On newer macOS/iOS versions, entitlements in binary signature blobs are stored in the DER format. libCoreEntitlements.dylib is the userspace library for parsing and querying such entitlements. The kernel has its own version of this library inside the AppleMobileFileIntegrity module. libCoreEntitlements exposes several functions, such as, for example, to convert entitlements to a dictionary representation (e.g. CEQueryContextToCFDictionary) or to query a specific entitlement (CEContextQuery). Unfortunately, different functions traverse the DER structure in a subtly different way, which allows one API to see one set of entitlements and another API to see a different set of entitlements.
9313c983a56ba7500d8b9861b16b1c103ae3a9454de12a836126f89cec59a1b8There is a vulnerability in Cisco Jabber that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Cisco Jabber client, including XMPP stanzas that are normally sent only by the trusted server.
ed2115ba91caeae4b0245ae0141359b56fa7d27077ea7a8cb6d34c1aa2ad914cThere is an out-of-bounds write vulnerability when decoding a certain flavor of RAW image files on macOS. The vulnerability has been confirmed on macOS 12.3.1. Although the advisory notes an attached poc, Google did not have one attached.
b0cdd2ef0c901dd72ddd0b3fa6f8cc6fcb53635705915e5ec0c9100853c07cb3There is a vulnerability in Kik Messenger for Android that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Kik client, including XMPP stanzas that are normally sent only by the Kik server. Included is a proof of concept that demonstrates sending of the stc stanza which triggers a captcha dialog and opens an arbitrary attacker-control webpage on the victim client. However, the full impact is likely larger than this, and includes any application features accessible over XMPP.
3f66b31a34e395df392668d6453b6eee4bbfd623765c95d99108116f95c8a143Tigase XMPP server suffers from a security vulnerability due to not escaping double quote character when serializing parsed XML. This can be used to smuggle (or, if you prefer, inject) an arbitrary attacker-controlled stanza in the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).
80c339179764f04e39876070e482957638cbcf822ccdb04b5cc72ea035585e1eThis report describes a vulnerability chain that enables a malicious user to compromise another user over Zoom chat. User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol. Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom's client and server in order to be able to "smuggle" arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack. Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is utilized to bypass signature check on the update installer. This attack has been demonstrated against the latest (5.9.3) client running on Windows 64-bit, however some or all parts of the chain are likely applicable to other platforms.
c5835f3651ef4f351fdd27038787c6bd633712398f3562132cf3224e2a0a5e16Internet Explorer suffers from an issue where incorrect JIT optimization in jscript9.dll leads to memory corruption.
cb83b562636ea76e2bb8cf3458b612c7c7976ae831087491f462b16ec9a8758eJavaScriptCore suffers from a crash condition due to an uninitialized register in slow_path_profile_catch. Proof of concept that affects Safari is included.
8dd2cde7c2edb66fc6061ca48debe795fc639981944e4354c301b47af6a7c4b1There is a vulnerability in jscript9 that could potentially be exploited to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.
606c70d052dc8c1d7e1341312dd04cc58864a77781e24662e763b3034ce543ceThere is a vulnerability in jscript9 that could be potentially used by an attacker to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.
a69629e9e2a8eed322ffb78022a68eb8a35d57aa71fce77bfd75edc522377becCoreGraphics can be made to write out-of-bounds memory when rendering a specially crafted font. This vulnerability can also be triggered through Safari. The vulnerability was confirmed on macOS Big Sur version 11.1.
e8027d05a6dd6acb716ee4876e073b6e72b34b7dfda2f94a9e8c4770517e1dddThere is an out-of-bounds write vulnerability in WindowsCodecsRaw.dll in the COlympusE300LoadRaw::olympus_e300_load_raw function that can be triggered by parsing a crafted Olympus E300 raw image with Windows Imaging Component (WIC). The vulnerability has been reproduced on Windows 10 64-bit with the most recent patches applied.
d01f7ca6621863dce70b509fef4e28ee4b3568035e8e437b4e161e9285c8ecbbThere is an out-of-bounds write vulnerability when decoding a malformed PICT image on macOS. The vulnerability has been confirmed on the latest stable macOS version.
c35348d97c283eb70c823e79074d302b25abb42fe776372cea3414d300e1ce0dThere is an out-of bounds read vulnerability in WindowsCodecsRaw.dll while processing a malformed Canon raw image. This can potentially lead to disclosing the memory of the affected process. All applications that use Windows Image Codecs for image parsing are potentially affected. The vulnerability has been confirmed on Windows 10 v2004 with the most recent patches applied.
449ae24e2e05dd0778a7ef251c34dfe7a3baf77ef865a69c498ccb7a059d82e3Microsoft Internet Explorer suffers from a use-after-free vulnerability in Script arguments during toJSON callback.
8028683bdacfe9537d7aa6ebec7ccf45a6d6f6e1549c16b0e3cc53a6d8853f2bMicrosoft Edge suffers from a Flash click2play bypass with CObjectElement::FinalCreateObject.
fdda336815ac63fe08759882eed8c25471acba4310abb045c2527612f4538060There is an issue in VBScript in the VbsErase function. In some cases, VbsErase fails to clear the argument variable properly, which can trivially lead to crafting a variable with the array type, but with a pointer controlled controlled by an attacker.
e3cbf1077875f9a05eea70f53538809230cbe1a14641ae99c456cce2835e9409Microsoft Edge has an issue where the default flash click2play whitelist is insecure.
b67a708bf7118de58f25eedb37a2a8891d000105b033f1e3397bcf8d54354a2aIncorrect convexity assumptions in Skia can lead to multiple buffer overflow vulnerabilities.
3a576a2a2e1e3f21c3c1af4f1257d137b7f010a80f1df3c8ddb7ca7a404aec6dStarting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default. However, the VBScript execution policy does not appear to cover VBScript code in MSXML xsl files which can still execute VBScript, even when loaded from the Internet Zone.
b0f1afdfeed7b58164b0ac07caec27811ba02f778e45365490b8d741eb009e35There is an reference leak in Microsoft VBScript that can be turned into an use-after-free given sufficient time. The vulnerability has been confirmed in Internet Explorer on various Windows versions with the latest patches applied.
bbed7824f89e9377c1a62b7a38d9841ad9be96f597755fed927b3e56bee44b2cThere is an out-of-bounds write vulnerability in jscript.dll in the JsArrayFunctionHeapSort function. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network.
44579881567c53e64a8aab7be8ad5b9de9c62e57487408187bfa4fe7b1adbd56There is an out-of-bounds vulnerability in Microsoft VBScript in rtFilter. The vulnerability has been confirmed in Internet Explorer on Windows 7 with the latest patches applied.
787b477ccfcf4e5ec10751b188d5bc87141748ffcd37526a29a5654c900f7593There is a use-after-free vulnerability in Microsoft VBScript. The vulnerability has been confirmed in Internet Explorer on Windows 7 with the latest patches applied. There are possibly two vulnerabilities triggerable by the same proof of concept included.
4d368e653a42596f0318f358cc51225567ac7ae3f445045de8e6e98d697a4007WebKit suffers from a WebCore::InlineTextBox::paint out-of-bounds read vulnerability.
994518e9454b66b07b1cd4ca2b9c80bad5057866a1f0bfc7cba8cbaab2478e58
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed