Files

Microsoft Edge FillFromPrototypes Type Confusion
Posted Nov 18, 2016
Authored by Google Security Research, natashenka

JavascriptArray::FillFromPrototypes is a method used by several JavaScript functions available in the browser to set the native elements of an array to the values provided by its prototype. This function calls JavascriptArray::ForEachOwnMissingArrayIndexOfObject with the prototype of the object as a parameter, and if the prototype of the object is an array, it assumes that it is a Var array. While arrays are generally converted to Var arrays when they are set as an object's prototype, if an object's prototype is a Proxy object, it can return a parent prototype that is a native int array. This can lead to type confusion, allowing an integer to be treated as an absolute pointer, when JavascriptArray::FillFromPrototypes is called.

tags | exploit, javascript
advisories | CVE-2016-7201
SHA-256 | 101dc4b8ff4f7d1e144aeed9b089ca5fedd08e6c84b3be506d775adb205e3772
Microsoft Edge Array.splice Heap Overflow
Posted Nov 18, 2016
Authored by Google Security Research, natashenka

There is a heap overflow in Array.splice in Chakra. When an array is spliced, an overflow check is performed, but ArraySpeciesCreate, which can execute code and alter the array, is called after this check. This can allow an array with boundaries that cause integer overflows to be spliced, leading to heap overflows in several situations.

tags | exploit, overflow
advisories | CVE-2016-7203
SHA-256 | 6a5819407b1a08e3e5fb1fe3572513e26e584b6fd29bae8efb15d284321b36d2
Microsoft Edge Array.reverse Overflow
Posted Nov 18, 2016
Authored by Google Security Research, natashenka

There is an overflow when reversing arrays in Chakra. On line 5112 of JavascriptArray::EntryReverse, the length of the array is fetched and stored. It is then passed as a parameter to JavascriptArray::ReverseHelper, which in turn calls FillFromPrototypes, which can change the size of the array.

tags | exploit, overflow
SHA-256 | 51efc1a7f671ca4ab3f0714c3f5a4fe110049441aaaf858fda262b78d884d718
Microsoft Edge Array.filter Information Leak
Posted Nov 18, 2016
Authored by Google Security Research, natashenka

There is an information leak in Array.filter. In Chakra, the destination array that elements are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable arrays. However, the loop that calls the filter function assumes that the destination array is a variable array and sets each value using DirectSetItemAt, which is unsafe and can lead to a Var pointer being written into an integer array.

tags | exploit
advisories | CVE-2016-7200
SHA-256 | b151790aef488a9024d8165bd0cf284b8a3f10045d03d24b0017ec0d7a8eab30
DCFM Blog 0.9.7 Cross Site Scripting
Posted Nov 17, 2016
Authored by N_A

DCFM Blog version 0.9.7 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 7f85f345bfb9584c740071aaf0ba13726bdd4825ffb6d5f54cd2f5c8151662ba
DCFM Blog 0.9.7 Blind SQL Injection
Posted Nov 17, 2016
Authored by N_A

DCFM Blog version 0.9.7 suffers from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 3eb2a13ad07f20d97cd79ab56f4147df3b71badb0a689fd4022b31ce5716ca45
WordPress Answer My Question 1.3 SQL Injection
Posted Nov 17, 2016
Authored by Lenon Leite

WordPress Answer My Question plugin version 1.3 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 55f8bf868beda04e015a3abf5f318cde9a2d7069dc4c951dd8fc0ef31f8a52a2
WordPress Sirv 1.3.1 SQL Injection
Posted Nov 17, 2016
Authored by Lenon Leite

WordPress Sirv plugin version 1.3.1 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 7598c29bd332ccbf10f665c9f8d80ee342b44fd579d74abc877baca8a35a0e39
Authenticated WMI Exec Via Powershell
Posted Nov 17, 2016
Authored by RageLtMan | Site metasploit.com

This Metasploit module uses WMI execution to launch a payload instance on a remote machine. In order to avoid AV detection, all execution is performed in memory via a psh-net encoded payload. The persistence option can be set to keep the payload looping while a handler is present to receive it. By default the module runs as the current process owner. The module can be configured with credentials for the remote host with which to launch the process.

