

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=783 The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway : We can race external metho...

9.3CVSS8.6AI score0.04661EPSS
Exploits2
Exploit DB
Exploit DB
added 2016/06/10 12:0 a.m.45 views

Apple Mac OSX Kernel - Null Pointer Dereference in IOAudioEngine

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=776 IOAudioEngineUserClient::closeClient sets the audioEngine member pointer to NULL IOReturn IOAudioEngineUserClient::closeClient audioDebugIOLog3, "+ IOAudioEngineUserClient%p::closeClient\n", this; if audioEngine && !isInactiv...

7.4AI score
Exploits0
Exploit DB
Exploit DB
added 2016/06/10 12:0 a.m.44 views

Apple Mac OSX / iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=732 This is perhaps a more interesting UaF than just racing testNetBootMethod calls as there looks to be a path to getting free'd memory disclosed back to userspace. Although the copyProperty macro used by...

7.4AI score
Exploits0
Exploit DB
Exploit DB
added 2016/06/10 12:0 a.m.26 views

Apple Mac OSX Kernel - Null Pointer Dereference in AppleGraphicsDeviceControl

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=782 AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService at this+0xd8 is non-null before using it in all external methods. We can set this pointer to NULL by racing two threads, one of which calls...

7.4AI score
Exploits0
0day.today
0day.today
added 2016/03/23 12:0 a.m.81 views

Apple Mac OSX - Kernel AppleKeyStore Use-After-Free

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=710 The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods, however by racing two threads, one of which closes the userclient which frees...

9.3CVSS8.7AI score0.05136EPSS
Exploits1
exploitpack
exploitpack
added 2016/03/23 12:0 a.m.17 views

Apple Mac OSX Kernel - Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort

Apple Mac OSX Kernel - Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=728 External Method 36 of IOUSBInterfaceUserClient is AbortStreamPipe. It takes two scalar inputs and uses the second one as an array ind...

0.5AI score
Exploits0
Exploit DB
Exploit DB
added 2016/03/23 12:0 a.m.38 views

Apple Mac OSX Kernel - Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=728 External Method 36 of IOUSBInterfaceUserClient is AbortStreamPipe. It takes two scalar inputs and uses the second one as an array index to read a pointer to a C++ object without checking the bounds then calls a virtual method...

7.4AI score
Exploits0
Exploit DB
Exploit DB
added 2016/03/23 12:0 a.m.77 views

Apple Mac OSX Kernel - AppleKeyStore Use-After-Free

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=710 The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods, however by racing two threads, one of which closes the userclient which frees the IOCommandGate and one of which tries to make ...

7.4AI score
Exploits0
0day.today
0day.today
added 2016/01/28 12:0 a.m.96 views

Apple Mac OSX / iOS - NECP System Control Socket Packet Parsing Kernel Code Execution Integer Overfl

Exploit for multiple platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=543 NKE control sockets are documented here: https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/control/control.html By default ther...

7.2CVSS8.3AI score0.00731EPSS
Exploits1
0day.today
0day.today
added 2016/01/28 12:0 a.m.37 views

Apple Mac OSX - Kernel Hypervisor Driver Use-After-Free

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=580 The hvspace lock group gets an extra ref dropped when you kill a process with an AppleHV userclient; one via IOService::terminateWorker calling the AppleHVClient::fre...

7.2CVSS9.1AI score0.01057EPSS
Exploits1
0day.today
0day.today
added 2016/01/28 12:0 a.m.38 views

Apple Mac OSX - Kernel IOAccelDisplayPipeUserClient2 Use-After-Free

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=565 Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications repro: while true; do ./iospoofig4; done Likely to crash in various ways; hav...

7.2CVSS8.2AI score0.00996EPSS
Exploits5
0day.today
0day.today
added 2016/01/28 12:0 a.m.57 views

Apple Mac OSX - Kernel IOAccelMemoryInfoUserClient Use-After-Free

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=566 Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications repro: while true; do ./iospoofig7; done Tested on ElCapitan 10.11 15a284 on...

7.2CVSS8.6AI score0.00996EPSS
Exploits5
exploitpack
exploitpack
added 2016/01/28 12:0 a.m.11 views

Apple Mac OSX Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free

Apple Mac OSX Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=565 Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications repro: while true; do ./iospoofig4; done Likely to crash i...

Exploits0
0day.today
0day.today
added 2016/01/28 12:0 a.m.75 views

Apple Mac OSX - OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient Exploitable NULL Der

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=512 IOUserClient::connectClient is an obscure IOKit method which according to the docs is supposed to "Inform a connection of a second connection." In fact IOKit provides...

6.8CVSS9.1AI score0.067EPSS
Exploits1
0day.today
0day.today
added 2016/01/28 12:0 a.m.55 views

Apple Mac OSX - io_service_close Use-After-Free

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=597 It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel...

7.2CVSS8AI score0.01044EPSS
Exploits2
Rows per page
Query Builder