The Microsoft Windows kernel pool address is leaked via an undocumented GetFontData feature in ATMFD.
0fc9e0391632fca8d511a3b229bca0a1Anti-Virus solutions are split into several different components (an unprivileged user mode part, a privileged user mode part and a kernel component). Logically the different systems talk to each other. By abusing NTFS directory junctions it is possible from the unprivileged user mode part ("the UI") to restore files from the virus quarantine with the permissions of the privileged user mode part ("Windows service"). This may results in a privileged file write vulnerability.
7862227fbd0c9e346e9689c3307fcd0aPSFTPd Windows FTP Server version 10.0.4 Build 729 suffers from use-after-free, log injection, and various other vulnerabilities.
a6b220a3915564ca47ef1ce14c453651Datto Windows Agent suffers from multiple remote code execution vulnerabilities.
676d485c422ed3c22a813b3845e1997aThis Metasploit module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.
e8d2e4d615be10d88bf8b20b6b549143Dialog Mobile Broadband version 23.015.11.01.297 suffers from a dll hijacking vulnerability.
d50ba80bd092d2bcf2040522c57ed047MIMEDefang is a flexible MIME email scanner designed to protect Windows clients from viruses. Includes the ability to do many other kinds of mail processing, such as replacing parts of messages with URLs. It can alter or delete various parts of a MIME message according to a very flexible configuration file. It can also bounce messages with unacceptable attachments. MIMEDefang works with the Sendmail 8.11 and newer "Milter" API, which makes it more flexible and efficient than procmail-based approaches.
77b2f2178727dc600a9c1cf075b0ecd8Apple Security Advisory 2017-10-31-7 - iCloud for Windows 7.1 is now available and addresses multiple code execution vulnerabilities.
26891f75fd57c0122ac654f4a17c984cApple Security Advisory 2017-10-31-6 - iTunes 12.7.1 for Windows is now available and addresses multiple code execution vulnerabilities.
4a902dbb65b5e5fff878166c822f5799Microsoft Windows 10 Creators Update suffers from a 32-bit execution of ring-0 code from NULL page via NtQuerySystemInformation (class 185, Warbird functionality).
3b1777f8309fb6e91148a1b542d501efThe Windows Attachment Manager does not correctly handle JAR files marked as high risk when accessed via Internet Explorer 11.
0a2b101ba0ba57f6c9393f4be248261bUnder certain circumstances a shared folder on Windows can be abused remotely to obtain the user credentials and to freeze the machine.
75df1861286943e3f336ac2f00048071Whitepaper called Hacksys Extreme Vulnerable Windows Driver Analysis. Part 1 of a series. Written in Arabic.
c6aaef0e16af84719f2f55fdbf70e8dbMicrosoft Windows Game Definition File Editor (GDFMaker) version 6.3.9600.16384 suffers from an XML external entity injection vulnerability.
c7d0ae4a7bf14a2d1e2cae2ae115040aThis advisory discusses a Microsoft Windows kernel pool memory disclosure into NTFS metadata ($LogFile) in Ntfs!LfsRestartLogFile.
f4472007f780b633aa086c20fa3c9ee8The Microsoft Windows kernel pool suffers from a nt!RtlpCopyLegacyContextX86 related memory disclosure vulnerability.
e7fc69388cdf09d854702265504b52eb117 bytes small Windows x64 API hooking shellcode.
0e1f30f71a25c4a08e91b66ad4ca90deThere exists an unauthenticated SEH based vulnerability in the HTTP server of Sync Breeze Enterprise version 10.1.16, when sending a GET request with an excessive length it is possible for a malicious user to overwrite the SEH record and execute a payload that would run under the Windows NT AUTHORITY\SYSTEM account. The SEH record is overwritten with a "POP,POP,RET" pointer from the application library libspp.dll. This exploit has been successfully tested on Windows XP, 7 and 10 (x86->x64). It should work against all versions of Windows and service packs.
d7371f0084bb280d35baaca73d2c929dThis Metasploit module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off by abusing the way "WinSxS" works in Windows systems. This Metasploit module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also).
168e1d24d366b109430b6a8f6c85ad79Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers.
237525d8f189f1253ca18b00a055eccbThe PostgreSQL 10 installer for Windows suffers from a dll hijacking vulnerability.
f46c2b1ad8a1d5e4276cb73262711868This is a collection of exploits for the recently-patched win32kfull!bFill vulnerability. Executing the Palette or Bitmap exploit will give you SYSTEM privileges on the affected system. The exploits should work fine on Windows 10 x64 with Creators Update, build 15063.540 (latest version of Win10 before the release of Microsoft's September Updates).
1bbb2193435fcfc4958108cf2fde83e9HP Security Bulletin HPESBMU03753 1 - Several potential security vulnerabilities have been identified in HPE System Management Homepage (SMH) on Windows and Linux. The vulnerabilities could be exploited remotely resulting in Cross-site scripting, local and remote Denial of Service, local and remote execution of arbitrary code, local elevation of privilege and local unqualified configuration change. Revision 1 of this advisory.
3610a8a805b73bebd3f6895b697cadacEMC AppSync host plug-in on Windows platform includes a denial of service (DoS) vulnerability that could potentially be exploited by malicious users to compromise the affected system. Versions 3.5 and below are affected.
0dc5c768a6b91e7f30ed970745210698Apple Security Advisory 2017-09-25-8 - iTunes 12.7 for Windows addresses code execution, memory corruption, and various other vulnerabilities.
306ff87175ca8e8645b30d800ae4ccb2
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed