Jann Horn

70 exploits Active since May 2015

CVE-2019-2215 VULNCHECK_XDB HIGH WORKING POC

Android Binder Use-After-Free Exploit

A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095

CVSS 7.8

View Code

CVE-2021-33624 INTHEWILD MEDIUM WORKING POC

Linux kernel <5.12.13 - Memory Corruption

In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.

CVSS 4.7

View Code

CVE-2021-29155 INTHEWILD MEDIUM WORKING POC

Linux Kernel < 5.11.16 - Out-of-Bounds Read

An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.

CVSS 5.5

View Code

CVE-2018-5333 EXPLOITDB MEDIUM ruby WORKING POC

Linux kernel <4.14.13 - Memory Corruption

In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.

CVSS 5.5

View Code

CVE-2015-3339 WRITEUP WRITEUP

Linux kernel <3.19.6 - Privilege Escalation

Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped.

View Code

CVE-2017-16996 WRITEUP HIGH WRITEUP

Linux kernel <4.14.8 - Memory Corruption

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling.

CVSS 7.8

View Code

CVE-2017-17852 WRITEUP HIGH WRITEUP

Linux Kernel < 4.14.9 - Memory Corruption

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops.

CVSS 7.8

View Code

CVE-2017-17853 WRITEUP HIGH WRITEUP

Linux Kernel < 4.14.9 - Memory Corruption

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations.

CVSS 7.8

View Code

CVE-2017-17855 WRITEUP HIGH WRITEUP

Linux Kernel < 4.14.9 - Memory Corruption

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars.

CVSS 7.8

View Code

CVE-2017-17856 WRITEUP HIGH WRITEUP

Linux Kernel < 4.14.9 - Memory Corruption

kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement.

CVSS 7.8

View Code

CVE-2017-17857 WRITEUP HIGH WRITEUP

Linux Kernel < 4.14.9 - Memory Corruption

The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations.

CVSS 7.8

View Code

CVE-2018-16276 WRITEUP HIGH WRITEUP

Linux Kernel < 3.16.58 - Out-of-Bounds Write

An issue was discovered in yurex_read in drivers/usb/misc/yurex.c in the Linux kernel before 4.17.7. Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges.

CVSS 7.8

View Code

CVE-2018-18445 WRITEUP HIGH WRITEUP

Canonical Ubuntu Linux < 4.14.75 - Out-of-Bounds Read

In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandles 32-bit right shifts.

CVSS 7.8

View Code

CVE-2019-13233 WRITEUP HIGH WRITEUP

Linux Kernel < 5.1.9 - Race Condition

In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.

CVSS 7.0

View Code

CVE-2019-2215 METASPLOIT HIGH ruby WORKING POC

Android Binder Use-After-Free Exploit

A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095

CVSS 7.8

View Code

CVE-2022-0995 METASPLOIT HIGH ruby WORKING POC

Watch Queue Out of Bounds Write

An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.

CVSS 7.8

View Code

CVE-2019-13272 METASPLOIT HIGH ruby WORKING POC

Linux Polkit pkexec helper PTRACE_TRACEME local root exploit

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.

CVSS 7.8

View Code

CVE-2018-18955 METASPLOIT HIGH ruby WORKING POC

Linux Nested User Namespace idmap Limit Local Privilege Escalation

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

CVSS 7.0

View Code

CVE-2019-9213 METASPLOIT MEDIUM ruby WORKING POC

Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation

In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.

CVSS 5.5

View Code

CVE-2017-4915 METASPLOIT HIGH ruby WORKING POC

VMware Workstation Pro/Player - Privilege Escalation

VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.

CVSS 7.8

View Code

CVE-2017-16995 METASPLOIT HIGH ruby WORKING POC

Linux BPF Sign Extension Local Privilege Escalation

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.

CVSS 7.8

View Code

EIP-2026-103357 EXPLOITDB c WORKING POC

OpenSSH < 6.6 SFTP (x64) - Command Execution

View Code

EIP-2026-103480 EXPLOITDB html WORKING POC

Google Chrome - 'layout' Out-of-Bounds Read

View Code

CVE-2018-18955 EXPLOITDB HIGH bash WORKING POC

Linux Nested User Namespace idmap Limit Local Privilege Escalation

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

CVSS 7.0

View Code

EIP-2026-103038 EXPLOITDB text WORKING POC

Xen 64bit PV Guest - pagetable use-after-type-change Breakout

View Code