tags | exploit, remote
SHA-256 | 69e871d16e65feb44748c1777776eaa7515e2ac4ea1c947a9dde02de854fdd98
Microsoft Edge Eval Type Confusion
Posted Nov 17, 2016
Authored by Google Security Research, natashenka

In Chakra, function calls can sometimes take an extra internal argument, indicated by the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra argument and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion.

tags | exploit
advisories | CVE-2016-7240
SHA-256 | d7ea56cd00bb283459fd55c24ac87e4186f692adde4a4facfd812d4b0ca61f2b
Nginx Root Privilege Escalation
Posted Nov 16, 2016
Authored by Dawid Golunski

Nginx web server packaging on Debian-based distributions such as Debian or Ubuntu was found to create log directories with insecure permissions, which can be exploited by malicious local attackers to escalate their privileges from the nginx/web user (www-data) to root. The vulnerability could be easily exploited by attackers who have managed to compromise a web application hosted on an Nginx server and gained access to the www-data account, as it would allow them to escalate their privileges further to root access and fully compromise the system. This is fixed in the 1.6.2-5+deb8u3 package on Debian and 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS. UPDATE 2017/01/13 - nginx packages below version 1.10.2-r3 on Gentoo are also affected.

tags | exploit, web, local, root
systems | linux, debian, ubuntu
advisories | CVE-2016-1247
SHA-256 | 572946533a64d6b9af6ce4ce53d1c39bc1cc476f9cdbd639425b4aed7713bcef
WordPress All In One WP Security And Firewall 4.1.9 Cross Site Scripting
Posted Nov 16, 2016
Authored by Yorick Koster

WordPress All In One WP Security and Firewall plugin versions 4.1.4 through 4.1.9 suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 529e84cd77541f83b0ed65669edd6479516fab6293f7fc579a4115aa74f2d889
Microsoft Internet Explorer 8 Javascript RegExpBase::FBadHeader Use-After-Free
Posted Nov 16, 2016
Authored by SkyLined

A specially crafted web page can cause the JavaScript engine of Microsoft Internet Explorer 8 to free memory used for a string. The code keeps a reference to the freed string and can be forced to reuse it when compiling a regular expression.

tags | exploit, web, javascript
advisories | CVE-2015-2482
SHA-256 | a44bc80d38c01b629bf33d47219ad52a17a287e1ebeaf43f0e48e32b2c5d2caf
CS-Cart 4.3.10 Unauthenticated XXE Injection
Posted Nov 16, 2016
Authored by Ahmed Sultan

CS-Cart versions 4.3.10 and below suffer from an unauthenticated XML external entity (XXE) injection vulnerability.

tags | exploit, xxe
SHA-256 | d055752e041a2e34fe412240fa6a2df718f958b7dee0c4a6b2350b08ba38432a
BlackNurse Spoofed ICMP Denial Of Service Proof Of Concept
Posted Nov 15, 2016
Authored by Todor Donev

BlackNurse is a low-bandwidth ICMP attack that is capable of causing denial of service against well-known firewalls. Most ICMP attacks that we see are based on ICMP Type 8 Code 0, also called a ping flood attack. BlackNurse is based on ICMP Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth. Low bandwidth in this case is around 15-18 Mbit/s. This is enough to achieve the volume of packets needed, which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU load. When an attack is ongoing, users on the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops. Various firewalls such as Cisco ASA 5515/5525/5550/5515-X, Fortigate, SonicWall, and more are affected.

tags | exploit, denial of service
systems | cisco
SHA-256 | f71da4e19171d1ad7f74a50978fc1981638a994ffd31303ede3fc3d6659fde3f
Linux Kernel Keyctl Null Pointer Dereference
Posted Nov 15, 2016
Authored by Ralf Spenneberg, Hendrik Schwartke, Sergej Schumilo

A malicious interaction with the keyctl usermode interface allows an attacker to crash the kernel. Processing of the attached certificate by the kernel leads to a kernel null pointer dereference. This vulnerability can be triggered locally by any unprivileged user.

tags | exploit, kernel
SHA-256 | f84b2c209822d9c15501892e2c718cb3967a4db2792d9be2b18757f3378ca33c
Windows VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation
Posted Nov 15, 2016
Authored by Google Security Research, forshaw

The VHDMP driver does not safely delete files, leading to arbitrary file deletion, which could result in elevation of privilege.

