JavascriptArray::FillFromPrototypes is a method used by several JavaScript functions available in the browser to set the native elements of an array to the values provided by its prototype. It calls JavascriptArray::ForEachOwnMissingArrayIndexOfObject with the prototype of the object as a parameter, and if that prototype is an array, it assumes it is a Var array. Arrays are generally converted to Var arrays when they are set as an object's prototype, but if an object's prototype is a Proxy object, the Proxy can return a parent prototype that is still a native int array. When JavascriptArray::FillFromPrototypes is then called, this leads to type confusion, allowing an integer to be treated as an absolute pointer.
101dc4b8ff4f7d1e144aeed9b089ca5fedd08e6c84b3be506d775adb205e3772
There is a heap overflow in Array.splice in Chakra. When an array is spliced, an overflow check is performed, but ArraySpeciesCreate, which can execute user code and alter the array, is called after this check. This allows an array whose bounds now cause integer overflows to be spliced, leading to heap overflows in several situations.
6a5819407b1a08e3e5fb1fe3572513e26e584b6fd29bae8efb15d284321b36d2
There is an overflow when reversing arrays in Chakra. On line 5112 of JavascriptArray::EntryReverse, the length of the array is fetched and stored. It is then passed as a parameter into JavascriptArray::ReverseHelper, which calls FillFromPrototypes, which can change the size of the array, so the stored length no longer matches the array being reversed.
51efc1a7f671ca4ab3f0714c3f5a4fe110049441aaaf858fda262b78d884d718
There is an info leak in Array.filter. In Chakra, the destination array that elements are filtered into is created using ArraySpeciesCreate, which can create both native and Var arrays. However, the loop that calls the filter function assumes the destination array is a Var array and sets each value using DirectSetItemAt, which is unsafe and can lead to a Var pointer being written into an integer array.
b151790aef488a9024d8165bd0cf284b8a3f10045d03d24b0017ec0d7a8eab30
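The splice, reverse and filter entries above share one mechanism: the engine caches a length or an element type, then runs user code (a Symbol.species constructor, a callback, or a prototype walk through a Proxy) that can change the array underneath it. The following is an added example, not Chakra source code, that shows the ordering problem in plain ECMAScript under Node: Array.prototype.splice fixes its counts and performs its overflow check before ArraySpeciesCreate runs, and a hostile species constructor can shrink the array in between. The helper names (makeHostileArray, guardedSplice, arraySpeciesCreate) are this example's own, and guardedSplice is a model of how a native fast path should re-check the length, not the fix Chakra shipped.

```javascript
// Added example (not Chakra source).  Models the spec-level ordering that the
// splice, reverse and filter bugs above share: Array.prototype.splice fixes
// `len` and `actualDeleteCount` and performs its overflow check, and only then
// calls ArraySpeciesCreate, which runs whatever `constructor[Symbol.species]`
// names.  User code in that hook can resize the array, so anything cached
// before the call is stale afterwards.

// Constructed input: [0, 1, ..., n-1] whose species constructor empties the
// array while splice is in progress and records what it saw in `trace`.
function makeHostileArray(n, trace) {
  const src = Array.from({ length: n }, (_, i) => i);
  // An own `constructor` property is enough to redirect the species lookup.
  src.constructor = {
    [Symbol.species]: function HostileSpecies(requestedLength) {
      trace.push({ stage: 'species', requestedLength, sourceLength: src.length });
      src.length = 0;                       // shrink the array mid-operation
      return new Array(requestedLength);    // the array the engine will fill
    },
  };
  return src;
}

// Own array-index keys only (the hostile array also carries `constructor`).
function indexKeys(o) {
  return Object.keys(o).filter((k) => /^\d+$/.test(k)).length;
}

// Runs the engine's own splice against the hostile array.  A spec-compliant
// implementation produces a result with the requested length but no elements,
// because the source is already empty when the copy loop runs; a native fast
// path that kept using the cached length would read past the new storage.
function spliceWithHostileSpecies(n) {
  const trace = [];
  const src = makeHostileArray(n, trace);
  const removed = src.splice(1, n - 2);   // remove n-2 elements starting at index 1
  return {
    removedLength: removed.length,
    removedOwnKeys: indexKeys(removed),
    sourceLength: src.length,
    sourceOwnKeys: indexKeys(src),
    trace,
  };
}

// Simplified model of ArraySpeciesCreate(original, length) from ECMA-262:
// look up constructor[Symbol.species] and construct it with `length`.
function arraySpeciesCreate(original, length) {
  let C = original.constructor;
  if (C !== undefined && C !== null && (typeof C === 'object' || typeof C === 'function')) {
    C = C[Symbol.species];
    if (C === null) C = undefined;
  }
  if (C === undefined) return new Array(length);
  if (typeof C !== 'function') throw new TypeError('species is not a constructor');
  return new C(length);
}

// How a native fast path should behave: cache `len` as Chakra's code did, but
// re-read the length after the step that can run user code and refuse to go
// on with the cached values if it changed.  Assumes in-range `start` and
// `deleteCount` (the real builtin clamps them first).
function guardedSplice(arr, start, deleteCount) {
  const len = arr.length;
  const out = arraySpeciesCreate(arr, deleteCount);   // user code may run here
  if (arr.length !== len) {
    return { ok: false, reason: 'array length changed during ArraySpeciesCreate' };
  }
  for (let k = 0; k < deleteCount; k++) out[k] = arr[start + k];
  for (let k = start + deleteCount; k < len; k++) arr[k - deleteCount] = arr[k];
  arr.length = len - deleteCount;
  return { ok: true, removed: out };
}
```

Calling spliceWithHostileSpecies(5) shows the species hook being invoked with requestedLength 3 while the source still has length 5, and afterwards a removed array of length 3 with no elements and a source of length 2 with no elements. guardedSplice on the same hostile array returns ok: false instead of operating on stale counts.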
DCFM Blog version 0.9.7 suffers from a cross site scripting vulnerability.
7f85f345bfb9584c740071aaf0ba13726bdd4825ffb6d5f54cd2f5c8151662ba
DCFM Blog version 0.9.7 suffers from a remote blind SQL injection vulnerability.
3eb2a13ad07f20d97cd79ab56f4147df3b71badb0a689fd4022b31ce5716ca45
WordPress Answer My Question plugin version 1.3 suffers from a remote SQL injection vulnerability.
55f8bf868beda04e015a3abf5f318cde9a2d7069dc4c951dd8fc0ef31f8a52a2
WordPress Sirv plugin version 1.3.1 suffers from a remote SQL injection vulnerability.
7598c29bd332ccbf10f665c9f8d80ee342b44fd579d74abc877baca8a35a0e39
This Metasploit module uses WMI execution to launch a payload instance on a remote machine. To avoid AV detection, all execution is performed in memory via a psh-net encoded payload. The persistence option can be set to keep the payload looping while a handler is present to receive it. By default the module runs as the current process owner; it can be configured with credentials for the remote host with which to launch the process.
69e871d16e65feb44748c1777776eaa7515e2ac4ea1c947a9dde02de854fdd98
In Chakra, function calls can sometimes take an extra internal argument, indicated by the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra argument and casts it to a FrameDisplay object. If eval is called from a location where an extra parameter is added, for example a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion.
d7ea56cd00bb283459fd55c24ac87e4186f692adde4a4facfd812d4b0ca61f2b
The nginx web server packages on Debian and Debian-based distributions such as Ubuntu were found to create log directories with insecure permissions, which malicious local attackers can exploit to escalate their privileges from the nginx/web user (www-data) to root. The vulnerability could easily be exploited by attackers who have compromised a web application hosted on the nginx server and gained access to the www-data account, as it would allow them to escalate further to root and fully compromise the system. This is fixed in the 1.6.2-5+deb8u3 package on Debian and 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS. UPDATE 2017/01/13 - nginx packages below version 1.10.2-r3 on Gentoo are also affected.
572946533a64d6b9af6ce4ce53d1c39bc1cc476f9cdbd639425b4aed7713bcef
WordPress All In One WP Security and Firewall plugin versions 4.1.4 through 4.1.9 suffer from a cross site scripting vulnerability.
529e84cd77541f83b0ed65669edd6479516fab6293f7fc579a4115aa74f2d889
A specially crafted web-page can cause the Javascript engine of Microsoft Internet Explorer 8 to free memory used for a string. The code will keep a reference to the string and can be forced to reuse it when compiling a regular expression.
a44bc80d38c01b629bf33d47219ad52a17a287e1ebeaf43f0e48e32b2c5d2caf
CS-Cart versions 4.3.10 and below suffer from an unauthenticated XML external entity (XXE) injection vulnerability.
d055752e041a2e34fe412240fa6a2df718f958b7dee0c4a6b2350b08ba38432a
Blacknurse is a low bandwidth ICMP attack that is capable of doing denial of service to well known firewalls. Most ICMP attacks that we see are based on ICMP Type 8 Code 0 also called a ping flood attack. BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth. Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops. Various firewalls such as Cisco ASA 5515/5525/5550/5515-X, Fortigate, SonicWall, and more are affected.
f71da4e19171d1ad7f74a50978fc1981638a994ffd31303ede3fc3d6659fde3f
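As an added example that is not part of the BlackNurse advisory, the following detector recognises the traffic pattern it describes: it builds IPv4/ICMP datagrams in memory (constructed traffic, not a capture), parses them back, and flags any second in which ICMP Type 3 Code 3 reaches a packets-per-second threshold. The default threshold of 40000 pps is the lower end of the rate the advisory reports; the source and destination addresses are constructed from RFC 5737 documentation ranges, and the function names (buildIcmp, parseIcmp, detectBlackNurse) are this example's own.

```javascript
// Added example, not from the advisory.  Builds, parses and rate-counts
// ICMP Type 3 Code 3 (destination unreachable, port unreachable) traffic.

// RFC 1071 Internet checksum over `buf`; a message carrying a correct
// checksum sums to zero when this is run over the whole message.
function inetChecksum(buf) {
  let sum = 0;
  for (let i = 0; i + 1 < buf.length; i += 2) sum += buf.readUInt16BE(i);
  if (buf.length % 2 === 1) sum += buf[buf.length - 1] << 8;
  while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
  return (~sum) & 0xffff;
}

function ipToBytes(ip) {
  return Buffer.from(ip.split('.').map(Number));
}

// Minimal IPv4 header (no options) + ICMP header + payload.  Real Type 3
// messages carry the offending IP header plus 8 bytes of its payload; 28 zero
// bytes stand in for that here.
function buildIcmp({ src, dst, type, code, payload = Buffer.alloc(28) }) {
  const icmp = Buffer.alloc(8 + payload.length);
  icmp[0] = type;
  icmp[1] = code;                          // bytes 2..3 (checksum) stay zero while summing
  payload.copy(icmp, 8);
  icmp.writeUInt16BE(inetChecksum(icmp), 2);
  const ip = Buffer.alloc(20);
  ip[0] = 0x45;                            // version 4, IHL 5 words
  ip.writeUInt16BE(20 + icmp.length, 2);   // total length
  ip[8] = 64;                              // TTL
  ip[9] = 1;                               // protocol: ICMP
  ipToBytes(src).copy(ip, 12);
  ipToBytes(dst).copy(ip, 16);
  ip.writeUInt16BE(inetChecksum(ip), 10);
  return Buffer.concat([ip, icmp]);
}

// Returns null for anything that is not a well-formed IPv4 ICMP datagram.
function parseIcmp(pkt) {
  if (pkt.length < 20 || pkt[0] >> 4 !== 4) return null;
  const ihl = (pkt[0] & 0x0f) * 4;
  if (ihl < 20 || pkt.length < ihl + 8 || pkt[9] !== 1) return null;
  const icmp = pkt.subarray(ihl);
  return {
    src: Array.from(pkt.subarray(12, 16)).join('.'),
    type: icmp[0],
    code: icmp[1],
    ipChecksumOk: inetChecksum(pkt.subarray(0, ihl)) === 0,
    icmpChecksumOk: inetChecksum(icmp) === 0,
  };
}

// packets: [{ ts: seconds as a float, bytes: Buffer }].  Buckets per whole
// second and flags buckets whose Type 3 Code 3 count reaches the threshold.
function detectBlackNurse(packets, thresholdPps = 40000) {
  const buckets = new Map();
  for (const { ts, bytes } of packets) {
    const p = parseIcmp(bytes);
    if (p === null) continue;
    const second = Math.floor(ts);
    let b = buckets.get(second);
    if (b === undefined) {
      b = { second, icmp: 0, unreach33: 0, sources: new Set() };
      buckets.set(second, b);
    }
    b.icmp += 1;
    if (p.type === 3 && p.code === 3) {
      b.unreach33 += 1;
      b.sources.add(p.src);
    }
  }
  return [...buckets.values()].sort((a, b) => a.second - b.second).map((b) => ({
    second: b.second, icmp: b.icmp, unreach33: b.unreach33,
    sources: b.sources.size, flagged: b.unreach33 >= thresholdPps,
  }));
}

// Constructed traffic: one second of attack at 45000 pps from eight spoofed
// sources, then one second of ordinary background ICMP (echo requests plus a
// few genuine port-unreachables).
function demo() {
  const victim = '198.51.100.1';
  const packets = [];
  for (let i = 0; i < 45000; i++) {
    packets.push({ ts: i / 45000, bytes: buildIcmp({ src: `203.0.113.${1 + (i % 8)}`, dst: victim, type: 3, code: 3 }) });
  }
  for (let i = 0; i < 100; i++) {
    packets.push({ ts: 1 + i / 100, bytes: buildIcmp({ src: '192.0.2.7', dst: victim, type: 8, code: 0 }) });
  }
  for (let i = 0; i < 50; i++) {
    packets.push({ ts: 1 + i / 50, bytes: buildIcmp({ src: '192.0.2.9', dst: victim, type: 3, code: 3 }) });
  }
  return detectBlackNurse(packets);
}
```

demo() returns one bucket per second: the first with 45000 Type 3 Code 3 packets from 8 sources and flagged true, the second with 150 ICMP packets of which 50 are Type 3 Code 3 and flagged false. The per-second source count is kept because a flood at this rate typically arrives from few or spoofed sources, which is useful context when deciding whether to drop Type 3 Code 3 at the outside interface as the advisory recommends.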
A malicious interaction with the keyctl usermode interface allows an attacker to crash the kernel. Processing the attached certificate in the kernel leads to a kernel NULL pointer dereference. This vulnerability can be triggered locally by any unprivileged user.
f84b2c209822d9c15501892e2c718cb3967a4db2792d9be2b18757f3378ca33c
The VHDMP driver does not safely delete files leading to arbitrary file deletion which could result in elevation of privilege.
83a9ca054e84e9cb0b4edffe665f32711fdddafa66cced5b63b30ba0907cfc2f
A Windows kernel crash can occur in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by nt!CmpCheckSecurityCellAccess while loading corrupted registry hive files.
5395350a5bb6db06990997f9489cc97555596c3fb508d3b40ddb43659f993001
The VHDMP driver does not open physical disk drives securely when creating a new VHD leading to information disclosure and elevation of privilege by allowing a user to access data they should not have access to.
ece66dd4e9a21d845f73e76160ee3d7d4ddb8db78f87bb255a2a71718d6d508c
The VHDMP driver does not safely create files related to Resilient Change Tracking, leading to arbitrary file overwrites under user control and thereby to elevation of privilege.
47779f4011b5478d641f7b65e43f21241798700a262c616442aaa6c5144cb4a7
This Metasploit module exploits a buffer overflow in the WinaXe 7.7 FTP client. The issue is triggered when the client connects to a malicious server while expecting the Server Ready response.
85d7535ae65c59c347e6f08373d814850760c27acc6b296cd04efd4c9b986b81
This Metasploit module exploits a vulnerability found in TrendMicro Smart Protection Server where untrusted inputs are fed to the ServWebExec system command, leading to command injection. Note that authentication is required to exploit this vulnerability.
c0669d4763a8b0f7006a57298e45c4f523d05ca9e7d1a8c304ef6ed3cde57c5f
This Metasploit module exploits a stack buffer overflow in Disk Pulse Enterprise 9.0.34. If an attacker sends a malicious HTTP login request, it is possible to execute a payload that runs under the Windows NT AUTHORITY\SYSTEM account. Due to size constraints, this module uses the Egghunter technique.
f5d3f6dc506476540894b621416c7db2b2aacb69a1d4a3c010a96e3d28c89e09
Linux kernel versions 4.4 and above built with CONFIG_BPF_SYSCALL, where the kernel.unprivileged_bpf_disabled sysctl is not set to 1, allow BPF to be abused for privilege escalation. Ubuntu 16.04 meets all of these conditions.
f1306f2352a229f463a8023d32004c95fc69e0766b3089ee18e864c38cfcb735
Dolphin versions 7.3.2 and below suffer from authentication bypass and remote command execution vulnerabilities.
a3bc7729982990d06aeb63a81d8dc62e185c70f5e8b4b10517cafc30d9fef6fa