codecat007

166 exploits Active since May 2014
CVE-2017-0447 GITHUB HIGH c WORKING POC
Android Kernel 3.18 - Privilege Escalation
An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-32919560.
8 stars
CVSS 7.0
CVE-2017-0524 GITHUB HIGH c WORKING POC
Android Kernel <3.18 - Privilege Escalation
An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33002026.
8 stars
CVSS 7.0
CVE-2017-0536 GITHUB MEDIUM c WORKING POC
Linux Kernel - Information Disclosure in Synaptics Touchscreen Driver
An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33555878.
8 stars
CVSS 4.7
CVE-2017-0624 GITHUB MEDIUM c WORKING POC
Android Kernel 3.10/3.18 - Info Disclosure
An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34327795. References: QC-CR#2005832.
8 stars
CVSS 5.5
CVE-2017-0744 GITHUB MEDIUM c WRITEUP
Android - Elevation of Privilege in NVIDIA Firmware Processing Code
An elevation of privilege vulnerability in the NVIDIA firmware processing code. Product: Android. Versions: Android kernel. Android ID: A-34112726. References: N-CVE-2017-0744.
8 stars
CVSS 5.3
CVE-2017-10997 GITHUB HIGH c WORKING POC
Android < 8.0 - Memory Corruption via PCIe Register Debugfs Write
In all Qualcomm products with Android releases from CAF using the Linux kernel, using a debugfs node, a write to a PCIe register can cause corruption of kernel memory.
8 stars
CVSS 7.8
CVE-2017-6426 GITHUB LOW c WORKING POC
Android - Information Disclosure in Qualcomm SPMI Driver
An information disclosure vulnerability in the Qualcomm SPMI driver. Product: Android. Versions: Android kernel. Android ID: A-33644474. References: QC-CR#1106842.
8 stars
CVSS 3.3
CVE-2017-8243 GITHUB HIGH c WORKING POC
Qualcomm MSM and QRD Android - Buffer Overflow in Firmware Image Processing
A buffer overflow can occur in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android when processing a firmware image file.
8 stars
CVSS 7.8
CVE-2017-8244 GITHUB HIGH c WORKING POC
Android - Race Condition in MSMVIDC DebugFS Driver
In core_info_read and inst_info_read in all Android releases from CAF using the Linux kernel, variable "dbg_buf", "dbg_buf->curr" and "dbg_buf->filled_size" could be modified by different threads at the same time, but they are not protected with mutex or locks. Buffer overflow is possible on race conditions. "buffer->curr" itself could also be overwritten, which means that it may point to anywhere of kernel memory (for write).
8 stars
CVSS 7.0
CVE-2017-8266 GITHUB HIGH c WORKING POC
Qualcomm Android Video Driver - Use-After-Free via Race Condition
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in a video driver potentially leading to a use-after-free condition.
8 stars
CVSS 7.0
CVE-2017-8270 GITHUB HIGH c WORKING POC
Qualcomm Android Driver - Use-After-Free via Race Condition
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in a driver potentially leading to a use-after-free condition.
8 stars
CVSS 7.0
CVE-2017-9691 GITHUB MEDIUM c WORKING POC
Android for MSM/Firefox OS for MSM/QRD Android - Memory Corruption
There is a race condition in Android for MSM, Firefox OS for MSM, and QRD Android that allows to access to already free'd memory in the debug message output functionality contained within the mobicore driver.
8 stars
CVSS 4.7
CVE-2018-18281 GITHUB HIGH c WORKING POC
Linux kernel <4.2 - Info Disclosure
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.
8 stars
CVSS 7.8
CVE-2016-2384 GITHUB MEDIUM c WORKING POC
Linux Kernel < 4.4.8 - Use-After-Free in USB MIDI Descriptor Handling
Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.
8 stars
CVSS 4.6
CVE-2016-2411 GITHUB MEDIUM c WORKING POC
Android 6.x - Privilege Escalation via Qualcomm Power Management Kernel Driver
A Qualcomm Power Management kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages root access, aka internal bug 26866053.
8 stars
CVSS 6.5
CVE-2016-2434 GITHUB HIGH c WORKING POC
Android < 6.0.1 - Privilege Escalation via NVIDIA Video Driver
The NVIDIA video driver in Android before 2016-05-01 on Nexus 9 devices allows attackers to gain privileges via a crafted application, aka internal bug 27251090.
8 stars
CVSS 7.8
CVE-2016-2435 GITHUB HIGH c WORKING POC
Android < 6.0.1 - Privilege Escalation via NVIDIA Video Driver
The NVIDIA video driver in Android before 2016-05-01 on Nexus 9 devices allows attackers to gain privileges via a crafted application, aka internal bug 27297988.
8 stars
CVSS 7.8
CVE-2016-3857 GITHUB HIGH c WORKING POC
Android <2016-08-05 - Privilege Escalation
The kernel in Android before 2016-08-05 on Nexus 7 (2013) devices allows attackers to gain privileges via a crafted application, aka internal bug 28522518.
8 stars
CVSS 7.8
CVE-2016-3935 GITHUB HIGH c WORKING POC
Qualcomm cryptographic engine driver - Privilege Escalation
Multiple integer overflows in drivers/crypto/msm/qcedev.c in the Qualcomm cryptographic engine driver in Android before 2016-10-05 on Nexus 5X, Nexus 6, Nexus 6P, and Android One devices allow attackers to gain privileges via a crafted application, aka Android internal bug 29999665 and Qualcomm internal bug CR 1046507.
8 stars
CVSS 7.8
CVE-2016-9793 GITHUB HIGH c WORKING POC
Linux Kernel 3.5-3.12.69 - Memory Corruption via Negative sk_sndbuf/sk_rcvbuf Values
The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.
8 stars
CVSS 7.8
CVE-2017-1000112 GITHUB HIGH c WORKING POC
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
8 stars
CVSS 7.0
CVE-2017-6074 GITHUB HIGH c WORKING POC
Linux Kernel < 3.2.86 - Double Free in DCCP Packet Processing
The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
8 stars
CVSS 7.8
CVE-2017-7308 GITHUB HIGH c WORKING POC
AF_PACKET packet_set_ring Privilege Escalation
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.
8 stars
CVSS 7.8
CVE-2018-17182 GITHUB HIGH c WORKING POC
Linux kernel <4.18.8 - Use After Free
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.
8 stars
CVSS 7.8
CVE-2019-13272 GITHUB HIGH c WORKING POC
Linux Polkit pkexec helper PTRACE_TRACEME local root exploit
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
8 stars
CVSS 7.8