Search results

  1. Exploiter

    Exploit WebKit - 'Element::setAttributeNodeNS' Use-After-Free

    WebKit - 'Element::setAttributeNodeNS' Use-After-Free <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1187 Here's a snippet of Element::setAttributeNodeNS. ExceptionOr<RefPtr<Attr>> Element::setAttributeNodeNS(Attr& attrNode) { ... setAttributeInternal(index...
  2. Exploiter

    Exploit Of Mice and Keyboards - On the Security of Modern Wireless Desktop Sets

    Of Mice and Keyboards - On the Security of Modern Wireless Desktop Sets 42109.pdf
  3. Exploiter

    Exploit Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow (PoC)

    Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow (PoC) #!/usr/bin/python ###################################### # Exploit Title: DiskSorter v9.7.14 - Input Directory Local Buffer Overflow - PoC # Date: 25 May 2017 # Exploit Author: n3ckD_ # Vendor Homepage...
  4. Exploiter

    Exploit WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting

    WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1176 When a document loads "about:blank" or "about:srcdoc", it tries to inherit the security origin from its parent frame, or its opener frame if...
  5. Exploiter

    Exploit WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting

    WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1197 This is similar to the case https://bugs.chromium.org/p/project-zero/issues/detail?id=1151. But this time, javascript handlers may be fired in...
  6. Exploiter

    Exploit WebKit - 'Document::prepareForDestruction' / 'CachedFrame' Universal Cross-Site Scripting

    WebKit - 'Document::prepareForDestruction' / 'CachedFrame' Universal Cross-Site Scripting <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1163 Here's a snippet of Document::prepareForDestruction void Document::prepareForDestruction() { if...
  7. Exploiter

    Exploit Microsoft Windows - 'CmpAddRemoveContainerToCLFSLog' Arbitrary File/Directory Creation

    Microsoft Windows - 'CmpAddRemoveContainerToCLFSLog' Arbitrary File/Directory Creation Windows: CmpAddRemoveContainerToCLFSLog Arbitrary File/Directory Creation EoP Platform: Windows 10 1809 (not tested earlier) Class: Elevation of Privilege Security Boundary (per Windows Security Service...
  8. Exploiter

    Exploit Microsoft Windows Font Cache Service - Insecure Sections Privilege Escalation

    Microsoft Windows Font Cache Service - Insecure Sections Privilege Escalation Windows: Windows Font Cache Service Insecure Sections EoP Platform: Windows 10 1809 (not tested earlier) Class: Elevation of Privilege Security Boundary (per Windows Security Service Criteria): User boundary...
  9. Exploiter

    Exploit WebKit JSC - 'JSObject::ensureLength' ensureLengthSlow Check Failure

    WebKit JSC - 'JSObject::ensureLength' ensureLengthSlow Check Failure /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1165 Here's a snippet of JSObject::ensureLength. bool WARN_UNUSED_RETURN ensureLength(VM& vm, unsigned length) { ASSERT(length < MAX_ARRAY_INDEX)...
  10. Exploiter

    Exploit WebKit JSC - Incorrect Check in emitPutDerivedConstructorToArrowFunctionContextScope

    WebKit JSC - Incorrect Check in emitPutDerivedConstructorToArrowFunctionContextScope /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1173 When a super expression is used in an arrow function, the following code, which generates bytecode, is called. if...
  11. Exploiter

    Exploit Microsoft MsMpEng - Use-After-Free via Saved Callers

    Microsoft MsMpEng - Use-After-Free via Saved Callers Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259 In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState object(rcx+158h in 64-bit). But the garbage collector doesn't mark this saved value. So...
  12. Exploiter

    Exploit [Hebrew] Digital Whisper Security Magazine #82

    [Hebrew] Digital Whisper Security Magazine #82 42099.pdf
  13. Exploiter

    Exploit [Hebrew] Digital Whisper Security Magazine #83

    [Hebrew] Digital Whisper Security Magazine #83 42100.pdf
  14. Exploiter

    Exploit Trend Micro Deep Security 6.5 - XML External Entity Injection / Local Privilege Escalation / Remote Code Execution

    Trend Micro Deep Security 6.5 - XML External Entity Injection / Local Privilege Escalation / Remote Code Execution The following advisory describes three (3) vulnerabilities found in Trend Micro Deep Security version 6.5. “The Trend Micro Hybrid Cloud Security solution, powered by XGen...
  15. Exploiter

    Exploit Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)

    Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include...
  16. Exploiter

    Exploit IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow

    IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow ## Vulnerabilities Summary The following advisory describes six (6) vulnerabilities found in Informix Dynamic Server and Informix Open Admin Tool. IBM Informix Dynamic Server...
  17. Exploiter

    Exploit Linux - Use-After-Free via race Between modify_ldt() and #BR Exception

    Linux - Use-After-Free via race Between modify_ldt() and #BR Exception /* When a #BR exception is raised because of an MPX bounds violation, Linux parses the faulting instruction and computes the linear address of its memory operand. If the userspace instruction is in 32-bit code, this...
  18. Exploiter

    Exploit Microsoft MsMpEng - Remote Use-After-Free Due to Design Issue in GC Engine

    Microsoft MsMpEng - Remote Use-After-Free Due to Design Issue in GC Engine Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1258 MsMpEng's JS engine uses garbage collection to manage the lifetime of Javascript objects. During mark and sweep the GC roots the vectors...
  19. Exploiter

    Exploit Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)

    Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank =...
  20. Exploiter

    Exploit Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)

    Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1) /* CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation vulnerability found by: Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev to compile and run: gcc servu-pe-cve-2019-12181.c -o pe && ./pe */ #include...
  21. Exploiter

    Exploit Octopus Deploy - (Authenticated) Code Execution (Metasploit)

    Octopus Deploy - (Authenticated) Code Execution (Metasploit) ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/exploit/powershell' require 'json' class MetasploitModule <...
  22. Exploiter

    Exploit Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)

    Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit) ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank =...
  23. Exploiter

    Exploit Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write

    Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write // Source: https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/ // // v8 exploit for https://crbug.com/716044 var oob_rw = null; var leak = null; var arb_rw = null; var code = function() { return 1; } code(); class...
  24. Exploiter

    Exploit [Turkish] Mobile Penetration Testing

    [Turkish] Mobile Penetration Testing 42080.pdf
  25. Exploiter

    Exploit Microsoft MsMpEng - Multiple Crashes While Scanning Malformed Files

    Microsoft MsMpEng - Multiple Crashes While Scanning Malformed Files Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1261 A detailed introduction to MsMpEng can be found in issue #1252 , so I will skip the background story here. Through fuzzing, we have discovered a number...