A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts.
074ca17f20fc3585508db683bc708cadA heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType, implemented in a proprietary t2k library.
74f5b83ac15a386d0e98eb59705c2a66On Microsoft Windows, the LUAFV driver has a race condition in the LuafvPostReadWrite callback if delay virtualization has occurred during a read leading to the SECTION_OBJECT_POINTERS value being reset to the underlying file resulting in elevation of privilege.
6d02ec8a84f62a9cf2ee150b26a8f78aOn Microsoft Windows, the LUAFV driver can confuse the cache and memory manager to replace the contents of privileged file leading to elevation of privilege.
77b361493b8c0d502d033818bd814a0bOn Microsoft Windows, the NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV to apply a cached signature to an arbitrary file leading to a bypass of code signing enforcement under UMCI with Device Guard.
c842665e8c982e999825c50d9c78df7aOn Microsoft Windows, the LUAFV driver bypasses security checks to copy short names during file virtualization which can be tricked into writing an arbitrary short name leading to elevation of privilege.
dd49da95f51474f4c5e19bc2d1015952On Microsoft Windows, the LUAFV driver doesn't take into account a virtualized handle being duplicated to a more privileged process resulting in elevation of privilege.
a1fec4a7c7f902a8a18eb1e16515b938On Microsoft Windows, the LUAFV driver reuses the file's create request DesiredAccess parameter, which can include MAXIMUM_ACCESS, when virtualizing a file resulting in elevation of privilege.
3cb71794adeb390f66e06400fdb22445On Microsoft Windows, the SxS manifest cache in CSRSS uses a weak key allowing an attacker to fill a cache entry for a system binary leading to elevation of privilege.
9f3bf345b40d34f07347582eafa1a2c3Chrome suffers from a use-after-free vulnerability in FileChooserImpl.
9482cae8e5970a7f1be1609209542324JavaScriptCore suffer from an out-of-bounds access vulnerability in FTL JIT due to LICM moving array access before the bounds check.
666ca0b0b1f37dcfd1113b475c267cadChrome suffers from an internal object leak vulnerability in ReadableStream.
6a97d2f992936446497e3bbc759c1cfbChrome suffers from a type confusion vulnerability in JSPromise::TriggerPromiseReactions.
1da1ae35b490e46af58d5192967700ddJavaScriptCore suffers from CodeBlock use-after-free vulnerabilities due to dangling Watchpoints.
44941500a9bd200e3ded8e6050b94b65Chrome suffers from a type confusion vulnerability in V8TrustedTypePolicyOptions::ToImpl.
98c38647d36157a9c19284e8e46c2d46The compositor thread in WebKitGTK+ might alter a FilterOperation object's reference count variable at the same time as the main thread. Then the reference count corruption might lead to a use-after-free condition.
7cf03baad452fd88cc65c2145f359558XNU has an issue where pidversion increment during execve is unsafe.
98cad986f696210bc1f2b23ff3589ba7JavaScriptCore has an issue where createRegExpMatchesArray does not respect inferred types.
890d106035374c388ef370b205c1ca00A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects.
cdcb535655303de5282b8e9ce3804be5A bug in IonMonkeys type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that cause type confusions between arbitrary objects.
2d9234f04f13771cc4ba74f08b736649This is a critical memory corruption vulnerability in any API backed by verify_crt(), including gnutls_x509_trust_list_verify_crt() and related routines in GnuTLS.
ccebe291a8ca3ffea320b528513b5f23The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user which results in the elevated process sharing resources such as COM registrations with the normal user who can modify the registry to force an arbitrary DLL to be loaded into the VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.
89f47ed75e40cece6cb2c49cd4ca6364The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access. Unfortunately the process is created as the desktop user and follows the common pattern of impersonating the user while calling CreateProcessAsUser. This is an issue as the user has the ability to replace any drive letter for themselves, which allows a non-admin user to hijack the path to the VMX executable, allowing the user to get arbitrary code running as a trusted VMX process. Affects VMware Workstation Windows version 14.1.5 (on Windows 10). Also tested on VMware Player version 15.0.2.
c70a9a606361322046a94717d41168b1snap uses a seccomp filter with a blacklist for TIOCSTI can be circumvented.
d115b8657c274c5957091d315ab7e604NSS suffers from a NULL dereference issue when parsing Netscape Certificate Sequences in CERT_DecodeCertPackage().
35138609aae47bba66dfd5eb881a1aa8
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed