1995 matches found
Adobe Flash - Uninitialized Stack Parameter Access in MovieClip.swapDepths UaF Fix
Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=715 The ActionScript parameter conversion in the fix for issue 403 https://code.google.com/p/google-security-research/issues/detail?id=403 can sometimes access a parameter on the...
Adobe Flash - Uninitialized Stack Parameter Access in AsBroadcaster.broadcastMessage UaF Fix
Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=717 The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin https://helpx.adobe.com/security/products/flash-player/apsb15-32.html, most likely...
Adobe Flash - Uninitialized Stack Parameter Access in Object.unwatch UaF Fix
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=716 The ActionScript parameter conversion in the fix for an issue in the December Flash bulletin https://helpx.adobe.com/security/products/flash-player/apsb15-32.html, most likely one of the UaFs reported by Yuki Chen can sometimes...
The use of the Linux kernel in Use-After-Free(UAF)vulnerability to mention the right-vulnerability warning-the black bar safety net
Last month broke the CVE-2 0 1 6-0 7 2 8 (local mention the right loopholes so everyone's attention once again focused on the linux kernel security. And CVE-2 0 1 5-3 6 3 6, The CVE-2 0 1 5-7 3 1 2, The CVE-2 0 1 4-2 8 5 1, CVE-2 0 1 6-0 7 2 8 is a Use-After-Free(UAF types of vulnerabilities. We...
Apple Mac OSX - io_service_close Use-After-Free
/ Source: https://code.google.com/p/google-security-research/issues/detail?id=597 It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel. We can in fact do this very simply by calling...
Apple Mac OSX Kernel - no-more-senders Use-After-Free
Apple Mac OSX Kernel - no-more-senders Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=567 Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / ...
Apple Mac OSX - io_service_close Use-After-Free
Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=597 It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel...
Apple Mac OSX - Kernel IOAccelDisplayPipeUserClient2 Use-After-Free
Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=565 Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications repro: while true; do ./iospoofig4; done Likely to crash in various ways; hav...
Apple Mac OSX Kernel - IOAccelMemoryInfoUserClient Use-After-Free
Apple Mac OSX Kernel - IOAccelMemoryInfoUserClient Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=566 Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications repro: while true; do ./iospoofig7; done Tested on ElCapitan...
Apple Mac OSX Kernel - Hypervisor Driver Use-After-Free
/ Source: https://code.google.com/p/google-security-research/issues/detail?id=580 The hvspace lock group gets an extra ref dropped when you kill a process with an AppleHV userclient; one via IOService::terminateWorker calling the AppleHVClient::free method which calls lckrwfree on the lock group...
Apple Mac OSX / iOS Kernel - IOHDIXControllUserClient::clientClose Use-After-Free/Double-Free
/ Source: https://code.google.com/p/google-security-research/issues/detail?id=599 OS X and iOS kernel UaF/double free due to lack of locking in IOHDIXControllUserClient::clientClose Here's the clientClose method of IOHDIXControllUserClient on OS X 10.11.1: text:0000000000005B38 ; int64 fastcall...
Apple Mac OSX - io_service_close Use-After-Free
Apple Mac OSX - ioserviceclose Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=597 It turns out that the spoofed no-more-senders notification bug when applied to iokit objects was actually just a more complicated way to hit ::clientClose in parallel. W...
Apple Mac OSX - Kernel no-more-senders Use-After-Free
Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=567 Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / //...
Apple Mac OSX Kernel - no-more-senders Use-After-Free
/ Source: https://code.google.com/p/google-security-research/issues/detail?id=567 Kernel UaF due to audit session port failing to correctly account for spoofed no-more-senders notifications Tested on ElCapitan 10.11 15a284 on MacBookAir 5,2 / // ianbeer / Kernel UaF due to audit session port...
Apple Mac OSX - Kernel IOAccelMemoryInfoUserClient Use-After-Free
Exploit for macOS platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=566 Kernel UaF with IOAccelMemoryInfoUserClient with spoofed no more senders notifications repro: while true; do ./iospoofig7; done Tested on ElCapitan 10.11 15a284 on...
Apple Mac OSX Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free
/ Source: https://code.google.com/p/google-security-research/issues/detail?id=565 Kernel UaF with IOAccelDisplayPipeUserClient2 with spoofed no more senders notifications repro: while true; do ./iospoofig4; done Likely to crash in various ways; have observed NULL derefs and NX traps. Tested on...
Apple Mac OSX Kernel - Hypervisor Driver Use-After-Free
Apple Mac OSX Kernel - Hypervisor Driver Use-After-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=580 The hvspace lock group gets an extra ref dropped when you kill a process with an AppleHV userclient; one via IOService::terminateWorker calling the...
Apple Mac OSX / iOS - Kernel IOHDIXControllUserClient::clientClose Use-After-Free/Double-Free
Exploit for multiple platform in category dos / poc / Source: https://code.google.com/p/google-security-research/issues/detail?id=599 OS X and iOS kernel UaF/double free due to lack of locking in IOHDIXControllUserClient::clientClose Here's the clientClose method of IOHDIXControllUserClient on OS...
Apple Mac OSX iOS Kernel - IOHDIXControllUserClient::clientClose Use-After-FreeDouble-Free
Apple Mac OSX iOS Kernel - IOHDIXControllUserClient::clientClose Use-After-FreeDouble-Free / Source: https://code.google.com/p/google-security-research/issues/detail?id=599 OS X and iOS kernel UaF/double free due to lack of locking in IOHDIXControllUserClient::clientClose Here's the clientClose...
Internet Bug Bounty: UAF in xmlparser_setevents (2)
https://bugs.python.org/issue24104...