Linux Kernel 5.4 - (BleedingTooth) Bluetooth Zero-Click Remote Code Execution Exploit
Exploit Title: Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution Exploit Author: Google Security Research (Andy Nguyen) Tested on: 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux CVE : CVE-2020-12351, CVE-2020-12352 / BleedingTooth...
Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution
Exploit Title: Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution Date: 06/04/2020 Exploit Author: Google Security Research (Andy Nguyen) Tested on: 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux CVE : CVE-2020-12351, CVE-2020-1235...
Adobe Flash - Uninitialized Stack Parameter Access in MovieClip.swapDepths UaF Fix
Adobe Flash - Uninitialized Stack Parameter Access in MovieClip.swapDepths UaF Fix Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=715 The ActionScript parameter conversion in the fix for issue 403 (https://code.google.com/p/google-security-research/issues/detail?id=403) can...
Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption (MdConvertLine)
Exploit for Android platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=616 The attached file causes memory corruption when it is scanned by the face recognition library in android.media.process F/libc ( 4134): Fatal signal 11 (SIGSEGV), code 1,...
pdfium - opj_t2_read_packet_header libopenjpeg Heap Use-After-Free
pdfium - opj_t2_read_packet_header libopenjpeg Heap Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=613 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing: --- cut --- $ ./pdfium_test...
pdfium - opj_j2k_read_mcc (libopenjpeg) Heap Based Out-of-Bounds Read
Exploit for multiple platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=624 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing: --- cut --- $ ./pdfium_test...
pdfium - opj_jp2_apply_pclr 'libopenjpeg' Heap Out-of-Bounds Read
Source: https://code.google.com/p/google-security-research/issues/detail?id=626 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing: --- cut --- ==9326==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250001bf680 at pc 0x000000892375 bp...
pdfium - CPDF_Function::Call Stack Buffer Overflow
pdfium - CPDF_Function::Call Stack Buffer Overflow Source: https://code.google.com/p/google-security-research/issues/detail?id=612 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing: --- cut --- $ ./pdfium_test...
pdfium - CPDF_TextObject::CalcPositionData Heap Out-of-Bounds Read
pdfium - CPDF_TextObject::CalcPositionData Heap Out-of-Bounds Read Source: https://code.google.com/p/google-security-research/issues/detail?id=623 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing: --- cut --- $ ./pdfium_test...
pdfium IsFlagSet (v8 memory management) - SIGSEGV
Source: https://code.google.com/p/google-security-research/issues/detail?id=622 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing: --- cut --- ==31710==ERROR: AddressSanitizer: SEGV on unknown address 0x7f53cc100009 pc 0x0000016fafe2 bp 0x7ffee170d730 sp...
Adobe Flash Sound.setTransform - Use-After-Free
Exploit for windows platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=568 There is a use-after-free in Sound.setTransform. If a transform value is set to an object with valueOf defined, it can free the transform before the values are set. A...
Adobe Flash TextField.setFormat - Use-After-Free
Adobe Flash TextField.setFormat - Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=586 The TextField setFormat method contains a use-after-free. If an integer parameter has valueOf defined, or the object parameter overrides a constructor, this method can...
Adobe Flash MovieClip.localToGlobal - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=570 There is a use-after-free issue in MovieClip.localToGlobal. If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get...
Adobe Flash MovieClip.attachBitmap - Use-After-Free
Adobe Flash MovieClip.attachBitmap - Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=593 There is a use-after-free in MovieClip.attachBitmap. If the depth parameter is an object with valueOf defined, this method can free the MovieClip, which is then used...
Adobe Flash MovieClip.startDrag - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=592 There is a use-after-free in MovieClip.startDrag. If a parameter is an object with valueOf defined, this method can free the MovieClip, which is then used. A minimal POC follows: this.createEmptyMovieClip("mc", 1);...
Adobe Flash MovieClip.duplicateMovieClip - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=591 There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or movie name parameter provided is an object with toString or valueOf defined, this method can free the MovieClip, which is then used. A minimal...
Adobe Flash TextField.text Setter - Use-After-Free
Adobe Flash TextField.text Setter - Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=576 There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's...
Adobe Flash TextField.antiAliasType Setter - Use-After-Free
Adobe Flash TextField.antiAliasType Setter - Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=560 There is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will...
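The Flash entries above (Sound.setTransform, TextField.setFormat, MovieClip.localToGlobal, attachBitmap, startDrag, duplicateMovieClip, and the TextField.text and antiAliasType setters) all describe one ordering bug: the native method resolves its target object first and only then converts a script-supplied argument, and that conversion calls a user-defined valueOf or toString that can free the target before the method writes to it. The block below is an added JavaScript illustration of that mechanism against a toy object model; it is not code from any of the listed advisories and not Flash player code. The Runtime and MovieClip classes, the attachBitmapVulnerable/attachBitmapFixed methods, and the "mc" clip and depth values are constructed for this example. JavaScript is used because Number(x) and String(x) invoke valueOf/toString exactly as the ActionScript coercions in the reports do.

```javascript
// Added example: argument-coercion re-entrancy leading to use-after-free,
// modelled on the MovieClip/TextField reports above. Names are constructed.

// Toy allocator standing in for the player's native object pool. Objects are
// never really reclaimed, so a write after free() is observable in the test.
class Runtime {
  constructor() { this.heap = new Map(); this.nextId = 1; this.log = []; }
  alloc(kind, props) {
    const id = this.nextId++;
    this.heap.set(id, { id, kind, freed: false, ...props });
    return id;
  }
  free(id) {
    const o = this.heap.get(id);
    o.freed = true;
    this.log.push(`free ${o.kind}#${id}`);
  }
  // Resolve a handle to its native object; refuses freed objects.
  deref(id) {
    const o = this.heap.get(id);
    if (!o || o.freed) throw new Error(`${o ? o.kind : "object"}#${id} is freed`);
    return o;
  }
}

// Script-visible clip; `native` is the id of the runtime-side object.
class MovieClip {
  constructor(rt, name, depth) {
    this.rt = rt;
    this.native = rt.alloc("MovieClip", { name, depth, bitmap: null });
  }
  removeMovieClip() { this.rt.free(this.native); }

  // Vulnerable ordering (as in the reports): fetch the native pointer, then
  // coerce the argument. Number(depthArg) runs the caller's valueOf(), which
  // may call removeMovieClip() on this very clip; the stale pointer is then used.
  attachBitmapVulnerable(bitmap, depthArg) {
    const self = this.rt.deref(this.native);   // pointer taken too early
    const depth = Number(depthArg);            // attacker script runs here
    self.bitmap = bitmap;                      // write to freed object
    self.depth = depth;
    return self;
  }

  // Hardened ordering: coerce every argument first (no more script can run
  // after this point), then re-resolve the handle, which fails closed if the
  // clip was freed during conversion.
  attachBitmapFixed(bitmap, depthArg) {
    const depth = Number(depthArg);
    if (!Number.isFinite(depth)) throw new TypeError("depth must be numeric");
    const self = this.rt.deref(this.native);   // throws instead of using freed memory
    self.bitmap = bitmap;
    self.depth = depth;
    return self;
  }
}

// Constructed malicious argument: coerces to 2 but frees the clip on the way.
function evilDepthFor(mc) {
  return { valueOf() { mc.removeMovieClip(); return 2; } };
}

// Vulnerable path: returns evidence that the write landed on a freed object.
function triggerVulnerable() {
  const rt = new Runtime();
  const mc = new MovieClip(rt, "mc", 1);
  const obj = mc.attachBitmapVulnerable("bmp", evilDepthFor(mc));
  return { freed: obj.freed, wroteAfterFree: obj.bitmap === "bmp", log: rt.log };
}

// Fixed path with the same hostile argument: the free still happens, but the
// method notices and refuses to touch the object.
function triggerFixed() {
  const rt = new Runtime();
  const mc = new MovieClip(rt, "mc", 1);
  try { mc.attachBitmapFixed("bmp", evilDepthFor(mc)); return "no error"; }
  catch (e) { return e.message; }
}

// Fixed path with a benign argument behaves normally.
function benignFixed() {
  const rt = new Runtime();
  const mc = new MovieClip(rt, "mc", 1);
  return mc.attachBitmapFixed("bmp", 3).depth;
}

console.log(triggerVulnerable(), triggerFixed(), benignFixed());
```

String(arg) behaves the same way through toString, which is the variant the duplicateMovieClip and TextField.text entries describe; the fix is identical: finish all conversions, then look the object up again.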