Search results

  1. Exploiter

    Exploit Sandboxie 5.18 - Local Denial of Service

    Sandboxie 5.18 - Local Denial of Service author = ''' ############################################## # Created: ScrR1pTK1dd13 # # Name: Greg Priest # # Mail...
  2. Exploiter

    Exploit Microsoft MsMpEng - Multiple Problems Handling ntdll!NtControlChannel Commands

    Microsoft MsMpEng - Multiple Problems Handling ntdll!NtControlChannel Commands Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1260 MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT...
  3. Exploiter

    Exploit Skia Graphics Library - Heap Overflow due to Rounding Error in SkEdge::setLine

    Skia Graphics Library - Heap Overflow due to Rounding Error in SkEdge::setLine /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1155 Skia bug: https://bugs.chromium.org/p/skia/issues/detail?id=6294 There is a heap overflow in SkARGB32_Shader_Blitter::blitH caused by a...
  4. Exploiter

    Exploit Mozilla Firefox < 53 - 'gfxTextRun' Out-of-Bounds Read

    Mozilla Firefox < 53 - 'gfxTextRun' Out-of-Bounds Read <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1160 Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1343552 There is an out-of-bounds read vulnerability in Firefox. The vulnerability was...
  5. Exploiter

    Exploit Mozilla Firefox < 53 - 'ConvolvePixel' Memory Disclosure

    Mozilla Firefox < 53 - 'ConvolvePixel' Memory Disclosure <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1185 Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1347617 There is an out-of-bounds read leading to memory disclosure in Firefox. The...
  6. Exploiter

    Exploit WebKit - 'enqueuePageshowEvent' / 'enqueuePopstateEvent' Universal Cross-Site Scripting

    WebKit - 'enqueuePageshowEvent' / 'enqueuePopstateEvent' Universal Cross-Site Scripting <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1151 Here is a snippet of CachedFrameBase::restore which is invoked when cached frames are restored. void CachedFrameBase::restore()...
  7. Exploiter

    Exploit WebKit - 'FrameLoader::clear' Stealing Variables via Page Navigation

    WebKit - 'FrameLoader::clear' Stealing Variables via Page Navigation <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1162 void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView) {...
  8. Exploiter

    Exploit Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting

    Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1120 When an object element loads a JavaScript URL (e.g., javascript:alert(1)), it checks whether it violates the...
  9. Exploiter

    Exploit Exim 4.87 - 4.91 - Local Privilege Escalation

    Exim 4.87 - 4.91 - Local Privilege Escalation #!/bin/bash # # raptor_exim_wiz - "The Return of the WIZard" LPE exploit # Copyright (c) 2019 Marco Ivaldi <[email protected]> # # A flaw was found in Exim versions 4.87 to 4.91 (inclusive). # Improper validation of recipient address in...
  10. Exploiter

    Exploit WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting

    WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1134 Here's a snippet of ContainerNode::parserRemoveChild. void ContainerNode::parserRemoveChild(Node& oldChild) {...
  11. Exploiter

    Exploit WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting

    WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting Sources: https://bugs.chromium.org/p/project-zero/issues/detail?id=1146 https://bugs.chromium.org/p/chromium/issues/detail?id=519558 VULNERABILITY DETAILS From /WebKit/Source/core/dom/ContainerNode.cpp...
  12. Exploiter

    Exploit Introduction to Manual Backdooring

    Introduction to Manual Backdooring 42061.pdf
  13. Exploiter

    Exploit Apple WebKit / Safari 10.0.3(12602.4.8) - 'WebCore::FrameView::scheduleRelayout' Use-After-Free

    Apple WebKit / Safari 10.0.3(12602.4.8) - 'WebCore::FrameView::scheduleRelayout' Use-After-Free <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1109 PoC: --> <body> <script> let f = document.body.appendChild(document.createElement('iframe')); let g =...
  14. Exploiter

