!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1082 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the latest nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac. P
!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1080 There is a use-after-free security vulnerability related to how the HTMLInputElement is handled in WebKit. The vulnerability was confirmed on a nightly build of WebKit. The Po
!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1074 When an element is removed from a document, the function |disconnectSubframes| is called to detach its subframes(iframe tag, object tag, etc.). Here is a snippet of |disconnec
!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1063 The frame is not detached from an unloaded window. We can access the new document's named properties via the following function. static bool jsDOMWindowPropertiesGetOwnProp
!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1068 Here is the definition of |JSCallbackData| class. This class is used to call a javascript function from a DOM object. class JSCallbackDataStrong : public JSCallbackData { publ
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129 fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents. Here's the code for the FSEVENTS_DEVICE_FILTER_64 ioctl: case FSEVENTS_DEVICE_FILTE
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1069 MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability Selector 0x710 of IntelFBClientControl ends up in AppleInte
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1126 MacOS kernel memory corruption due to off-by-one in audit_pipe_open audit_pipe_open is the special file open handler for the auditpipe device (major number 10.) Here's the code
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necp_open is a syscall used to obtain a new necp file descriptor The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap. Here's the relevant code fr
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1111 SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the ifnet_ordered_head linked list of interfaces. SIOCSIFORDER clears the existing list and allows
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1108 SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular tcp socket, so from pretty much any sandbox. it falls through to calling: ifnet_reset_order(ordered_i
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104 exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn. It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1071 Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig This method takes a structure input and output buffer. It reads an attacker controlle
# Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS # Date: April 3, 2017 # Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd # Contact: chrisdhebert[at]gmail.com # Vendor Security Advisory: https://bto.bluecoat.com