Avast suffers from a stack buffer overflow where strncpy length is discarded.
981421efbeda26558ee522287dc5c8002378d0c6e8c1dc43d8d74a5242e44a1cIt is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. This attack also works on Office 2013 running on Windows 7 x64. Other platforms were not tested. The attached POC document "planted-mqrt.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {ecabafc9-7f19-11d2-978e-0000f8757e2a} (formatted as pack(">IHHBBBBBBBB")). This object has a InProcServer32 pointing to comsvcs.dll. Specifically the CQueueAdmin object implemented in the dll. When a user opens this document and single clicks on the icon for foo.txt ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to a class factory constructor that tries eventually tries to call mqrt!MQGetPrivateComputerInformation. Because mqrt is a delay loaded dll the loader has inserted a stub to call _tailMerge_mqrt_dll on the first call of this function. This results in a kernelbase!LoadLibraryExA call vulnerable to dll planting. If the attached mqrt.dll is placed in the same directory with the planted-mqrt.doc file you should see a popup coming from this DLL being loaded from the current working directory of Word.
5771239566a3dd5497acb6e81362fcbfc38081d79243fb0cdde1f2ddb41c01c8The attached PEncrypt packed executable causes an OOB write on Avast Server Edition. The attached testcase has the password "infected" to avoid disrupting your mail server.
1dc9821304f839db90568189d065d1bd7ea2eccbddbf7cf1e21c22686b6ddda4Trivial fuzzing of molebox archives revealed a heap overflow decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITY\SYSTEM.
9006764eb2a662f1500a7aa2992e20fb3ecac298b87aed2a54131e2f36307888The attached Microsoft Access Database causes JetDb::IsExploited4x to be called, which contains an unbounded search for objects.
8da5165beab1e91ccd76caa05545423e4f4b91564417f8cdfde58748e1b71575The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize early. The researcher observed this crash in Avast Antivirus, but the origin of the code appears to be the unrar source distribution. Many other antiviruses may be affected, and presumably WinRAR and other archivers.
f997e4c151ea3e156d9094a7b24afa34f8a5710d3d6e665444df919da07dc43cIf the numFonts field in the TTC header is greater than (SIZE_MAX+1) / 4, an integer overflow occurs in filevirus_ttf() when calling CSafeGenFile::SafeLockBuffer.
f677bb58e1b1048a5746cfc026a361e68396925db1aa60baa097504025056cfdIf IExternalizable.readExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.
737efddab602eec39d06bc429fedf7225e7faf8def073ec48a4f8043b9874e33There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.
625ab1bc7c4d776092e3752495889f2493737fe86bdd8d69ac60ec2b69f50ef2Kaspersky Virtual Keyboard suffers from a path traversal vulnerability.
c6c95fb5482461d979dcaea9ccd55fe337bf44a3c13647033eef85646190e4cbTor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).
493a8679f904503048114aca6467faef56861206bab8283d858f37141d95105dThis Metasploit module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null bye at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM. Please note that by default, some ManageEngine Desktop Central versions run on port 8020, but older ones run on port 8040. Also, using this exploit will leave debugging information produced by FileUploadServlet in file rdslog0.txt. This exploit was successfully tested on version 9, build 90109 and build 91084.
8c99cf5f1217da665c86fd771e4aa70d6faca00dd6c6fcfa981543f8297351afThis Metasploit module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. Authentication is not required to exploit this vulnerability.
782645570bac4c529e2ccd8ab1e298b919bf154a4c1e1619b5df9efcd12e1501WordPress Admin Management Xtended plugin version 2.4.0 suffers from a privilege escalation vulnerability.
9b362b9ab07bf2eed14ac27b13523e29a163c28f80ec38b876dcdb55af0d6696SAP NetWeaver J2EE engine version 7.40 suffers from a cross site scripting vulnerability.
46e13fc2d08d4f2a2f7596ad65d82e874901eb76b42dca36ca647644e7bc1891SAP NetWeaver J2EE engine version 7.40 suffers from a remote SQL injection vulnerability.
b8ba26b8f5b9d0f92e607106034454f1bc8b74eff9a4d560a2a111acb23b6525This tool enables a forensic investigator to map connections to originating processes on Android. It does not require root privileges but requires adb and usb debugging. It is meant to assist in detection of malicious APKs.
eedc44e09534f1c71557e98530d738af8b8bd453581549b3ddb72e95a6d93ed0mrtparse is a module to read and analyze the MRT format data. The MRT format data can be used to export routing protocol messages, state changes, and routing information base contents, and is standardized in RFC6396. Programs like Quagga / Zebra, BIRD, OpenBGPD and PyRT can dump the MRT format data. Written in Python.
0d4ba7bd018cad02860ccb1cba6e0eb619c7f2c5ab89af734e1e046981babfaeA reflected cross site scripting vulnerability was found in synnefoclient for Synnefo IMS 2015. The vulnerability has been discovered in the plan_name parameter on the request to fetch the package details for the logged in user. Request method is GET.
1aa548f792cd26dae870dc249c5997d19468b01ddea5005e482ca88a5e16bec8Joomla Shape 5 MP3 Player version 2.0 suffers from a local file disclosure vulnerability.
9fc4f80c339f4969c4baad3e0bf59da9dd64faf7366bdfec4b599baaca7a767aHP Security Bulletin HPSBHF03431 1 - Potential security vulnerabilities have been identified with HPE Network Switches. The vulnerabilities could be exploited locally to allow bypass of security restrictions, and indirect vulnerabilities. Revision 1 of this advisory.
9a821e4577df5ef3172503a2ddc94868fc748e366877c6623fc49b8e23238965Debian Linux Security Advisory 3417-1 - Tibor Jager, Jorg Schwenk, and Juraj Somorovsky, from Horst Gortz Institute for IT Security, published a paper in ESORICS 2015 where they describe an invalid curve attack in Bouncy Castle Crypto, a Java library for cryptography. An attacker is able to recover private Elliptic Curve keys from different applications, for example, TLS servers.
158a825b04f0f40bb96f1d9a00a016aba3e89852c2b38ad9489af18ccb50c100Ubuntu Security Notice 2834-1 - Kostya Serebryany discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. CVE-2015-7497,CVE-2015-7498, CVE-2015-7499, Hugh Davenport discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. Various other issues were also addressed.
61b96556b93c6f6ad5083cbd7aa53bd7fe2308b3eabfb234f8691cc54ba5f437Debian Linux Security Advisory 3416-1 - Takeshi Terada discovered a vulnerability in PHPMailer, a PHP library for email transfer, used by many CMSs. The library accepted email addresses and SMTP commands containing line breaks, which can be abused by an attacker to inject messages.
1410bd2881e97706204c2cb60bcb42189bced0ddb685460ac61f925cdffd1cb9Red Hat Security Advisory 2015-2618-01 - Chromium is an open-source web browser, powered by WebKit. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. All Chromium users should upgrade to these updated packages, which contain Chromium version 47.0.2526.80, which corrects these issues. After installing the update, Chromium must be restarted for the changes to take effect.
94ea6373bf25d07b9bbc098c12ae5e7c25885ecc5b6f2bc2f3ec9d7fb18fb1d4
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed