The msExchStorageGroup schema class added during Exchange installation can be used to create almost any AD object including users, groups or domain trusts leading to elevation of privilege.
5f885a87a9be3f10bfe9e9e4c08c923cThe default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.
37069deaf47980f1a4c39f62bc13ce25Tor suffers from an issue where half-closed connection tracking ignores layer_hint and due to this, entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between OP and exit.
e8e6c45ee71383e0832c1cb3f3a8c903Microsoft Windows has an issue where you can use the CreateProcessWithLogon API to escape a write restricted service and achieve full write access as the service user.
00f7a019dea4bf3a1d19442fae579890XNU suffers from a network stack kernel heap overflow due to an out-of-bounds memmove in 6lowpan. Proof of concept code included.
9333b7751aa7686ac0ca4c62a49c3d4eASProtect embeds a runtime DLL that is susceptible to memory corruption. Crash testcase provided.
c5dfe0f9444bf0d36677505f5db2acdcA KVM guest on AMD can launch a L2 guest without the Intercept VMRUN control bit by exploiting a TOCTOU vulnerability in nested_svm_vmrun. Executing vmrun from the L2 guest, will then trigger a second call to nested_svm_vmrun and corrupt svm->nested.hsave with data copied out of the L2 vmcb. For kernel versions that include the commit "2fcf4876: KVM: nSVM: implement on demand allocation of the nested state" (>=5.10), the guest can free the MSR permission bit in svm->nested.msrpm, while it's still in use and gain unrestricted access to host MSRs.
814987fd3e7902c83f77c7f4aa4a3585The Windows Filtering Platform does not verify the token impersonation level when checking filters allowing the bypass of firewall rules leading to elevation of privilege.
982aa6db9c233f089f2999f0cd8711c3Fedora with Gnome has an issue where it is not using fscaps safely.
137193ebd7236c05c0e162358341652eKerberos supports a security buffer to set the target SPN of a ticket bypassing the SPN check in LSASS.
3ff870010a0eb4e32567d271f6a816baSamsung NPU (Neural Processing Unit) suffers from an out-of-bounds write vulnerability in npu_session_format.
1d07a468d88f6847215bbd10504dbcf2ChromeOS suffers from a missing path restriction vulnerability in arc-obb-mounter.
d37b7a8eceb81455f4119e17205b9635SandboxedUnpacker in Chrome uses shared memory in an unsafe fashion.
c1b37408c40a92f21b1c5a084fa55b6cThere is a vulnerability in jscript9 that could potentially be exploited to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.
7bf1477df1aec690e996f9ebbce9b10cLooking at the Mojo implementation of Chrome's legacy IPC, the legacy ipc::Message type is transferred inside a BigBuffer.
1875fce290dce6b3abaf92746666dafaThere is a heap corruption bug that can occur when QT processes a malformed TIFF image. It happens because the size of the QImageData backing the image is calculated is calculated using the format of the image, meanwhile TIFFReadScanline calculates the length to be read based on TIFFScanlineSize, which determines the size base on three tags in the TIFF file, width, samples per pixel and bits per sample.
1a0ad550a77bf87e59f4c4f358cae2f2Gstreamer suffers from a use-after-free vulnerability in Matroska demuxing.
8295d83b0f5ff21a0ba7ec7f666eeee2The QImage class can read out-of-bounds when reading a specially-crafted PNG file, where a tag byte offset goes out of bounds. This could potentially allow an attacker to determine values in memory based on the QImage pixels, if QT is used to process untrusted images.
26119d4fbb3aaf3d523b1a23162d477bThe QImageReader class can read out-of-bounds when converting a specially-crafted TIFF file into a QImage, where the TIFF tile length is inconsistent with the tile size. This could potentially allow an attacker to determine values in memory based of the QImage pixels, if QT is used to process untrusted images.
5ab17349daeac6651bf3ab6ee0c7fee9The fix for CVE-2021-21148 has added a check in |ValueSerializer::WriteJSArrayBuffer| to make sure non-detachable array buffers cannot be transferred. The check can be bypassed with the help of asm.js and property getters.
2c54899cf0b5cf9ab027a5329061b62eThere is a vulnerability in jscript9 that could be potentially used by an attacker to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.
50dcfd05a094914cf819e98d3f2de507The Container Manager Service does not configure STORVSP correctly when opening mapped named pipes leading to privilege escalation.
970b0826e9c53e62fb981f362a8095f7The Container Manager Service creates an AppContainer process without impersonating the access token leading to privilege escalation.
ad4654c8ed7054c3225224811ba94b15The Container Manager Service does not impersonate the caller when granting access to virtual disk images leading to privilege escalation.
ae8247dda745d9d8d6c85bfb03878028The Container Manager Service accepts an access token provided by the user without verification allowing an arbitrary process to be created with another user identity leading to privilege escalation.
12c1abb8e71fc62e306c9bc1dea254d3
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed