
Explore Vulnerabilities


OS X Kernel use-after-free in AppleKeyStore

The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods. However, by racing two threads, one of which closes the userclient (which frees the IOCommandGate) and one of which tries to make an external method call, we can cause a use-after-free of the IOCommandGate.

OS X Kernel code execution due to lack of bounds checking in AppleUSBPipe::Abort

External Method 36 of IOUSBInterfaceUserClient is _AbortStreamPipe. It takes two scalar inputs and uses the second one as an array index to read a pointer to a C++ object without checking the bounds, then calls a virtual method on it. Furthermore, there is no check that the array pointer is non-null; if it is null, we get a controlled offset-from-zero read. Since the controlled dword is multiplied by 8 to index the array, the kernel can easily be made to dereference a controllable userspace address. In this case a value of 0xf0f0f0f0 leads to the kernel reading an IOKit object pointer from 0x787878780. This PoC maps that page to demonstrate control of a kernel object pointer.

Integer Overflow in Comodo Antivirus x86 Emulator

The x86 emulator component of Comodo Antivirus is vulnerable to a heap overflow due to an integer overflow in the MSVBVM60!rtcLowerCaseVar emulated routine. By providing a maliciously crafted length parameter, an attacker can overwrite the trusted heap buffer and potentially execute arbitrary code.

Unvalidated Compression Parameters in Packman

Comodo Antivirus attempts to unpack the Packman executable packer. If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. This leads to various crashes and allows an attacker to free an arbitrary pointer, leading to code execution as NT AUTHORITY\SYSTEM.