1351 matches found
Information Disclosure
qt is vulnerable to information disclosure attacks. The vulnerability exists as the QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions world-readable and world-writable for shared memory segments, which allows local...
Insecure Authorization
openjdk is vulnerable to insecure authorization. The 2D component created shared memory segments with insecure permissions, allowing a local attacker to exploit the vulnerability to read or write to the shared memory segment...
Virtuozzo 7 : readykernel-patch (VZA-2018-080)
According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerability : - Use-after-free in the implementation of the shared memory. A flaw was found in the implementation of the shared memory...
Linux: Check options for /dev/shm directory
/dev/shm implements traditional shared memory concept. It is an efficient means of passing data between programs. This script tests options set on /dev/shm filesystem. Copyright C 2019 Greenbone Networks GmbH SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
XNU POSIX Shared Memory Mapping Issue
XNU: POSIX shared memory mappings have incorrect maximum protection CVE-2018-4435 When the mmap syscall is invoked on a POSIX shared memory segment DTYPEPSXSHM, pshmmmap maps the shared memory segment's pages into the address space of the calling process. It does this with the following code: int...
XNU POSIX Shared Memory Mapping Issue Exploit
Exploit for multiple platform in category local exploits XNU: POSIX shared memory mappings have incorrect maximum protection CVE-2018-4435 When the mmap syscall is invoked on a POSIX shared memory segment DTYPEPSXSHM, pshmmmap maps the shared memory segment's pages into the address space of the...
XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection
XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection When the mmap syscall is invoked on a POSIX shared memory segment DTYPEPSXSHM, pshmmmap maps the shared memory segment's pages into the address space of the calling process. It does this with the following code: int prot =...
XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection
When the mmap syscall is invoked on a POSIX shared memory segment DTYPEPSXSHM, pshmmmap maps the shared memory segment's pages into the address space of the calling process. It does this with the following code: int prot = uap-prot; ... if prot & PROTWRITE && fp-fflag & FWRITE == 0 returnEPERM;...
Apple macOS shm Uninitialized Data Information Disclosure Vulnerability
This vulnerability allows local attackers to disclose sensitive information on vulnerable installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handlin...
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege Master Platform: Windows 10 1803 not tested earlier, although code looks similar on Win8+ Class: Elevation of Privilege Note, this is the master issue report for th...
Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation Exploit
Exploit for windows platform in category local exploits Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege Master Platform: Windows 10 1803 not tested earlier, although code looks similar on Win8+ Class: Elevation of Privilege Note, this is the master issue report for the DfMarshal...
Important kernel security update: Virtuozzo ReadyKernel patch 65.0 for Virtuozzo 7.0.7 HF3 to 7.0.8 HF1
The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-693.21.1.vz7.48.2 7.0.7 HF3, 3.10.0-862.9.1.vz7.63.3 7.0.8, and 3.10.0-862.11.6.vz7.64.7 7.0.8 HF1. Vulnerability id: PSBM-89717 Use-after-free in the...
Apple iOSmacOS - Sandbox Escape due to mach Message sent from Shared Memory
Apple iOSmacOS - Sandbox Escape due to mach Message sent from Shared Memory iohideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts a mach message which it sends whenever it wants to notify a client that there's data available in the queue. As a clien...
Apple iOSmacOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem
Apple iOSmacOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem iohideventsystem is a MIG service which provides proxy access to various HID devices for untrusted clients. On iOS it's hosted by backboardd and on MacOS by hidd. The actual implementation is ...
Apple iOS / macOS - Sandbox Escape due to mach Message sent from Shared Memory Exploit
Exploit for multiple platform in category dos / poc Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory iohideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts a mach message which it sends whenever it wants to notify a client...
Apple iOS / macOS - Sandbox Escape due to Trusted Length Field in Shared Memory Exploit
Exploit for multiple platform in category dos / poc Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem iohideventsystem is a MIG service which provides proxy access to various HID devices for untrusted clients. On iOS it's hosted by backboard...
Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory
iohideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it puts a mach message which it sends whenever it wants to notify a client that there's data available in the queue. As a client we can modify this mach message such that the server hidd on MacOS,...
Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem
iohideventsystem is a MIG service which provides proxy access to various HID devices for untrusted clients. On iOS it's hosted by backboardd and on MacOS by hidd. The actual implementation is in IOKit.framework. I, and also pangu jailbreak team, had previously found a few bugs in the kernel...
Deja-XNU
Posted by Ian Beer, Google Project Zero This blog post revisits an old bug found by Pangu Team and combines it with a new, albeit very similar issue I recently found to try to build a "perfect" exploit for iOS 7.1.2. State of the art An idea I've wanted to play with for a while is to revisit old...
VirtualBox 5.2.6.r120293 - VM Escape
VirtualBox 5.2.6.r120293 - VM Escape Oracle fixed some of the issues I reported in VirtualBox during the Oracle Critical Patch Update - April 2018. CVE-2018-2844 was an interesting double fetch vulnerability in VirtualBox Video Acceleration VBVA feature affecting Linux hosts. VBVA feature works o...