├── LICENSE
└── README.md

/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
  ii. moral rights retained by the original author(s) and/or performer(s);
  iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
  iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data in a Work;
  vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
  vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

  a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
  b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
  c. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
  d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

/README.md:
--------------------------------------------------------------------------------
# awesome-bugs
A collection of software bug types and articles showcasing the hunt for and exploitation of them.

[![Awesome](https://awesome.re/badge.svg)](https://awesome.re)


# Bug Types
* [Command Injection](#command-injection)
* [Double Free](#double-free)
* [NULL Pointer Dereference](#null-pointer-dereference)
* [Type Confusion](#type-confusion)
* [Unexpected Sign Extension](#unexpected-sign-extension)
* [Use After Free](#use-after-free)
* [Use of Externally-Controlled Format String](#use-of-externally-controlled-format-string)
* [Write-What-Where](#write-what-where)


## Command Injection
[CWE-78](https://cwe.mitre.org/data/definitions/78.html): Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

> *"The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."*

| Author(s) | Source | Article |
| --- | --- | --- |
| Pedro Ribeiro, Radek Domanski | Zero Day Initiative / Flashback Team | [Exploiting the TP-Link Archer C7 at Pwn2Own Tokyo](https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo) - ([YouTube version](https://www.youtube.com/watch?v=zjafMP7EgEA)) |
| Lucas Tay | Star Labs | [Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability](https://starlabs.sg/blog/2020/10/analysis-exploitation-of-a-recent-tp-link-archer-a7-vulnerability/) |
| David Yesland | Rhino Security Labs | [Exploiting CVE-2018-1335: Command Injection in Apache Tika](https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/) |
| Shaun Mirani | Independent Security Evaluators (ISE) | [Show Mi The Vulns: Exploiting Command Injection in Mi Router 3](https://blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09) |


## Double Free
[CWE-415](https://cwe.mitre.org/data/definitions/415.html): Double Free

> *"The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations."*

| Author(s) | Source | Article |
| --- | --- | --- |
| Simon Zuckerbraun | Zero Day Initiative | [CVE-2018-8460: Exposing a double free in Internet Explorer for code execution](https://www.thezdi.com/blog/2018/10/18/cve-2018-8460-exposing-a-double-free-in-internet-explorer-for-code-execution) |
| Jinwook Shin | Microsoft Security Response Center | [MS13-068: A difficult-to-exploit double free in Outlook](https://msrc-blog.microsoft.com/2013/09/10/ms13-068-a-difficult-to-exploit-double-free-in-outlook/) |
| Arthur Gerkis | Exodus Intelligence | [Pwn2Own 2019: Microsoft Edge Renderer Exploitation (CVE-2019-0940)](https://blog.exodusintel.com/2019/05/19/pwn2own-2019-microsoft-edge-renderer-exploitation-cve-2019-9999-part-1/) |
| Andrey Konovalov | Andrey Konovalov's Blog | [CVE-2016-2384: Exploiting a double-free in the USB-MIDI Linux kernel driver](https://xairy.github.io/blog/2016/cve-2016-2384) |


## NULL Pointer Dereference
[CWE-476](https://cwe.mitre.org/data/definitions/476.html): NULL Pointer Dereference

> *"A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit."*

| Author(s) | Source | Article |
| --- | --- | --- |
| Leeqwind | xiaodaozhi | [Win32k NULL-Pointer-Dereference Analysis by Matching the May Update](https://xiaodaozhi.com/exploit/156.html) |
| Sam Brown | MWR Labs / F-Secure | [PDF] [Windows Kernel Exploitation 101: Exploiting CVE-2014-4113](https://labs.f-secure.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf) |


## Type Confusion
[CWE-843](https://cwe.mitre.org/data/definitions/843.html): Access of Resource Using Incompatible Type ('Type Confusion')

> *"The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type."*

| Author(s) | Source | Article |
| --- | --- | --- |
| Man Yue Mo | GitHub Security Lab | [Ghostscript type confusion: Using variant analysis to find vulnerabilities](https://securitylab.github.com/research/ghostscript-type-confusion) |
| David Wells | Tenable | [Exploiting a Webroot Type Confusion Bug](https://medium.com/tenable-techblog/exploiting-a-webroot-type-confusion-bug-215308145e32) |
| Natalie Silvanovich | Google Project Zero | [One Perfect Bug: Exploiting Type Confusion in Flash](https://googleprojectzero.blogspot.com/2015/07/one-perfect-bug-exploiting-type_20.html) |
| The ZDI Research Team | Zero Day Initiative | [CVE-2018-12794: Using Type Confusion to Get Code Execution in Adobe Reader](https://www.thezdi.com/blog/2018/9/18/cve-2018-12794-using-type-confusion-to-get-code-execution-in-adobe-reader) |
| Microsoft Defender ATP Research Team | Microsoft | [Understanding type confusion vulnerabilities: CVE-2015-0336](https://www.microsoft.com/security/blog/2015/06/17/understanding-type-confusion-vulnerabilities-cve-2015-0336/?source=mmpc) |
| Mark Dowd, Ryan Smith, David Dewey | Black Hat USA 2009 | [Attacking Interoperability](http://hustlelabs.com/stuff/bh2009_dowd_smith_dewey.pdf) |
| Max Van Amerongen | F-Secure | [Exploiting CVE-2019-17026 - A Firefox JIT Bug](https://labs.f-secure.com/blog/exploiting-cve-2019-17026-a-firefox-jit-bug/) |
| Nils Emmerich | ERNW | [Java Buffer Overflow with ByteBuffer (CVE-2020-2803) and Mutable MethodType (CVE-2020-2805) Sandbox Escapes](https://insinuator.net/2020/09/java-buffer-overflow-with-bytebuffer-cve-2020-2803-and-mutable-methodtype-cve-2020-2805-sandbox-escapes/) |
| Yuki Chen | Qihoo 360 Vulcan Team | [When GC Triggers Callback](https://paper.seebug.org/1032/#case-3-type-confusion-in-jit-engine) |


## Unexpected Sign Extension
[CWE-194](https://cwe.mitre.org/data/definitions/194.html): Unexpected Sign Extension

> *"The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses."*

| Author(s) | Source | Article |
| --- | --- | --- |
| Kim Youngsung | LINE Engineering | [Buffer overflow in PJSIP, a VoIP open source library](https://engineering.linecorp.com/en/blog/buffer-overflow-in-pjsip-a-voip-open-source-library/) |


## Use After Free
[CWE-416](https://cwe.mitre.org/data/definitions/416.html): Use After Free

> *"Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code."*

| Author(s) | Source | Article |
| --- | --- | --- |
| Abdul-Aziz Hariri | Zero Day Initiative | [Use-After-Silence: Exploiting a Quietly Patched UAF in VMWare](https://www.thezdi.com/blog/2017/6/26/use-after-silence-exploiting-a-quietly-patched-uaf-in-vmware) |
| Man Yue Mo | GitHub Security Lab | [Exploiting a textbook use-after-free in Chrome](https://securitylab.github.com/research/CVE-2020-6449-exploit-chrome-uaf) |


## Use of Externally-Controlled Format String
[CWE-134](https://cwe.mitre.org/data/definitions/134.html): Use of Externally-Controlled Format String

> *"The software uses a function that accepts a format string as an argument, but the format string originates from an external source."*

| Author(s) | Source | Article |
| --- | --- | --- |
| Joe Giron | Gironsec | [Exploit in Skyrim](https://www.gironsec.com/blog/2013/05/exploit-in-skyrim/) |


## Write-What-Where
[CWE-123](https://cwe.mitre.org/data/definitions/123.html): Write-what-where Condition

> *"Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow."*

| Author(s) | Source | Article |
| --- | --- | --- |
| Simon Zuckerbraun | Zero Day Initiative | [RCE Without Native Code: Exploitation of a Write-What-Where in Internet Explorer](https://www.thezdi.com/blog/2019/5/21/rce-without-native-code-exploitation-of-a-write-what-where-in-internet-explorer) |
| Taha Karim | Confiant | [Internet Explorer CVE-2019-1367 Exploitation — part 2](https://blog.confiant.com/internet-explorer-cve-2019-1367-exploitation-part-2-8143242b5780) |
| ZecOps Research Team | ZecOps | [Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation: Writeup + POC](https://blog.zecops.com/vulnerabilities/exploiting-smbghost-cve-2020-0796-for-a-local-privilege-escalation-writeup-and-poc/) |
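Worked example for the Command Injection section above. This is an added illustration, not code from this list or from any of the linked write-ups; the router-style "ping this host" handler, its function names and the attacker string are all constructed for the demonstration. It shows the shape of the bug the TP-Link and Mi Router articles describe (a host field concatenated into a shell command) and the two fixes that actually hold: an allow-list on the input and, more importantly, no shell at all.

```c
/* Added example for the Command Injection section (CWE-78): a router-style
 * "diagnostics" handler that pings a user-supplied host. Hypothetical code,
 * not taken from any of the linked write-ups. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE: the host is spliced into a command line that system() would
 * hand to /bin/sh. This only builds the string so the injection is visible;
 * nothing is executed. Returns 0 on success, -1 if the buffer is too small. */
int build_ping_cmd_vuln(char *out, size_t outlen, const char *host) {
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fix 1: allow-list, do not escape. A hostname or IPv4 literal only needs
 * letters, digits, '.' and '-'. Everything the shell cares about (; | & $ `
 * ( ) < > space newline) is rejected outright. A leading '-' is refused so
 * the value cannot be parsed as an option either. Returns 1 if acceptable. */
int is_safe_host(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Fix 2: no shell at all. The host becomes exactly one argv entry, placed
 * after "--" so ping cannot treat it as an option. Returns argc, or -1 if
 * the host was rejected or the array is too small. */
int build_ping_argv(const char *host, const char *argv[], size_t max) {
    if (max < 6 || !is_safe_host(host)) return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "1"; argv[3] = "--";
    argv[4] = host;   argv[5] = NULL;
    return 5;
}

/* Runs the vetted argv via fork/execvp. Returns the child's exit status,
 * or -1 if the host was rejected or the child could not be spawned. */
int ping_host(const char *host) {
    const char *argv[6];
    if (build_ping_argv(host, argv, 6) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                        /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    const char *evil = "127.0.0.1; cat /etc/passwd";   /* constructed attacker input */
    build_ping_cmd_vuln(cmd, sizeof cmd, evil);
    printf("shell would receive: %s\n", cmd);            /* two commands, not one */
    printf("allow-list verdict for attacker input: %d\n", is_safe_host(evil));
    printf("allow-list verdict for example.com: %d\n", is_safe_host("example.com"));
    return 0;
}
```

The allow-list alone is not the fix: it is there so that a later developer who re-introduces `system()` still has a narrow input. The property that removes the bug class is `execvp` with the host as a single argv element, because no shell ever parses the string.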
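Worked example for the Double Free and Use After Free sections above, combined because both are lifetime bugs that become exploit primitives through allocator reuse. This is an added illustration, not code from this list or from any linked article. The four-slot "slab" allocator, the `session` struct and all names are constructed for the demonstration; the slab stands in for the real heap so that slot reuse is deterministic and the program does not trip glibc's own double-free detection. Its LIFO free list mirrors what tcache and fastbins do: the most recently freed chunk is the next one handed out, which is exactly what the Chrome and Internet Explorer write-ups rely on when they reclaim a freed object.

```c
/* Added example for the Double Free (CWE-415) and Use After Free (CWE-416)
 * sections. Hypothetical code; the slab below is a deliberately naive
 * stand-in for the real heap so the behaviour is deterministic. */
#include <stdio.h>
#include <string.h>

struct session { char token[32]; };

#define SLOTS 4
static struct session pool[SLOTS];
static int free_stack[SLOTS * 2];   /* oversized so a double free cannot overrun it */
static int free_top;
static int in_use[SLOTS];

void slab_reset(void) {
    free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--) { free_stack[free_top++] = i; in_use[i] = 0; }
}

struct session *slab_alloc(void) {
    if (free_top == 0) return NULL;
    int i = free_stack[--free_top];      /* LIFO: last freed is first reused */
    in_use[i] = 1;
    return &pool[i];
}

/* Naive free: trusts the caller, like an allocator with no double-free check. */
void slab_free_naive(struct session *s) {
    int i = (int)(s - pool);
    in_use[i] = 0;
    free_stack[free_top++] = i;          /* the same slot may be pushed twice */
}

/* Checked free: refuses a slot that is not live (the role of glibc's tcache
 * "key" field). Returns 0 on success, -1 on a double free or bad pointer. */
int slab_free_checked(struct session *s) {
    int i = (int)(s - pool);
    if (i < 0 || i >= SLOTS || !in_use[i]) return -1;
    in_use[i] = 0;
    free_stack[free_top++] = i;
    return 0;
}

struct session *session_new(const char *token) {
    struct session *s = slab_alloc();
    if (!s) return NULL;
    memset(s->token, 0, sizeof s->token);
    strncpy(s->token, token, sizeof s->token - 1);
    return s;
}

/* CWE-416: a pointer outlives its object; the slot is reclaimed by an
 * attacker-controlled allocation and the stale pointer now reads attacker
 * data. Returns 1 when that happened. */
int uaf_demo(void) {
    slab_reset();
    struct session *stale = session_new("user=alice");
    slab_free_naive(stale);                              /* released ... */
    struct session *reclaim = session_new("user=root");  /* ... and reclaimed */
    (void)reclaim;
    return strcmp(stale->token, "user=root") == 0;
}

/* CWE-415: freeing twice puts the slot on the free list twice, so the next two
 * allocations alias the same memory. Returns 1 when they alias. */
int double_free_demo(void) {
    slab_reset();
    struct session *s = session_new("user=alice");
    slab_free_naive(s);
    slab_free_naive(s);                                  /* second free */
    struct session *a = session_new("cookie=A");
    struct session *b = session_new("cookie=B");         /* same slot as a */
    return a == b;
}

/* Release through a pointer-to-pointer so the caller's variable is cleared.
 * Returns 1 if freed, 0 if already NULL, -1 if the allocator rejected it. */
int session_put(struct session **sp) {
    if (*sp == NULL) return 0;
    int rc = slab_free_checked(*sp);
    *sp = NULL;
    return rc == 0 ? 1 : -1;
}

/* Both mitigations together: the variable is NULLed, and a forgotten alias
 * that still tries to free is caught by the allocator. Returns 1 on success. */
int lifetime_hardened_demo(void) {
    slab_reset();
    struct session *s = session_new("user=alice");
    struct session *alias = s;              /* a second owner without its own reference */
    int first  = session_put(&s);           /* 1: freed, s is now NULL */
    int second = session_put(&s);           /* 0: harmless no-op */
    int third  = slab_free_checked(alias);  /* -1: double free detected */
    return first == 1 && second == 0 && third == -1 && s == NULL;
}

int main(void) {
    printf("stale pointer reads attacker data: %d\n", uaf_demo());
    printf("two allocations alias after double free: %d\n", double_free_demo());
    printf("hardened release behaves: %d\n", lifetime_hardened_demo());
    return 0;
}
```

The `alias` in the hardened demo is the part a code fix cannot reach: NULLing one variable does nothing for a second pointer to the same object, which is why the real remedy is a single owner or reference counting, and why allocator-side checks (tcache key, ASan's quarantine under `-fsanitize=address`) exist as a backstop.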
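Worked example for the Type Confusion section above. This is an added illustration, not code from this list or from any linked article. The tagged `value` type, the hook and every name are constructed for the demonstration; the shape is the one shared by the Flash, Ghostscript and JIT write-ups: one payload word whose meaning depends on a type tag, and a consumer that trusts the tag it last saw.

```c
/* Added example for the Type Confusion section (CWE-843): a tagged value type
 * of the kind used by script engines and PostScript/PDF interpreters.
 * Hypothetical code, not from any linked article. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum tag { T_INT, T_STR };
struct value {
    enum tag tag;
    union { int64_t i; const char *s; } u;   /* one payload word, two meanings */
};

struct value make_int(int64_t i) { struct value v = { T_INT, { .i = i } }; return v; }
struct value make_str(const char *s) { struct value v = { T_STR, { .s = s } }; return v; }

/* VULNERABLE: trusts the caller's claim that v holds a string. If v is an
 * integer, its bits are handed back as a pointer; an attacker who controls the
 * integer controls where the next strlen()/memcpy() reads. Returned, not
 * dereferenced, so the confusion can be observed without crashing. */
const char *as_str_unchecked(const struct value *v) { return v->u.s; }

/* Fix: check the tag at the point of use. */
const char *as_str_checked(const struct value *v) {
    return v->tag == T_STR ? v->u.s : NULL;
}

/* The subtler form: the type was checked, but attacker-reachable code runs
 * before the use and changes the object's type. The hook stands in for a
 * script callback, valueOf(), a GC finalizer, or similar. */
typedef void (*hook_fn)(struct value *);

void attacker_hook(struct value *v) { *v = make_int(0x41414141); }
void benign_hook(struct value *v) { (void)v; }

/* VULNERABLE: check, call out, then use. Returns the pointer the code would
 * dereference as a string, or 0 if the initial check failed. */
uintptr_t str_ptr_after_hook_vuln(struct value *v, hook_fn hook) {
    if (v->tag != T_STR) return 0;
    hook(v);                          /* type may change here */
    return (uintptr_t)v->u.s;         /* stale assumption about the type */
}

/* Fix: re-validate after every call-out, or copy what you need before it. */
uintptr_t str_ptr_after_hook_safe(struct value *v, hook_fn hook) {
    if (v->tag != T_STR) return 0;
    hook(v);
    if (v->tag != T_STR) return 0;    /* object changed type under us: bail out */
    return (uintptr_t)v->u.s;
}

int main(void) {
    struct value n = make_int(0x41414141);
    printf("unchecked string view of an int: %p\n", (const void *)as_str_unchecked(&n));
    printf("checked view: %p\n", (const void *)as_str_checked(&n));   /* (nil) */
    struct value s = make_str("hello");
    printf("pointer after hostile hook: %#lx\n",
           (unsigned long)str_ptr_after_hook_vuln(&s, attacker_hook));   /* 0x41414141 */
    return 0;
}
```

The second pattern is the one worth internalising: the check was present and correct, but a callback between check and use (the "GC triggers callback" case in Yuki Chen's paper) invalidated it. Anything that can run attacker script must be followed by a fresh type check.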
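Worked example for the Unexpected Sign Extension section above. This is an added illustration, not code from this list or from the linked PJSIP write-up; the `[len][name bytes]` wire format, the parser and its names are constructed for the demonstration. It shows the mechanism the CWE entry describes: a length read into a signed byte, a comparison that a negative value sails through, and the conversion to `size_t` that turns -1 into `SIZE_MAX` at the `memcpy`.

```c
/* Added example for the Unexpected Sign Extension section (CWE-194): a tiny
 * length-prefixed parser over a constructed wire format. Hypothetical code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64

/* VULNERABLE: the length byte is read into a signed type. On x86/x86-64 a
 * plain `char` is signed, so `char len = pkt[0]` behaves the same; `signed
 * char` is spelled out so the demo is identical on every platform. A length
 * byte of 0xFF becomes -1, passes both `>` checks, and widens to SIZE_MAX
 * when converted for memcpy. This function returns the size memcpy would
 * receive instead of copying; 0 means the checks rejected the packet. */
size_t copy_len_vuln(const char *pkt, size_t pkt_len) {
    if (pkt_len < 1) return 0;
    signed char len = (signed char)pkt[0];
    int remaining = (int)pkt_len - 1;
    if (len > remaining || len > NAME_MAX_LEN) return 0;   /* -1 passes both */
    return (size_t)len;                                    /* 0xFF -> SIZE_MAX */
}

/* Fix: read the byte as unsigned, compare in size_t, bound by the destination.
 * Returns bytes copied, or -1 on a malformed packet. */
int parse_name_safe(const char *pkt, size_t pkt_len, char *dst, size_t dst_len) {
    if (pkt_len < 1 || dst_len < 1) return -1;
    size_t len = (uint8_t)pkt[0];                          /* 0..255, never negative */
    if (len > pkt_len - 1 || len > dst_len - 1) return -1;
    memcpy(dst, pkt + 1, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void) {
    const char evil[] = "\xff" "abcd";   /* constructed: length byte 0xFF, 4 payload bytes */
    const char good[] = "\x04" "abcd";
    char name[NAME_MAX_LEN + 1];
    printf("memcpy size on vulnerable path: %zu (SIZE_MAX is %zu)\n",
           copy_len_vuln(evil, 5), (size_t)SIZE_MAX);
    printf("safe parser on evil packet: %d\n", parse_name_safe(evil, 5, name, sizeof name));
    printf("safe parser on good packet: %d -> %s\n",
           parse_name_safe(good, 5, name, sizeof name), name);
    return 0;
}
```

Note that a positive over-claim (0x7F with only four bytes present) is caught by the vulnerable code too; the bug is specifically that negative values pass a check written for positives. `-Wsign-compare` and `-Wconversion` flag the mixed comparison at compile time.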
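Worked example for the Use of Externally-Controlled Format String section above. This is an added illustration, not code from this list or from the Skyrim write-up; the logging shim and its names are constructed for the demonstration. The shim matters because this is where the bug usually hides in practice: the `printf` call itself looks fine, and the attacker's text arrives through a wrapper one or two frames up.

```c
/* Added example for the Use of Externally-Controlled Format String section
 * (CWE-134): a logging shim of the kind found in game engines, daemons and
 * plugin hosts. Hypothetical code, not from the linked write-up. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Typical shim: callers supply a printf-style template plus arguments. */
int log_emit(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the user's text is passed as the template. Any '%' directive in
 * it is interpreted: %x/%p leak stack contents, %s reads through a pointer
 * taken from the stack, %n writes the byte count to such a pointer. */
int log_user_vuln(char *out, size_t outlen, const char *user_msg) {
    return log_emit(out, outlen, user_msg);
}

/* Fix: the template is always a literal; user text only travels as an argument. */
int log_user_safe(char *out, size_t outlen, const char *user_msg) {
    return log_emit(out, outlen, "%s", user_msg);
}

/* Defence in depth for templates that genuinely come from outside (a plugin's
 * message table, a config file): allow only literal text and "%%". Returns 1
 * if the string contains no conversion specifier. */
int format_is_inert(const char *fmt) {
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return 0;
    }
    return 1;
}

int main(void) {
    char line[64];
    const char *msg = "quota: 50%% used";    /* constructed user input */
    log_user_vuln(line, sizeof line, msg);
    printf("vulnerable path: %s\n", line);   /* "quota: 50% used": the %% was interpreted */
    log_user_safe(line, sizeof line, msg);
    printf("safe path:       %s\n", line);   /* "quota: 50%% used": text preserved */
    printf("inert? %d %d\n", format_is_inert(msg), format_is_inert("AAAA%n"));   /* 1 0 */
    return 0;
}
```

The demo only uses `%%` so that it runs deterministically; `%x` and `%n` are left to the comments because they read or write through whatever happens to be on the stack. Marking the shim with `__attribute__((format(printf, 3, 4)))` and building with `-Wformat -Wformat-security` makes `log_user_vuln` a compile-time warning, which is the cheapest check a practitioner can add.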
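Worked example for the Write-What-Where section above. This is an added illustration, not code from this list or from any linked article. The `handler_table` object, the setter and the payload function are constructed for the demonstration; the layout (an inline array followed by a function pointer) is chosen so the consequence of an unchecked index is visible in a few lines.

```c
/* Added example for the Write-What-Where section (CWE-123): an object whose
 * inline table is followed by a function pointer, and a setter that trusts an
 * attacker-supplied index. Hypothetical code, not from any linked article. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct handler_table {
    intptr_t slots[4];          /* values written by index from untrusted input */
    int (*on_commit)(void);     /* lives immediately after the array */
};

int normal_commit(void)    { return 0; }
int attacker_payload(void) { return 0x1337; }   /* stands in for shellcode or a ROP pivot */

/* VULNERABLE: no bounds check, so idx selects *where* and val supplies *what*.
 * idx == 4 lands on on_commit. The write goes through a byte pointer derived
 * from the whole object so the effect is well defined for the demo. */
void slot_write_vuln(struct handler_table *t, intptr_t idx, intptr_t val) {
    char *p = (char *)t + offsetof(struct handler_table, slots)
            + idx * (intptr_t)sizeof(intptr_t);
    memcpy(p, &val, sizeof val);
}

/* Fix: bounds-check the index and reject negatives.
 * Returns 0 on success, -1 on an out-of-range index. */
int slot_write_safe(struct handler_table *t, intptr_t idx, intptr_t val) {
    if (idx < 0 || idx >= (intptr_t)(sizeof t->slots / sizeof t->slots[0])) return -1;
    t->slots[idx] = val;
    return 0;
}

/* Uses the primitive to redirect control flow. Returns whatever the (now
 * attacker-chosen) handler returns, or -1 if the layout assumption fails. */
int hijack_demo(void) {
    if (offsetof(struct handler_table, on_commit) != 4 * sizeof(intptr_t)) return -1;
    struct handler_table t = { {0, 0, 0, 0}, normal_commit };
    intptr_t what = (intptr_t)(uintptr_t)attacker_payload;
    slot_write_vuln(&t, 4, what);            /* where: one past the array */
    return t.on_commit();                     /* 0x1337: control flow hijacked */
}

/* Same attempt against the checked setter. Returns 1 if it was rejected and
 * the handler is untouched. */
int www_hardened_demo(void) {
    struct handler_table t = { {0, 0, 0, 0}, normal_commit };
    int rc = slot_write_safe(&t, 4, (intptr_t)(uintptr_t)attacker_payload);
    return rc == -1 && t.on_commit == normal_commit;
}

int main(void) {
    printf("handler returns %#x after unchecked write\n", hijack_demo());
    printf("checked setter blocked the write: %d\n", www_hardened_demo());
    return 0;
}
```

In real targets the "where" is rarely adjacent like this; the write-ups above spend most of their length turning a relative write into an absolute one (corrupting a length field or a typed array's backing-store pointer) and then choosing a "where" such as a vtable or the SMB connection object. The index check is the same fix regardless of how far the attacker can reach.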