    Exploit Apple WebKit / Safari 10.0.3(12602.4.8) - 'Editor::Command::execute' Universal Cross-Site Scripting

    Apple WebKit / Safari 10.0.3(12602.4.8) - 'Editor::Command::execute' Universal Cross-Site Scripting <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1133 Here's a snippet of Editor::Command::execute used to handle |document.execCommand|. bool...
  15. Exploiter

    Exploit VX Search Enterprise 9.5.12 - GET Buffer Overflow (Metasploit)

    VX Search Enterprise 9.5.12 - GET Buffer Overflow (Metasploit) ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include...
  16. Exploiter

    Exploit CentOS 7.6 - 'ptrace_scope' Privilege Escalation

    CentOS 7.6 - 'ptrace_scope' Privilege Escalation #!/usr/bin/env bash ####################################################### # # # 'ptrace_scope' misconfiguration # # Local Privilege Escalation #...
  17. Exploiter

    Exploit Samba 3.5.0 - Remote Code Execution

    Samba 3.5.0 - Remote Code Execution #!/usr/bin/env python # Title : ETERNALRED # Date: 05/24/2017 # Exploit Author: steelo <[email protected]> # Vendor Homepage: https://www.samba.org # Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 # CVE-2017-7494 import argparse import os.path import sys import...
  18. Exploiter

    Exploit Apple macOS/iOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization

    Apple macOS/iOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unp_externalize is responsible for externalizing the file descriptors carried within a unix domain socket...
  19. Exploiter

    Exploit Apple macOS/iOS Kernel - Memory Disclosure Due to Lack of Bounds Checking in netagent Socket Option Handling

    Apple macOS/iOS Kernel - Memory Disclosure Due to Lack of Bounds Checking in netagent Socket Option Handling /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1140 netagent_ctl_setopt is the setsockopt handler for netagent control sockets. Options of type...
  20. Exploiter

    Exploit Apple macOS - Lack of Bounds Checking in HIServices Custom CFObject Serialization Local Privilege Escalation

    Apple macOS - Lack of Bounds Checking in HIServices Custom CFObject Serialization Local Privilege Escalation /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1219 HIServices.framework is used by a handful of daemons and implements its own CFObject serialization mechanism...
  21. Exploiter

    Exploit Apple macOS/iOS - 'TIKeyboardLayout initWithCoder:' NSKeyedArchiver Heap Corruption Due to Rounding Error

    Apple macOS/iOS - 'TIKeyboardLayout initWithCoder:' NSKeyedArchiver Heap Corruption Due to Rounding Error Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1172 Using lldb inside a simple hello_world app for iOS we can see that there are over 600 classes which we could get...
  22. Exploiter

    Exploit Apple macOS/iOS - 'CAMediaTimingFunctionBuiltin' NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking

    Apple macOS/iOS - 'CAMediaTimingFunctionBuiltin' NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1175 CAMediaTimingFunctionBuiltin is a class in QuartzCore. Its initWithCoder: method reads an Int "index" then...
  23. Exploiter

    Exploit Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)

    Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  24. Exploiter

    Exploit Linux Kernel 4.11 - eBPF Verifier Log Leaks Lower Half of map Pointer

    Linux Kernel 4.11 - eBPF Verifier Log Leaks Lower Half of map Pointer /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1251 When the eBPF verifier (kernel/bpf/verifier.c) runs in verbose mode, it dumps all processed instructions to a user-accessible buffer in...
  25. Exploiter

    Exploit Apple macOS/iOS - Memory Corruption Due to Bad Bounds Checking in NSCharacterSet Coding for NSKeyedUnarchiver

    Apple macOS/iOS - Memory Corruption Due to Bad Bounds Checking in NSCharacterSet Coding for NSKeyedUnarchiver Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1168 The dump today has this list of iOS stuff: https://wikileaks.org/ciav7p1/cms/page_13205587.html Reading through...