A collection of software bug classes, each with its CWE definition and a list of articles showcasing how bugs of that class are hunted for and exploited.
- Command Injection
- Double Free
- NULL Pointer Dereference
- Type Confusion
- Unexpected Sign Extension
- Use After Free
- Use of Externally-Controlled Format String
- Write-What-Where
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
"The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."
Author(s) | Source | Article |
---|---|---|
Pedro Ribeiro, Radek Domanski | Zero Day Initiative / Flashback Team | CVE-2018-8460: Exposing a double free in Internet Explorer for code execution - (YouTube version) |
Lucas Tay | Star Labs | Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability |
David Yesland | Rhino Security Labs | Exploiting CVE-2018-1335: Command Injection in Apache Tika |
Shaun Mirani | Independent Security Evaluators (ISE) | Show Mi The Vulns: Exploiting Command Injection in Mi Router 3 |
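The pattern behind every article in this table is the same: untrusted text is pasted into a command line that a shell then parses. The C example below is added here and is not taken from any of the articles above; `build_shell_command`, `is_safe_hostname`, `exec_without_shell` and `ping_hardened` are hypothetical names, and the attacker input is constructed. It shows what the shell would see, then the two-layer fix a practitioner usually wants: an allow-list on the input and, more importantly, execution through an argv array so no shell is involved at all (`echo` stands in for `ping` so the block runs offline).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the caller-supplied host is spliced into a command
 * line destined for system() or popen(). A shell reads ; | & ` $( ) and
 * newlines as syntax, so "example.com; id" becomes two commands.
 * Returns 0 on success, -1 if the command line does not fit in out. */
static int build_shell_command(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Shows what the shell would receive: returns 1 if the command line built
 * from host contains needle, 0 otherwise. system() is never called. */
static int shell_would_see(const char *host, const char *needle)
{
    char cmd[512];
    if (build_shell_command(host, cmd, sizeof cmd) != 0) return 0;
    return strstr(cmd, needle) != NULL;
}

/* First layer of the fix: an allow-list for what a hostname may contain.
 * Escaping individual metacharacters is the approach most injection
 * patches get wrong; rejecting everything outside [A-Za-z0-9.-] is easy
 * to audit. Returns 1 if host is acceptable, 0 otherwise. */
static int is_safe_hostname(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Second layer: run the program directly with an argv array, so no shell
 * ever parses the input and host is one literal argument whatever it
 * contains. "echo" stands in for "ping" so this runs without network.
 * Returns the child's exit status, or -1 if it could not be spawned. */
static int exec_without_shell(const char *host)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "echo", "would ping:", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127);                  /* only reached if exec fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Both layers: returns -1 for rejected input, otherwise the exit status. */
static int ping_hardened(const char *host)
{
    if (!is_safe_hostname(host)) return -1;
    return exec_without_shell(host);
}

int main(void)
{
    const char *attacker = "example.com; id";   /* constructed input */
    printf("shell would run 'id': %d\n", shell_would_see(attacker, "; id"));
    printf("hardened, attacker input: %d\n", ping_hardened(attacker));
    printf("hardened, good input: %d\n", ping_hardened("example.com"));
    return 0;
}
```

The allow-list alone is not the fix: a later change that widens it (say, to allow IPv6 brackets or a port) silently reopens the hole if a shell is still in the path. Removing the shell is what makes the bug class unreachable.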
CWE-415: Double Free
"The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations."
Author(s) | Source | Article |
---|---|---|
Simon Zuckerbraun | Zero Day Initiative | CVE-2018-8460: Exposing a double free in Internet Explorer for code execution |
Jinwook Shin | Microsoft Security Response Center | MS13-068: A difficult-to-exploit double free in Outlook |
Arthur Gerkis | Exodus Intelligence | Pwn2Own 2019: Microsoft Edge Renderer Exploitation (CVE-2019-0940) |
Andrey Konovalov | Andrey Konovalov's Blog | CVE-2016-2384: Exploiting a double-free in the USB-MIDI Linux kernel driver |
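Most double frees in the articles above come from an ownership mix-up on an error path: one function releases a buffer and a second, unaware, releases it again. The C example below is added here and is not from any of the listed articles; `struct record`, `parse_body_*`, `record_destroy` and `MAX_BODY` are hypothetical names and the record bodies are constructed. It shows the bug, the one-line fix (clear the pointer when ownership ends) and a driver that exercises the error path of either parser.

```c
#include <stdlib.h>
#include <string.h>

/* Clear the pointer in the same statement that frees it, so a second
 * free() through the same variable is a harmless free(NULL). */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

#define MAX_BODY 16            /* hypothetical size limit for a record body */

struct record {
    char  *data;
    size_t len;
};

/* Vulnerable pattern: the parser frees the buffer on its error path but
 * leaves rec->data pointing at freed memory. The owner's normal cleanup,
 * record_destroy(), then frees the same address a second time. */
static int parse_body_vulnerable(struct record *rec, const char *body)
{
    rec->len  = strlen(body);
    rec->data = malloc(rec->len + 1);
    if (rec->data == NULL) return -1;
    memcpy(rec->data, body, rec->len + 1);
    if (rec->len > MAX_BODY) {
        free(rec->data);           /* first free; rec->data is now dangling */
        return -1;
    }
    return 0;
}

/* Fixed: ownership of the buffer ends here, so the pointer is cleared. */
static int parse_body_fixed(struct record *rec, const char *body)
{
    rec->len  = strlen(body);
    rec->data = malloc(rec->len + 1);
    if (rec->data == NULL) return -1;
    memcpy(rec->data, body, rec->len + 1);
    if (rec->len > MAX_BODY) {
        FREE_AND_NULL(rec->data);  /* no dangling pointer left behind */
        return -1;
    }
    return 0;
}

/* Owner's cleanup: with the vulnerable parser this is the second free(). */
static void record_destroy(struct record *rec)
{
    FREE_AND_NULL(rec->data);
}

/* Drives one parser down its error path with an oversize body and reports
 * whether it left a dangling pointer behind (1) or cleared it (0). The
 * record is deliberately not destroyed here: with the vulnerable parser
 * that call would be the double free. */
static int error_path_leaves_dangling(int (*parse)(struct record *, const char *))
{
    struct record rec = { NULL, 0 };
    const char *oversize = "constructed body longer than sixteen bytes";
    (void)parse(&rec, oversize);      /* returns -1 for both parsers */
    return rec.data != NULL;
}

/* Normal path with the fixed parser: parse, then destroy. Returns 1 if the
 * parse succeeded and cleanup left no pointer behind. */
static int parse_and_destroy(const char *body)
{
    struct record rec = { NULL, 0 };
    int rc = parse_body_fixed(&rec, body);
    record_destroy(&rec);
    return rc == 0 && rec.data == NULL;
}

int main(void)
{
    return parse_and_destroy("short body") ? 0 : 1;
}
```

glibc catches the simplest case at run time (it aborts with "free(): double free detected in tcache 2" when the same chunk is freed twice in a row), but those allocator checks are not complete and the vulnerable parser above compiles without a word. Building with `-fsanitize=address` and running the vulnerable parser followed by `record_destroy()` reports the second free together with the stack of the first.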
CWE-476: NULL Pointer Dereference
"A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit."
Author(s) | Source | Article |
---|---|---|
Leeqwind | xiaodaozhi | Win32k NULL-Pointer-Dereference Analysis by Matching the May Update |
Sam Brown | MWR Labs / F-Secure | [PDF] Windows Kernel Exploitation 101: Exploiting CVE-2014-4113 |
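Both kernel write-ups above hinge on a value that is not a valid object address reaching a dereference. A NULL-page dereference was exploitable for years because user space could map address zero; current kernels and Windows releases refuse that mapping, so today the usual result is a crash, but the check that prevents it is the same. The C example below is added here and is not code from either article; `struct window`, `find_window*`, `title_len_*` and the window table are hypothetical and constructed. It shows the plain NULL check and the stronger check needed when a function signals errors by encoding an errno in the pointer (the Linux `ERR_PTR`/`IS_ERR` convention, re-implemented here): a caller that only tests for NULL lets such a value straight through to the dereference.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct window {
    int         id;
    const char *title;
};

/* Constructed window table standing in for a kernel object lookup. */
static struct window windows[] = {
    { 1, "desktop" },
    { 2, "menu" },
};
#define NWINDOWS (sizeof windows / sizeof windows[0])

/* Linux-style error pointers: a negative errno occupies the top 4095 bytes
 * of the address space, so it is distinct from NULL and from any object. */
#define MAX_ERRNO 4095
static struct window *ERR_PTR(long err)
{
    return (struct window *)(uintptr_t)err;
}
static int IS_ERR_OR_NULL(const struct window *p)
{
    return p == NULL || (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

/* Returns NULL when id is not in the table. */
static struct window *find_window(int id)
{
    for (size_t i = 0; i < NWINDOWS; i++)
        if (windows[i].id == id) return &windows[i];
    return NULL;
}

/* Same lookup, but reports the reason as an error pointer. A caller that
 * only tests for NULL will treat the error code as an object address. */
static struct window *find_window_errptr(int id)
{
    struct window *w = find_window(id);
    return w ? w : ERR_PTR(-ENOENT);
}

/* Vulnerable: dereferences without any check. Only reached below through
 * title_len_checked(), which validates first. */
static int title_len_unchecked(const struct window *w)
{
    int n = 0;
    while (w->title[n] != '\0') n++;      /* faults when w is NULL or an errno */
    return n;
}

/* A NULL-only check: enough for find_window(), wrong for find_window_errptr(). */
static int caller_accepts_null_check(const struct window *w)
{
    return w != NULL;
}

/* The check a caller of an ERR_PTR-returning function must use. */
static int caller_accepts_full_check(const struct window *w)
{
    return !IS_ERR_OR_NULL(w);
}

/* Safe accessor: -1 for NULL or an error pointer instead of a dereference. */
static int title_len_checked(const struct window *w)
{
    if (IS_ERR_OR_NULL(w)) return -1;
    return title_len_unchecked(w);
}

int main(void)
{
    printf("NULL check accepts ERR_PTR(-ENOENT): %d\n",
           caller_accepts_null_check(find_window_errptr(99)));
    printf("full check accepts ERR_PTR(-ENOENT): %d\n",
           caller_accepts_full_check(find_window_errptr(99)));
    printf("title length of window 2: %d\n", title_len_checked(find_window(2)));
    return 0;
}
```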
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
"The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type."
Author(s) | Source | Article |
---|---|---|
Man Yue Mo | GitHub Security Lab | Ghostscript type confusion: Using variant analysis to find vulnerabilities |
David Wells | Tenable | Exploiting a Webroot Type Confusion Bug |
Natalie Silvanovich | Google Project Zero | One Perfect Bug: Exploiting Type Confusion in Flash |
The ZDI Research Team | Zero Day Initiative | CVE-2018-12794: Using Type Confusion to Get Code Execution in Adobe Reader |
Microsoft Defender ATP Research Team | Microsoft | Understanding type confusion vulnerabilities: CVE-2015-0336 |
Mark Dowd, Ryan Smith, David Dewey | Black Hat USA 2009 | Attacking Interoperability |
Max Van Amerongen | F-Secure | Exploiting CVE-2019-17026 - A Firefox JIT Bug |
Nils Emmerich | ERNW | Java Buffer Overflow with ByteBuffer (CVE-2020-2803) and Mutable MethodType (CVE-2020-2805) Sandbox Escapes |
Yuki Chen | Qihoo 360 Vulcan Team | When GC Triggers Callback |
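The engine bugs above (Flash, Reader, Firefox, Edge) all reduce to the same primitive: an object of one type is handed to code that reads it as another, so a field the attacker controls as a number is consumed as a pointer, or a pointer is read back as a number. The C example below is added here and is not from any of the listed articles; the tagged `struct value`, `make_*`, `string_ptr_*` and `int_*` names are hypothetical. It models a script-engine value and shows both directions of the confusion next to the tag check that prevents them.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A tagged value of the kind scripting engines and object models use:
 * the tag says which union member is live. */
enum tag { TAG_INT, TAG_STRING };

struct value {
    enum tag tag;
    union {
        int64_t i;
        struct { const char *ptr; size_t len; } s;
    } u;
};

static struct value make_int(int64_t i)
{
    struct value v;
    memset(&v, 0, sizeof v);
    v.tag = TAG_INT;
    v.u.i = i;
    return v;
}

static struct value make_string(const char *s)
{
    struct value v;
    memset(&v, 0, sizeof v);
    v.tag = TAG_STRING;
    v.u.s.ptr = s;
    v.u.s.len = strlen(s);
    return v;
}

/* Vulnerable accessor: trusts the caller's belief that v is a string. For
 * an integer value the 64-bit payload is reinterpreted as the pointer, so
 * the attacker's integer becomes an address. Nothing here dereferences
 * it; a real caller would, giving a read or write at that address. */
static const char *string_ptr_unchecked(const struct value *v)
{
    return v->u.s.ptr;
}

/* Fixed accessor: check the dynamic type before touching the payload. */
static const char *string_ptr_checked(const struct value *v)
{
    return v->tag == TAG_STRING ? v->u.s.ptr : NULL;
}

/* The same confusion in the other direction turns a string into an
 * integer whose value is the address of its characters: the info-leak
 * half of a typical engine exploit. */
static int64_t int_unchecked(const struct value *v)
{
    return v->u.i;
}

static int int_checked(const struct value *v, int64_t *out)
{
    if (v->tag != TAG_INT) return -1;
    *out = v->u.i;
    return 0;
}

/* Returns 1 if reading an integer as a string yields exactly the bits the
 * attacker stored, i.e. the resulting pointer is fully controlled. */
static int confused_pointer_is_controlled(int64_t attacker_bits)
{
    struct value v = make_int(attacker_bits);
    return (uintptr_t)string_ptr_unchecked(&v) == (uintptr_t)attacker_bits;
}

/* Returns 1 if the checked accessor refuses to treat an integer as a string. */
static int checked_accessor_rejects_int(void)
{
    struct value v = make_int(0x41414141);
    return string_ptr_checked(&v) == NULL;
}

/* Returns 1 if the unchecked integer read of a string leaks its pointer
 * while the checked read refuses. */
static int string_as_int_leaks_pointer(void)
{
    static const char text[] = "constructed string";
    struct value v = make_string(text);
    int64_t out = 0;
    return int_unchecked(&v) == (int64_t)(uintptr_t)text
        && int_checked(&v, &out) == -1;
}

int main(void)
{
    return (confused_pointer_is_controlled(0x41414141)
            && checked_accessor_rejects_int()
            && string_as_int_leaks_pointer()) ? 0 : 1;
}
```

In real engines the tag check is usually present; the bug is a path on which the tag was checked once and the object was then replaced (a callback, a GC, a JIT assumption that was not re-validated), which is exactly the shape described in several of the articles above.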
CWE-194: Unexpected Sign Extension
"The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses."
Author(s) | Source | Article |
---|---|---|
Kim Youngsung | LINE Engineering | Buffer overflow in PJSIP, a VoIP open source library |
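The definition is easier to see with the numbers in front of you: a length byte of 0xFF read through a signed 8-bit type is -1, a later bounds check written as `len <= limit` is satisfied, and when the value reaches a `size_t` parameter it has become `SIZE_MAX`. The C example below is added here and is not code from the PJSIP article; the TLV layout, `read_len_*`, `bounds_check_passes`, `copy_size` and `copy_payload_fixed` are hypothetical and both packets are constructed. It also spells out the signed type, because plain `char` is signed on x86 but unsigned on AArch64 Linux, which is one reason this class of bug is platform-dependent.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 16

/* Constructed TLV records: one byte of tag, one byte of length, payload. */
static const uint8_t bad_packet[]  = { 0x01, 0xFF, 0x41, 0x42, 0x43 };
static const uint8_t good_packet[] = { 0x01, 0x03, 0x41, 0x42, 0x43 };

/* Vulnerable: the length byte is read through a signed 8-bit type, so
 * 0xFF becomes -1 and is sign-extended when widened to int. */
static int read_len_vulnerable(const uint8_t *pkt)
{
    int8_t len = (int8_t)pkt[1];
    return len;                                  /* -1 */
}

/* Fixed: wire bytes are unsigned, so 0xFF is 255. */
static int read_len_fixed(const uint8_t *pkt)
{
    uint8_t len = pkt[1];
    return len;                                  /* 255 */
}

/* A bounds check written against the signed value lets -1 through,
 * because -1 <= BUF_SIZE is true in signed arithmetic. */
static int bounds_check_passes(int len)
{
    return len <= BUF_SIZE;
}

/* What memcpy would then be asked to copy once the int reaches a size_t
 * parameter: -1 converts to SIZE_MAX. */
static size_t copy_size(int len)
{
    return (size_t)len;
}

/* Complete parse step using the fixed reader. Copies the payload into
 * dst (BUF_SIZE bytes) and returns the count, or -1 if the length exceeds
 * either the destination or the bytes actually present in the packet. */
static long copy_payload_fixed(const uint8_t *pkt, size_t pktlen, uint8_t *dst)
{
    if (pktlen < 2) return -1;
    size_t len = (size_t)read_len_fixed(pkt);
    if (len > BUF_SIZE || len > pktlen - 2) return -1;
    memcpy(dst, pkt + 2, len);
    return (long)len;
}

/* Convenience wrapper with its own destination buffer. */
static long parse_into_local_buffer(const uint8_t *pkt, size_t pktlen)
{
    uint8_t dst[BUF_SIZE];
    return copy_payload_fixed(pkt, pktlen, dst);
}

int main(void)
{
    return parse_into_local_buffer(good_packet, sizeof good_packet) == 3 ? 0 : 1;
}
```

The second condition in `copy_payload_fixed` (`len > pktlen - 2`) is the one most often missing even in code that got the signedness right: a length that fits the destination can still run past the end of the packet.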
CWE-416: Use After Free
"Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code."
Author(s) | Source | Article |
---|---|---|
Abdul-Aziz Hariri | Zero Day Initiative | Use-After-Silence: Exploiting a Quietly Patched UAF in VMware |
Man Yue Mo | GitHub Security Lab | Exploiting a textbook use-after-free in Chrome |
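A use-after-free is a lifetime bug rather than a single bad line: one holder frees the object while another still has a raw pointer to it. The C example below is added here and is not from either article; `struct session`, the `session_*` and `timer_fire_*` functions and the `live_sessions` counter are hypothetical. It shows the vulnerable close-then-fire sequence and the reference-counted version in which each holder owns a reference, so the object is freed exactly once, after the last holder is done.

```c
#include <stdlib.h>

struct session {
    int refs;       /* number of holders, including the owner */
    int closed;
    int id;
};

static int live_sessions;        /* objects allocated and not yet freed */

static struct session *session_new(int id)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL) abort();
    s->refs = 1;
    s->id = id;
    live_sessions++;
    return s;
}

static void session_get(struct session *s) { s->refs++; }

static void session_put(struct session *s)
{
    if (--s->refs == 0) {
        live_sessions--;
        free(s);
    }
}

/* Vulnerable lifetime: close() frees unconditionally while a timer still
 * holds a raw pointer to the object; when the timer fires it reads freed
 * memory. Only main() reaches this pair, and only when DEMO_UAF is set. */
static void session_close_vulnerable(struct session *s)
{
    s->closed = 1;
    live_sessions--;
    free(s);
}
static int timer_fire_vulnerable(struct session *s)
{
    return s->closed;            /* use after free */
}

/* Fixed lifetime: every holder owns a reference, close() only drops the
 * owner's, and the object dies with the last put(). */
static void session_close_fixed(struct session *s)
{
    s->closed = 1;
    session_put(s);
}
static int timer_fire_fixed(struct session *s)
{
    int closed = s->closed;      /* alive for certain: we hold a reference */
    session_put(s);
    return closed;
}

/* Scenario: a session is closed while a timer still references it.
 * Returns 1 if the timer observed the close and the object was freed
 * exactly once, 0 otherwise. */
static int run_fixed_scenario(void)
{
    live_sessions = 0;
    struct session *s = session_new(7);
    session_get(s);                       /* timer takes its reference */
    session_close_fixed(s);               /* owner done; object survives */
    int closed = timer_fire_fixed(s);     /* last reference: freed here */
    return closed == 1 && live_sessions == 0;
}

int main(void)
{
#ifdef DEMO_UAF
    /* Build with -DDEMO_UAF -fsanitize=address to see the report. */
    struct session *s = session_new(1);
    session_close_vulnerable(s);
    return timer_fire_vulnerable(s);
#else
    return run_fixed_scenario() ? 0 : 1;
#endif
}
```

Without a sanitizer the vulnerable path usually "works" because the freed memory has not been reused yet; what turns it into the exploits described above is reclaiming that memory with attacker-controlled data between the free and the use.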
CWE-134: Use of Externally-Controlled Format String
"The software uses a function that accepts a format string as an argument, but the format string originates from an external source."
Author(s) | Source | Article |
---|---|---|
Joe Giron | Gironsec | Exploit in Skyrim |
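The bug class needs only one missing argument: a logging or message routine that takes a format string, called with user text in the format position. The C example below is added here and is not code from the article; `log_write`, `render_*` and `has_format_directive` are hypothetical. The vulnerable and fixed callers are shown side by side, and the demonstration input is `%%`, the one directive that consumes no argument and so stays within defined behaviour; `%x`, `%s` and `%n` are explained in the comments but not executed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char logbuf[128];         /* the "log line" the wrapper produced */

/* Hypothetical logging API in the style of syslog() or a project's
 * log_msg(): a format string plus arguments. The bug is never in this
 * function but in callers that pass user text as fmt. */
static int log_write(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable caller: the user's text *is* the format string. "%x" reads
 * the stack where an argument would be, "%s" dereferences such a word,
 * "%n" writes the byte count so far through one. Only "%%" is passed in
 * below; it consumes no argument, so the call stays defined. */
static const char *render_vulnerable(const char *user)
{
    log_write(user);
    return logbuf;
}

/* Fixed caller: constant format, user text is data. */
static const char *render_fixed(const char *user)
{
    log_write("%s", user);
    return logbuf;
}

/* Returns 1 if the two callers produce different log lines for this input,
 * i.e. the input was interpreted instead of copied. */
static int input_was_interpreted(const char *user)
{
    char a[sizeof logbuf], b[sizeof logbuf];
    memcpy(a, render_vulnerable(user), sizeof a);
    memcpy(b, render_fixed(user), sizeof b);
    return strcmp(a, b) != 0;
}

/* Guard for code that cannot change the API it calls: returns 1 if s holds
 * a live directive (a '%' not followed by another '%'), 0 if it is inert. */
static int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    printf("interpreted: %d\n", input_was_interpreted("100%%"));
    printf("directive in '%%x %%n': %d\n", has_format_directive("%x %n"));
    return 0;
}
```

Compilers flag the direct form (`printf(user)`) with `-Wformat-security`, and Ubuntu's gcc turns that into an error by default, but a project wrapper such as `log_write` above is only checked if it carries `__attribute__((format(printf, 1, 2)))`; adding that attribute to every variadic logging function is the cheapest audit for this class.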
CWE-123: Write-what-where Condition
"Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow."
Author(s) | Source | Article |
---|---|---|
Simon Zuckerbraun | Zero Day Initiative | RCE Without Native Code: Exploitation of a Write-What-Where in Internet Explorer |
Taha Karim | Confiant | Internet Explorer CVE-2019-1367 Exploitation — part 2 |
ZecOps Research Team | ZecOps | Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation: Writeup + POC |
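What the three articles above build on is the primitive in the CWE definition: an unchecked index or offset lets the attacker pick both the value and the location of a write, and the location of choice is a field that later steers control flow. The C example below is added here and is not from any of the listed articles; the `arena` layout, `slot_write_*`, `dispatch` and `exploit_*` are hypothetical. The dispatch target is kept as an index into a small handler table rather than a raw code pointer, so the demo stays safe to run, but the mechanics (write one slot past the end, land on the control field) are the real ones.

```c
#include <stdint.h>
#include <string.h>

/* Constructed "memory": four 8-byte slots followed by the object's
 * dispatch target, laid out back to back as struct members would be. */
#define NSLOTS 4
static uint8_t arena[(NSLOTS + 1) * sizeof(uint64_t)];
#define HANDLER_OFFSET (NSLOTS * sizeof(uint64_t))

enum { HANDLER_BENIGN = 0, HANDLER_PRIVILEGED = 1 };

static int benign(void)     { return 100; }
static int privileged(void) { return 999; }
static int (*const handlers[])(void) = { benign, privileged };

static void reset_arena(void)
{
    uint64_t h = HANDLER_BENIGN;
    memset(arena, 0, sizeof arena);
    memcpy(arena + HANDLER_OFFSET, &h, sizeof h);
}

/* Vulnerable primitive: the caller chooses the value ("what") and the slot
 * index ("where") and nothing checks the index, so index NSLOTS lands on
 * the handler field. Larger indexes would leave the arena: undefined
 * behaviour here, a wild write in a real program. */
static void slot_write_vulnerable(uint64_t idx, uint64_t value)
{
    memcpy(arena + idx * sizeof value, &value, sizeof value);
}

/* Fixed: bounds check with an unsigned comparison, so negative indexes
 * (which arrive as huge values) are rejected too. Returns 0 or -1. */
static int slot_write_fixed(uint64_t idx, uint64_t value)
{
    if (idx >= NSLOTS) return -1;
    memcpy(arena + idx * sizeof value, &value, sizeof value);
    return 0;
}

/* Dispatch through the stored handler. Keeps its own guard so a corrupted
 * value cannot call outside the table; that guard is what lets this demo
 * run, a real code pointer would have none. */
static int dispatch(void)
{
    uint64_t h;
    memcpy(&h, arena + HANDLER_OFFSET, sizeof h);
    if (h >= sizeof handlers / sizeof handlers[0]) return -1;
    return handlers[h]();
}

/* Attacker's use of the primitive: write HANDLER_PRIVILEGED one slot past
 * the end, then let the program dispatch. Returns what got called. */
static int exploit_vulnerable(void)
{
    reset_arena();
    slot_write_vulnerable(NSLOTS, HANDLER_PRIVILEGED);
    return dispatch();
}

static int exploit_fixed(void)
{
    reset_arena();
    (void)slot_write_fixed(NSLOTS, HANDLER_PRIVILEGED);   /* rejected */
    return dispatch();
}

int main(void)
{
    return (exploit_vulnerable() == 999 && exploit_fixed() == 100) ? 0 : 1;
}
```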