Search results

  1. Exploiter

    Exploit Microsoft Edge - 'Array.map' Heap Overflow (MS16-119)

    Microsoft Edge - 'Array.map' Heap Overflow (MS16-119) <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=923 There is a heap overflow in Array.map in Chakra. In Js::JavascriptArray::MapHelper, if the array that is being mapped is a Proxy, ArraySpeciesCreate is used to...
  2. Exploiter

    Exploit Microsoft Edge - 'Function.apply' Information Leak (MS16-119)

    Microsoft Edge - 'Function.apply' Information Leak (MS16-119) <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=920 When Function.apply is called in Chakra, the parameter array is iterated through using JavascriptArray::ForEachItemInRange. This function accepts a...
  3. Exploiter

    Exploit Microsoft Edge - 'Array.join' Information Leak (MS16-119)

    Microsoft Edge - 'Array.join' Information Leak (MS16-119) <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=919 When an array is joined in Chakra, it calls JavascriptArray::JoinArrayHelper, a function that is templated based on the type of the array. This function then...
  4. Exploiter

    Exploit Microsoft Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)

    Microsoft Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=873 We have encountered Windows kernel crashes in the memmove() function called by nt!CmpCheckValueList while...
  5. Exploiter

    Exploit Microsoft Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)

    Microsoft Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=876 We have encountered a Windows kernel crash in the nt!RtlValidRelativeSecurityDescriptor function...
  6. Exploiter

    Exploit WhatsApp - RTP Processing Heap Corruption

    WhatsApp - RTP Processing Heap Corruption Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet. 08-31 15:43:50.721 9428 9713 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7104200000 in tid 9713 (Thread-11) 08-31 15:43:50.722 382...
  7. Exploiter

    Exploit Microsoft Windows - 'win32k.sys' TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)

    Microsoft Windows - 'win32k.sys' TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=864 We have encountered a number of Windows kernel crashes in the win32k!itrp_GetCVTEntryFast function (called by...
  8. Exploiter

    Exploit ifwatchd - Privilege Escalation (Metasploit)

    ifwatchd - Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Linux::Priv...
  9. Exploiter

    Exploit Microsoft Windows - 'win32k.sys' TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)

    Microsoft Windows - 'win32k.sys' TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=868 We have encountered Windows kernel crashes in the win32k!sbit_Embolden and...
  10. Exploiter

    Exploit ghostscript - executeonly Bypass with errorhandler Setup

    ghostscript - executeonly Bypass with errorhandler Setup While documenting bug 1675, I noticed another problem with errordict in ghostscript. Full working exploit that works in the last few versions is attached, viewing it in evince, imagemagick, gimp, okular, etc should add a line to...
  11. Exploiter

    Exploit SPIP 3.1.2 - Cross-Site Request Forgery

    SPIP 3.1.2 - Cross-Site Request Forgery ## SPIP 3.1.2 Exec Code Cross-Site Request Forgery (CVE-2016-7980) ### Product Description SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software...
  12. Exploiter

    Exploit Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit)

    Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank =...
  13. Exploiter

    Exploit Microsoft Edge Chakra JIT - 'BailOutOnInvalidatedArrayHeadSegment' Check Bypass

    Microsoft Edge Chakra JIT - 'BailOutOnInvalidatedArrayHeadSegment' Check Bypass /* The BailOutOnInvalidatedArrayHeadSegment check uses the JavascriptArray::GetArrayForArrayOrObjectWithArray method to check whether the given object is an array. If it's not an array, it will decide to skip the...
  14. Exploiter

    Exploit SPIP 3.1.1/3.1.2 - File Enumeration / Path Traversal

    SPIP 3.1.1/3.1.2 - File Enumeration / Path Traversal ## SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982) ### Product Description SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is...
  15. Exploiter

    Exploit Microsoft Edge Chakra JIT - Type Confusion

    Microsoft Edge Chakra JIT - Type Confusion /* The switch statement only handles Js::TypeIds_Array but not Js::TypeIds_NativeIntArray and Js::TypeIds_NativeFloatArray. So for example, a native float array can be considered as of type ObjectType::Object under certain circumstances where...
  16. Exploiter

    Exploit Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit)

    Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/post/windows/reflective_dll_injection' class MetasploitModule <...
  17. Exploiter

    Exploit Oracle Netbeans IDE 8.1 - Directory Traversal

    Oracle Netbeans IDE 8.1 - Directory Traversal [+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-NETBEANS-IDE-DIRECTORY-TRAVERSAL.txt [+] ISR: ApparitionSec Vendor: =============== www.oracle.com...
  18. Exploiter

    Exploit SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution

    SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution ## SPIP 3.1.2 Template Compiler/Composer PHP Code Execution (CVE-2016-7998) ### Product Description SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of...
  19. Exploiter

    Exploit Unitrends UEB - HTTP API Remote Code Execution (Metasploit)

    Unitrends UEB - HTTP API Remote Code Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  20. Exploiter

    Exploit Zahir Enterprise Plus 6 - Stack Buffer Overflow (Metasploit)

    Zahir Enterprise Plus 6 - Stack Buffer Overflow (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit Rank = NormalRanking include...
  21. Exploiter

    Exploit Navigate CMS - (Unauthenticated) Remote Code Execution (Metasploit)

    Navigate CMS - (Unauthenticated) Remote Code Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include...
  22. Exploiter

    Exploit IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation

    IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation ######################################################################### # Exploit Title: IObit Advanced SystemCare Unquoted Service Path Privilege Escalation # Date: 19/10/2016 # Author: Ashiyane Digital Security...
  23. Exploiter

    Exploit Linux - Kernel Pointer Leak via BPF

    Linux - Kernel Pointer Leak via BPF /* Commit 82abbf8d2fc46d79611ab58daa7c608df14bb3ee ("bpf: do not allow root to mangle valid pointers", first in v4.15) included the following snippet: ========= @@ -2319,43 +2307,29 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env...
  24. Exploiter

    Exploit Android - sdcardfs Changes current->fs Without Proper Locking

    Android - sdcardfs Changes current->fs Without Proper Locking Tested on a Pixel 2 (walleye): [ro.build.ab_update]: [true] [ro.build.characteristics]: [nosdcard] [ro.build.date]: [Mon Jun 4 22:10:18 UTC 2018] [ro.build.date.utc]: [1528150218] [ro.build.description]: [walleye-user 8.1.0...
  25. Exploiter

    Exploit Microsoft Windows - DFS Client Driver Arbitrary Drive Mapping Privilege Escalation (MS16-123)

    Microsoft Windows - DFS Client Driver Arbitrary Drive Mapping Privilege Escalation (MS16-123) /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=885 Windows: DFS Client Driver Arbitrary Drive Mapping EoP Platform: Windows 10 10586, Edge 25.10586.0.0 not tested 8.1 Update 2...