tags | exploit, arbitrary
SHA-256 | 83a9ca054e84e9cb0b4edffe665f32711fdddafa66cced5b63b30ba0907cfc2f
Windows Kernel Registry Hive Loading nt!RtlEqualSid Out-Of-Bounds Read
Posted Nov 15, 2016
Authored by Google Security Research, mjurczyk

A Windows kernel crash can occur in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by nt!CmpCheckSecurityCellAccess while loading corrupted registry hive files.

tags | exploit, kernel, registry
systems | windows
advisories | CVE-2016-7216
SHA-256 | 5395350a5bb6db06990997f9489cc97555596c3fb508d3b40ddb43659f993001
Windows VHDMP Arbitrary Physical Disk Cloning Privilege Escalation
Posted Nov 15, 2016
Authored by Google Security Research, forshaw

The VHDMP driver does not open physical disk drives securely when creating a new VHD, leading to information disclosure and elevation of privilege by allowing a user to access data they should not have access to.

tags | exploit, info disclosure
advisories | CVE-2016-7224
SHA-256 | ece66dd4e9a21d845f73e76160ee3d7d4ddb8db78f87bb255a2a71718d6d508c
Windows VHDMP Arbitrary File Creation Privilege Escalation
Posted Nov 15, 2016
Authored by Google Security Research, forshaw

The VHDMP driver does not safely create files related to Resilient Change Tracking, leading to arbitrary file overwrites under user control, which results in elevation of privilege.

tags | exploit, arbitrary
advisories | CVE-2016-7226
SHA-256 | 47779f4011b5478d641f7b65e43f21241798700a262c616442aaa6c5144cb4a7
WinaXe 7.7 FTP Client Remote Buffer Overflow
Posted Nov 15, 2016
Authored by hyp3rlinx, Chris Higgins | Site metasploit.com

This Metasploit module exploits a buffer overflow in the WinaXe 7.7 FTP client. This issue is triggered when a client connects to the server and is expecting the Server Ready response.

tags | exploit, overflow
SHA-256 | 85d7535ae65c59c347e6f08373d814850760c27acc6b296cd04efd4c9b986b81
Trend Micro Smart Protection Server Exec Remote Code Injection
Posted Nov 15, 2016
Authored by Quentin Kaiser | Site metasploit.com

This Metasploit module exploits a vulnerability found in Trend Micro Smart Protection Server where untrusted inputs are fed to the ServWebExec system command, leading to command injection. Please note: authentication is required to exploit this vulnerability.

tags | exploit
SHA-256 | c0669d4763a8b0f7006a57298e45c4f523d05ca9e7d1a8c304ef6ed3cde57c5f
Disk Pulse Enterprise 9.0.34 Login Buffer Overflow
Posted Nov 14, 2016
Authored by Chris Higgins, Tulpa | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Disk Pulse Enterprise 9.0.34. If a malicious user sends a crafted HTTP login request, it is possible to execute a payload that runs under the Windows NT AUTHORITY\SYSTEM account. Due to size constraints, this module uses the Egghunter technique.

tags | exploit, web, overflow
systems | windows
SHA-256 | f5d3f6dc506476540894b621416c7db2b2aacb69a1d4a3c010a96e3d28c89e09
Linux BPF Local Privilege Escalation
Posted Nov 14, 2016
Authored by h00die, Jann Horn | Site metasploit.com

Linux kernel versions 4.4 and above where CONFIG_BPF_SYSCALL is enabled and the kernel.unprivileged_bpf_disabled sysctl is not set to 1 allow BPF to be abused for privilege escalation. Ubuntu 16.04 meets all of these conditions.

tags | exploit, kernel
systems | linux, ubuntu
advisories | CVE-2016-4557
SHA-256 | f1306f2352a229f463a8023d32004c95fc69e0766b3089ee18e864c38cfcb735
Dolphin 7.3.2 Authentication Bypass / Remote Command Execution
Posted Nov 14, 2016
Authored by Ahmed Sultan

Dolphin versions 7.3.2 and below suffer from authentication bypass and remote command execution vulnerabilities.

tags | exploit, remote, vulnerability
SHA-256 | a3bc7729982990d06aeb63a81d8dc62e185c70f5e8b4b10517cafc30d9fef6fa
© 2022 Packet Storm. All rights reserved.