what you don't know can hurt you

Register | Login

FilesNewsUsersAuthors

Home Files News &[SERVICES_TAB]About Contact Add New

Showing 1 - 2 of 2

Files from Jietao Yang

Flash Broker-Based Sandbox Escape Via Unexpected Directory Lock

Posted Aug 19, 2015

Authored by Jietao Yang, Jihui Lu

FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker uses CreateFile to open the destination folder for check. If CreateFile fails, the destination will be considered as a valid path. However, FlashBroker uses dwShareMode as 0 in CreateFile, which make CreateFile always fail if handle of the destination folder is held by other.

tags | exploit, arbitrary

systems | linux

advisories | CVE-2015-3083

SHA-256 | 1833e423f195e8f2809219e0689a0b518a6badd8204abdb35e1d3ceaabc57452

Download | Favorite | View

Flash Broker-Based Sandbox Escape Via Forward Slash

Posted Aug 19, 2015

Authored by Jietao Yang

FlashBroker is vulnerable to an NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker only considers "\" as delimiter. If the destination includes "/", FlashBroker will use a wrong destination folder for check.

tags | exploit, arbitrary

systems | linux

advisories | CVE-2015-3082

SHA-256 | ecdb7f0d31c0d78cd25fb1e2a301573230e10f182d90e0e3e0fec1b6a16204ba

Download | Favorite | View