There is an intra-object overflow in Shannon Baseband, inside the 5G SM protocol implementation (NrSmMsgCodec as it is called in Shannon according to debug strings), when decoding the Extended protocol configuration options message (IEI = 0x7B).
fbcb90e472d2e3ece0a5999daefccbac91cb16b93b5bdde7163bb7f5b46c8021There is an intra-object overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Service Area List message (IEI = 0x27).
ca27ff3f40a5cef1422ff326c82c6ac37d4d2a24ac33342144bc8a5c84aa2848There is a heap buffer overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Operator-defined access category definitions message (IEI = 0x76).
0d9b32ed9b931576486f7e7630f9b8e393f008ff2bccc77a8e30f84a45f1e0f0There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Extended emergency number list" message (IEI = 0x7A).
ba04bb179ad4db118c637bfe6c329d2d3ebef7e310034bd5a8af11fa0123adc3There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Emergency number list" message (IEI = 0x34).
ff7c534a4bbc11dc3cd3ac7fb2571e8b2fc9cddf789fa05fff2fc30be17f2acaOn newer macOS/iOS versions, entitlements in binary signature blobs are stored in the DER format. libCoreEntitlements.dylib is the userspace library for parsing and querying such entitlements. The kernel has its own version of this library inside the AppleMobileFileIntegrity module. libCoreEntitlements exposes several functions, such as, for example, to convert entitlements to a dictionary representation (e.g. CEQueryContextToCFDictionary) or to query a specific entitlement (CEContextQuery). Unfortunately, different functions traverse the DER structure in a subtly different way, which allows one API to see one set of entitlements and another API to see a different set of entitlements.
9313c983a56ba7500d8b9861b16b1c103ae3a9454de12a836126f89cec59a1b8There is a vulnerability in Cisco Jabber that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Cisco Jabber client, including XMPP stanzas that are normally sent only by the trusted server.
ed2115ba91caeae4b0245ae0141359b56fa7d27077ea7a8cb6d34c1aa2ad914cThere is an out-of-bounds write vulnerability when decoding a certain flavor of RAW image files on macOS. The vulnerability has been confirmed on macOS 12.3.1. Although the advisory notes an attached poc, Google did not have one attached.
b0cdd2ef0c901dd72ddd0b3fa6f8cc6fcb53635705915e5ec0c9100853c07cb3There is a vulnerability in Kik Messenger for Android that allows an attacker to send arbitrary XMPP stanzas (XMPP control messages) to another Kik client, including XMPP stanzas that are normally sent only by the Kik server. Included is a proof of concept that demonstrates sending of the stc stanza which triggers a captcha dialog and opens an arbitrary attacker-control webpage on the victim client. However, the full impact is likely larger than this, and includes any application features accessible over XMPP.
3f66b31a34e395df392668d6453b6eee4bbfd623765c95d99108116f95c8a143Tigase XMPP server suffers from a security vulnerability due to not escaping double quote character when serializing parsed XML. This can be used to smuggle (or, if you prefer, inject) an arbitrary attacker-controlled stanza in the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).
80c339179764f04e39876070e482957638cbcf822ccdb04b5cc72ea035585e1eThis report describes a vulnerability chain that enables a malicious user to compromise another user over Zoom chat. User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol. Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom's client and server in order to be able to "smuggle" arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack. Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is utilized to bypass signature check on the update installer. This attack has been demonstrated against the latest (5.9.3) client running on Windows 64-bit, however some or all parts of the chain are likely applicable to other platforms.
c5835f3651ef4f351fdd27038787c6bd633712398f3562132cf3224e2a0a5e16Internet Explorer suffers from an issue where incorrect JIT optimization in jscript9.dll leads to memory corruption.
cb83b562636ea76e2bb8cf3458b612c7c7976ae831087491f462b16ec9a8758eJavaScriptCore suffers from a crash condition due to an uninitialized register in slow_path_profile_catch. Proof of concept that affects Safari is included.
8dd2cde7c2edb66fc6061ca48debe795fc639981944e4354c301b47af6a7c4b1There is a vulnerability in jscript9 that could potentially be exploited to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.
606c70d052dc8c1d7e1341312dd04cc58864a77781e24662e763b3034ce543ceThere is a vulnerability in jscript9 that could be potentially used by an attacker to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.
a69629e9e2a8eed322ffb78022a68eb8a35d57aa71fce77bfd75edc522377becCoreGraphics can be made to write out-of-bounds memory when rendering a specially crafted font. This vulnerability can also be triggered through Safari. The vulnerability was confirmed on macOS Big Sur version 11.1.
e8027d05a6dd6acb716ee4876e073b6e72b34b7dfda2f94a9e8c4770517e1dddThere is an out-of-bounds write vulnerability in WindowsCodecsRaw.dll in the COlympusE300LoadRaw::olympus_e300_load_raw function that can be triggered by parsing a crafted Olympus E300 raw image with Windows Imaging Component (WIC). The vulnerability has been reproduced on Windows 10 64-bit with the most recent patches applied.
d01f7ca6621863dce70b509fef4e28ee4b3568035e8e437b4e161e9285c8ecbbThere is an out-of-bounds write vulnerability when decoding a malformed PICT image on macOS. The vulnerability has been confirmed on the latest stable macOS version.
c35348d97c283eb70c823e79074d302b25abb42fe776372cea3414d300e1ce0dThere is an out-of bounds read vulnerability in WindowsCodecsRaw.dll while processing a malformed Canon raw image. This can potentially lead to disclosing the memory of the affected process. All applications that use Windows Image Codecs for image parsing are potentially affected. The vulnerability has been confirmed on Windows 10 v2004 with the most recent patches applied.
449ae24e2e05dd0778a7ef251c34dfe7a3baf77ef865a69c498ccb7a059d82e3Microsoft Internet Explorer suffers from a use-after-free vulnerability in Script arguments during toJSON callback.
8028683bdacfe9537d7aa6ebec7ccf45a6d6f6e1549c16b0e3cc53a6d8853f2bMicrosoft Edge suffers from a Flash click2play bypass with CObjectElement::FinalCreateObject.
fdda336815ac63fe08759882eed8c25471acba4310abb045c2527612f4538060There is an issue in VBScript in the VbsErase function. In some cases, VbsErase fails to clear the argument variable properly, which can trivially lead to crafting a variable with the array type, but with a pointer controlled controlled by an attacker.
e3cbf1077875f9a05eea70f53538809230cbe1a14641ae99c456cce2835e9409Microsoft Edge has an issue where the default flash click2play whitelist is insecure.
b67a708bf7118de58f25eedb37a2a8891d000105b033f1e3397bcf8d54354a2aIncorrect convexity assumptions in Skia can lead to multiple buffer overflow vulnerabilities.
3a576a2a2e1e3f21c3c1af4f1257d137b7f010a80f1df3c8ddb7ca7a404aec6dStarting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default. However, the VBScript execution policy does not appear to cover VBScript code in MSXML xsl files which can still execute VBScript, even when loaded from the Internet Zone.
b0f1afdfeed7b58164b0ac07caec27811ba02f778e45365490b8d741eb009e35
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed