Apple Mac OSX - Kernel Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort
Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=728 External Method 36 of IOUSBInterfaceUserClient is AbortStreamPipe. It takes two scalar inputs and uses the second one as an array index to read a pointer to a C++ object withou...
Apple Mac OSX iOS - SUID Binary Logic Error Kernel Code Execution
Apple Mac OSX iOS - SUID Binary Logic Error Kernel Code Execution Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=676 tl;dr The code responsible for loading a suid-binary following a call to the execve syscall invalidates the task port after first swapping the new vmmap into the...
Race you to the kernel!
Posted by Ian Beer of Google Project Zero The OS X and iOS kernel code responsible for loading a setuid root binary invalidates the old task port after first swapping the new virtual memory map pointer into the old task object, leaving a short race window where you can manipulate the memory of an...
Google Nexus Qualcomm Performance Component Mobilization Vulnerability
Google Nexus is a series of Android-based smart devices, including phones and tablets; Google supplies the technology and licenses partner hardware manufacturers to build them. Qualcomm performance is one of the Qualcomm performance components...
Apple Mac OSX - OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient NULL Dereference
Apple Mac OSX - OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient NULL Dereference / Source: https://code.google.com/p/google-security-research/issues/detail?id=512 IOUserClient::connectClient is an obscure IOKit method which according to the docs is supposed to "Inform a connection...
Apple Mac OSX - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution
Apple Mac OSX - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution / Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as...
Apple Mac OSX - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution
Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and...
Apple Mac OSX - 'IOBluetoothHCIUserClient' Arbitrary Kernel Code Execution
/ Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks t...
Apple Mac OSX / iOS - NECP System Control Socket Packet Parsing Kernel Code Execution Integer Overflow
Exploit for multiple platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=543 NKE control sockets are documented here: https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/control/control.html By default ther...
Apple Mac OSX iOS - NECP System Control Socket Packet Parsing Kernel Code Execution Integer Overflow
Apple Mac OSX iOS - NECP System Control Socket Packet Parsing Kernel Code Execution Integer Overflow / Source: https://code.google.com/p/google-security-research/issues/detail?id=543 NKE control sockets are documented here:...
Apple Mac OSX / iOS - NECP System Control Socket Packet Parsing Kernel Code Execution Integer Overflow
/ Source: https://code.google.com/p/google-security-research/issues/detail?id=543 NKE control sockets are documented here: https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/control/control.html By default there are actually a bunch of these providers; they are...
Apple OS X Disk Image Memory Corruption Vulnerability
Apple OS X is an operating system developed by Apple Inc. Apple OS X suffers from a memory corruption vulnerability in the handling of disk image files, which allows attackers to construct malicious files that, once an application is induced to parse them, can b...
Microsoft Windows Core Memory Privilege Elevation Vulnerability (CNVD-2015-08020)
Microsoft Windows is a series of operating systems released by the American company Microsoft. An elevation of privilege vulnerability exists in the Microsoft Windows kernel that arises from a program's failure to properly handle objects in memory. An attacker could exploit the vulnerability to r...
Apple OS X SMB Kernel Memory Corruption Vulnerability
Apple OS X is an operating system developed by Apple Inc. A kernel memory corruption vulnerability exists in Apple OS X SMB processing, which allows local users to execute arbitrary code in a kernel context...
Microsoft Windows Elevation of Privilege Vulnerability (CNVD-2015-04691)
Microsoft Windows is a series of operating systems designed for personal computer and server users by the American company Microsoft. An elevation of privilege vulnerability exists in the Microsoft Windows kernel mode driver due to a failure of the program to properly handle processing memory...
One class to rule them all
This vulnerability allows for arbitrary code execution in the context of many apps and services and results in elevation of privileges. There is a Proof-of-Concept exploit against the Google Nexus 5 device that achieves code execution inside the highly privileged systemserver process, and then...
Microsoft Windows Kernel 'Win32k.sys' local elevation of privilege vulnerability (CNVD-2015-01097)
Microsoft Windows is a popular operating system. A vulnerability in how Microsoft Windows 'Win32k.sys' handles window cursor objects allows local attackers to elevate privileges and execute arbitrary code in kernel context...
Microsoft Windows KTM Invalid Free with Reused Transaction GUID (MS10-047)
No description provided by source. Microsoft Windows KTM Invalid Free with reused transaction GUID (CVE-2010-1889). The Kernel Transaction Manager (KTM) was introduced in Windows Vista and has been included in subsequent...
Microsoft Windows win32k!GreStretchBltInternal() Does Not Handle src == dest
No description provided by source. Microsoft Windows win32k!GreStretchBltInternal does not handle src == dest. A bitblt (bit block transfer) is used to copy one rectangular region of screen to another, often performing a...
PT-2013-4718 · Microsoft · Windows Server 2008 +5
Name of the Vulnerable Software and Affected Versions: Microsoft Windows Vista SP2; Microsoft Windows Server 2008 SP2; Microsoft Windows Server 2008 R2 SP1; Microsoft Windows 7 SP1. Description: An elevation of privilege issue exists due to improper handling of objects in memory by the Microsoft...