Android One - mt_wifi IOCTL_GET_STRUCT Privilege Escalation

Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=678 The wireless driver for the Android One sprout devices has a bad copyfromuser in the handling for the wireless driver socket private read ioctl IOCTLGETSTRUCT with subcommand...

Android One - mt_wifi IOCTL_GET_STRUCT Privilege Escalation

Android One - mtwifi IOCTLGETSTRUCT Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=678 The wireless driver for the Android One sprout devices has a bad copyfromuser in the handling for the wireless driver socket private read ioctl IOCTLGETSTRUCT with...

Apple Mac OSX / iOS - SUID Binary Logic Error Kernel Code Execution

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=676 tl;dr The code responsible for loading a suid-binary following a call to the execve syscall invalidates the task port after first swapping the new vmmap into the old task object leaving a short race window where we can manipula...

Apple Mac OSX / iOS - SUID Binary Logic Error Kernel Code Execution

Exploit for multiple platform in category local exploits Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=676 tl;dr The code responsible for loading a suid-binary following a call to the execve syscall invalidates the task port after first swapping the new vmmap into the old task...

Apple iOS Kernel Competitive Conditions Vulnerability

iOS is an operating system developed by Apple for mobile devices, and supported devices include iPhone, iPod touch, iPad, and Apple TV. A competitive condition vulnerability exists in the Kernel implementation in versions prior to iOS 9.3, which can lead to the execution of arbitrary code with...

Apple Mac OSX Kernel - Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=728 External Method 36 of IOUSBInterfaceUserClient is AbortStreamPipe. It takes two scalar inputs and uses the second one as an array index to read a pointer to a C++ object without checking the bounds then calls a virtual method...

Apple Mac OSX iOS - SUID Binary Logic Error Kernel Code Execution

Apple Mac OSX iOS - SUID Binary Logic Error Kernel Code Execution Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=676 tl;dr The code responsible for loading a suid-binary following a call to the execve syscall invalidates the task port after first swapping the new vmmap into the...

Apple Mac OSX - Kernel Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort

Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=728 External Method 36 of IOUSBInterfaceUserClient is AbortStreamPipe. It takes two scalar inputs and uses the second one as an array index to read a pointer to a C++ object withou...

Race you to the kernel!

Posted by Ian Beer of Google Project Zero The OS X and iOS kernel code responsible for loading a setuid root binary invalidates the old task port after first swapping the new virtual memory map pointer into the old task object, leaving a short race window where you can manipulate the memory of an...

Google Nexus Qualcomm Performance Component Mobilization Vulnerability

Google Nexus is a series of smart devices based on the Android operating system, including a cell phone and tablet. The smart device is manufactured by Google by providing technology and authorizing partner hardware manufacturers, Qualcomm performance is one of the Qualcomm performance components...

Apple Mac OSX - OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient NULL Dereference

Apple Mac OSX - OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient NULL Dereference / Source: https://code.google.com/p/google-security-research/issues/detail?id=512 IOUserClient::connectClient is an obscure IOKit method which according to the docs is supposed to "Inform a connection...

Apple Mac OSX - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution

Apple Mac OSX - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution / Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as...

Apple Mac OSX - IOBluetoothHCIUserClient Arbitrary Kernel Code Execution

Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and...

Apple Mac OSX - 'IOBluetoothHCIUserClient' Arbitrary Kernel Code Execution

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=569 IOBluetoothHCIUserClient uses an IOCommandGate to dispatch external methods; it passes a pointer to the structInput of the external method as arg0 and ::SimpleDispatchWL as the Action. It neither passes nor checks t...

Apple Mac OSX / iOS - NECP System Control Socket Packet Parsing Kernel Code Execution Integer Overfl

Exploit for multiple platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=543 NKE control sockets are documented here: https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/control/control.html By default ther...

Apple Mac OSX iOS - NECP System Control Socket Packet Parsing Kernel Code Execution Integer Overflow

Apple Mac OSX iOS - NECP System Control Socket Packet Parsing Kernel Code Execution Integer Overflow / Source: https://code.google.com/p/google-security-research/issues/detail?id=543 NKE control sockets are documented here:...

Apple Mac OSX / iOS - NECP System Control Socket Packet Parsing Kernel Code Execution Integer Overflow

/ Source: https://code.google.com/p/google-security-research/issues/detail?id=543 NKE control sockets are documented here: https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/control/control.html By default there are actually a bunch of these providers; they are...

Apple OS X Disk Image Memory Corruption Vulnerability

Apple OS X is an operating system developed by Apple Inc. Apple OS X suffers from a memory corruption vulnerability in the handling of disk image files, which allows attackers to exploit the vulnerability to construct malicious files that can be induced to be parsed by an application, which can b...

Microsoft Windows Core Memory Privilege Elevation Vulnerability (CNVD-2015-08020)

Microsoft Windows is a series of operating systems released by the American company Microsoft. An elevation of privilege vulnerability exists in the Microsoft Windows kernel that arises from a program's failure to properly handle objects in memory. An attacker could exploit the vulnerability to r...

Apple OS X MB Kernel Memory Corruption Vulnerability

Apple OS X is an operating system developed by Apple Inc. A kernel corruption vulnerability exists in Apple OS X SMB processing, which allows local users to exploit the vulnerability to execute arbitrary code in a kernel context...