Search results

  1. Exploiter

    Exploit iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address

    iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address During processing of incoming iMessages, attacker controlled data is deserialized using the NSUnarchiver API. One of the classes that is allowed to be decoded from the incoming data is NSDictionary...
  2. Exploiter

    Exploit Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream

    Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (88e4.30f4): Access...
  3. Exploiter

    Exploit Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)

    Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table) We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (5708.4564): Access...
  4. Exploiter

    Exploit Joomla! Component DT Register 3.2.7 - 'id' SQL Injection

    Joomla! Component DT Register 3.2.7 - 'id' SQL Injection # # # # # Exploit Title: Joomla! Component DT Register 3.2.7 - SQL Injection # Dork: N/A # Date: 16.02.2018 # Vendor Homepage: https://www.dthdevelopment.com/ # Software Link...
  5. Exploiter

    Exploit rConfig - install Command Execution (Metasploit)

    rConfig - install Command Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  6. Exploiter

    Exploit Joomla! Component Fastball 2.5 - 'season' SQL Injection

    Joomla! Component Fastball 2.5 - 'season' SQL Injection # # # # # Exploit Title: Joomla! Component Fastball 2.5 - SQL Injection # Dork: N/A # Date: 16.02.2018 # Vendor Homepage: http://www.fastballproductions.com/ # Software Link: http://www.fastballproductions.com/ # Version: 2.5 # Category...
  7. Exploiter

    Exploit Joomla! Component Aist 2.0 - 'id' SQL Injection

    Joomla! Component Aist 2.0 - 'id' SQL Injection # # # # # Exploit Title: Joomla! Component Aist <= 2.0 - SQL Injection # Dork: N/A # Date: 16.02.2018 # Vendor Homepage: http://aist.bmstu.ru/ # Software Link: http://aist.bmstu.ru/ # Version: <= 2.0 # Category: Webapps # Tested on...
  8. Exploiter

    Exploit Joomla! Component AllVideos Reloaded 1.2.x - 'divid' SQL Injection

    Joomla! Component AllVideos Reloaded 1.2.x - 'divid' SQL Injection # # # # # Exploit Title: Joomla! Component AllVideos Reloaded 1.2.x - SQL Injection # Dork: N/A # Date: 16.02.2018 # Vendor Homepage: http://allvideos.fritz-elfert.de # Software Link...
  9. Exploiter

    Exploit Android Janus - APK Signature Bypass (Metasploit)

    Android Janus - APK Signature Bypass (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/payload/apk' class MetasploitModule < Msf::Exploit::Local Rank = ManualRanking...
  10. Exploiter

    Exploit WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive

    WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive VULNERABILITY DETAILS ``` bool JSObject::putInlineSlow(ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot) { ASSERT(!isThisValueAltered(slot, this)); VM& vm = exec->vm()...
  11. Exploiter

    Exploit macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()

    macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common() On macOS, when a new mount point is created, the kernel uses checkdirs() to, as a comment above the function explains: "Scan all active processes to see if any of them have a current or root directory onto...
  12. Exploiter

    Exploit Joomla! Component Advertisement Board 3.1.0 - 'catname' SQL Injection

    Joomla! Component Advertisement Board 3.1.0 - 'catname' SQL Injection # # # # # Exploit Title: Joomla! Component Advertisement Board 3.1.0 - SQL Injection # Dork: N/A # Date: 16.02.2018 # Vendor Homepage: http://ordasoft.com/ # Software Link...
  13. Exploiter

    Exploit Micro Focus (HPE) Data Protector - SUID Privilege Escalation (Metasploit)

    Micro Focus (HPE) Data Protector - SUID Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include...
  14. Exploiter

    Exploit TV - Video Subscription - Authentication Bypass SQL Injection

    TV - Video Subscription - Authentication Bypass SQL Injection # Exploit Title: TV - Video Subscription - Authentication Bypass # Dork: N/A # Date: 2018-02-14 # Exploit Author: Borna nematzadeh (L0RD) or [email protected] # Vendor Homepage...
  15. Exploiter

    Exploit JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects

    JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects The following sample was found by Fuzzilli and then slightly modified. It crashes JSC in debug builds: function main() { const v2 = [1337,1337]; const v3 = [1337,v2,v2,0]; Object.__proto__ =...
  16. Exploiter

    Exploit ABRT - 'raceabrt' Privilege Escalation (Metasploit)

    ABRT - 'raceabrt' Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File...
  17. Exploiter

    Exploit Nostromo - Directory Traversal Remote Command Execution (Metasploit)

    Nostromo - Directory Traversal Remote Command Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include...
  18. Exploiter

    Exploit EPIC MyChart - X-Path Injection

    EPIC MyChart - X-Path Injection # Exploit Title: Epic Systems Corporation MyChart X-Path Injection # Google Dork: MyChart® licensed from Epic Systems Corporation # Date: 8/19/16 # Exploit Author: Shayan Sadigh (http://threat.tevora.com/author/shayan/) # Vendor Homepage...
  19. Exploiter

    Exploit WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed

    WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed VULNERABILITY DETAILS HTMLFrameElementBase.cpp: ``` bool HTMLFrameElementBase::isURLAllowed() const { if (m_URL.isEmpty()) // ***4*** return true; return isURLAllowed(document().completeURL(m_URL)); } bool...
  20. Exploiter

    Exploit JavaScriptCore - GetterSetter Type Confusion During DFG Compilation

    JavaScriptCore - GetterSetter Type Confusion During DFG Compilation The following JavaScript program, found by Fuzzilli and slightly modified, crashes JavaScriptCore built from HEAD and the current stable release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc): let...
  21. Exploiter

    Exploit Microsoft Edge - 'UnmapViewOfFile' ACG Bypass

    Microsoft Edge - 'UnmapViewOfFile' ACG Bypass Background: To implement ACG (https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/#VM4y5oTSGCRde3sk.97), Edge uses a separate process for JIT compiling. This JIT Process is also responsible for mapping native...
  22. Exploiter

    Exploit Pdfium - Pattern Shading Integer Overflows

    Pdfium - Pattern Shading Integer Overflows This vulnerability relies on several minor oversights in the handling of shading patterns in pdfium, I'll try to detail all of the issues that could be fixed to harden the code against similar issues. The DrawXShading functions in...
  23. Exploiter

    Exploit Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace

    Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace Related to issue 1490. When parsing ShadingPatterns; according to the specification they shouldn't be permitted to have a pattern colorspace as their base colorspace, but this is not validated, leading to...
  24. Exploiter

    Exploit Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow

    Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow /* Here's a snippet of the method. ASSIGN_RETURN_FAILURE_ON_EXCEPTION( isolate, captures_length_obj, Object::ToLength(isolate, captures_length_obj)); const int captures_length =...
  25. Exploiter

    Exploit Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion

    Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion /* This is similar to the previous issues 1457, 1459 (MSRC 42551, MSRC 42552). If a JavaScript function is used as a constructor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses...