io_uring Vulnerability Resulting in Freeing Wrong Kernel Buffer
An interesting primitive in io_uring resulting in the ability to free adjacent kernel buffers.
Four vulnerabilities related to XPC services either not sufficiently checking application entitlements leading to disclosure of sensitive information
Thirteen distinct vulnerabilities in Apache Dubbo related to insecure deserialization, and an excellent look at using CodeQL to assist manual vulnerability research and attack surface discovery. A lot of the interesting points in this post are more about the discovery of new attack surface rather than in the vulnerabilities themselves.
A malicious inetloc file can be used to execute arbitrary applications that already exist on the system. Normally inetloc files are shortcuts to an internet location…
These are five issues that enabled file writes outside of the expected directory when NPM was unpacking an archive using the node-tar library.
The AWS WorkSpaces desktop application registers a custom URI on the host system and does not properly sanitize the parameters, leading to argument injection. As the WorkSpaces client is based on the Chromium Embedded Framework, the debugging argument --gpu-launcher can be used to issue arbitrary commands.
This Talos report covers a non-trivial issue where a stack pointer is used after it went out of scope when invoking JS bindings, which are provided to document creators by Nitro Pro PDF for automating aspects of the document. When one of these bindings needs to be executed by the SpiderMonkey library, the js32u.dll!js_Invoke function is used to create stack space and push a JSStackFrame object to be used by the invoked binding…
This post covers an infoleak in Microsoft's Azure Sphere Security Monitor, which is a Linux-based operating system for IoT devices. They focus on the SMSyscallPeripheralAcquire system call, which is used for switching the mux mode on a given pin and changing the layout of how the pins are configured…
It's hard to even call this one a vulnerability: the driver developers simply expose some kernel primitives directly to userland, nothing crazy needed. The driver supporting HP OMEN Gaming Hub software directly exposes several privileged instructions through IOCTLs…
The CoreGraphics framework for decoding JBIG2-encoded data in a PDF has an out-of-bounds write. This vulnerability originates in its attempt to calculate the number of symbols.