Vulnerabilities (Page 50)

Editing a User to Add Sensitive Scopes to a JWT

Had a JWT, and noticed functionality to invite a user to a group and then change their privileges; these privileges were reflected in the JWT scopes. Through modification of this edit-user request, additional scopes that were not displayed in the UI could be added, such as the company:operations and company:support scopes…


Parallels Desktop Guest to Host Escape

The straightforward version is two out-of-bounds accesses when reading and writing the driver feature set. A guest-provided value is stored and then used as an array index without any validation, both in PciVirtIOWriteMM and in PciVirtIOReadMM, giving relative read/write primitives.


Kernel Vmalloc Use-After-Free in the ION Allocator

A use-after-free in Android’s ION allocator, which the kernel uses for DMA buffers that can be shared across user/kernel/device boundaries. The issue starts from the DMA_BUF_IOCTL_SYNC ioctl exposed by the buffer’s file descriptor; this ioctl can arbitrarily increment or decrement the reference counter for the shared buffer…