Samsung Galaxy S6 LibQjpeg memory corruption proof of concept exploit.
00a3e0053aaaff6e526e5ce32b3ddb9478f66295e94d52e198a75a61fc3556edSamsung Galaxy S7 Edge suffers from an OMACP WbXml string extension processing overflow vulnerability.
307b84753200201a99532b1e82caa0fe6cf50e88e77c62e1a9a31d3768ba87c4This jpg file causes an invalid pointer to be freed when media scanning occurs on Samsung Galaxy S6.
c28f5048c94508b781d43243304bf68709181131a5a4fdac2d1d3ce2a45f4842Samsung Galaxy S6 suffers from a gif parsing crash in Samsung Gallery.
1888e67a728513e8cd393db3e20349262212f24acc1bffc72a4c47bc6d390b05Samsung Galaxy S6 suffers from a bitmap decoding crash in Samsung Gallery.
b5dfd64ba8ca5fdf49e8b162af363928f2cc6086a53817ac47499c6c57342a90Samsung Galaxy S6 Android.media.process face recognition memory corruption proof of concept exploit.
a5e7dfca54ad57cd87ac2d393d7a5abcda17cd922cada6c71474e80ae98e77e0The Task Scheduler can be made to delete a task after it's trigger has expired. No check is made to ensure the task file is not a junction which allows arbitrary files to be deleted by the system user leading to EoP.
c30785bf661d0d66daa78abe61a94c360587d6e66ae875cfc5a81dc4ec54b02eThe NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.
9bcf7274e363f1dc579d9ed68048a01019d56cc2f841f1a4a04c182389196296Microsoft Excel 2007 running on Windows 2003 suffers from a use-after-free vulnerability.
460bd27af88f7165a795d698b85d2e4cd8c83732200f70dc5c84e7b8e4818f79A use-after-free crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.
3b2e620089c3777eb2d36942713f33cf68f9865e894dbaee83bdbdb3af57385cA type confusion crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.
247823ed9395d266e8674965a149848a04a5b7380aa2bf3723839d71d6ca65a6The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.
6a43091589e97afa78001dc6e8f0c4e88aed1de975f8578e7b0706c3c45901f3The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.
6aef4dd16b7085d61fe94cd118f3ece652f9cd33df0722b63a4bf31f53557554An OS X IOKit kernel memory corruption issue occurs due to a bad bzero in IOBluetoothDevice.
f3d2f3b8051f90b86f0cfd263f09f98a7e0e04c1e1fcff20c13e3ca8f318052cAdobe Reader X and XI for windows suffers from an out-of-bounds write in CoolType.dll.
94d511f0b5c52532ba8c4998f0ae71bb9ef6d1788cd193c33ea257be138b259fThe Windows Kernel is subject to two related kernel-mode type-confusion vulnerabilities inside win32k!xxxRemoteReconnect. In both cases, a user-mode parameter passed to the syscall is incorrectly resolved to its underlying kernel representation via ObReferenceObjectByHandle passing NULL as the "ObType" field (rather than *IoFileTypeObject and *IoDeviceTypeObject respectively). Because the type is not checked, if a handle of a type other than a HANDLE to a file and a device are passed, the kernel incorrectly uses the underlying representation of the object as a PFILE_OBJECT and a PDEVICE_OBJECT, causing memory corruption in the kernel.
1fc87129199a0c6cd9e6a9fa146cc6e891c7331266896538d14fc884c57013baThe Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time. By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first and passing a custom object as the directory name we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD priviledges are per-process this means that our other proxy object will now have euid 0 without having to provide an authorization reference. In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function which will then drop privs.
1fd4f2bf985f7460d71d17680841dc5c059fe7c05b9a7ac1a776291868ff74e3The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root and exploitable.
a34aa2485110ffeff9b63cf7063d71e3ac6548549f001e7517073b7f1ffaa5caInstall.framework has a suid root binary at /System/Library/PrivateFrameworks/Install.framework/Resources/runner that allows for arbitrary mkdir, unlink, and chown.
4b9ea14e8540ddbdec18fe305074224119369e420b4ed663a1f2bac393fa7f15The Windows Kernel is subject to a kernel-mode type-confusion vulnerability inside win32k!NtUserSetInformationThread due to referencing a user-mode handle via ObReferenceObjectByHandle with a "NULL" type specified (it should instead be using *LpcPortObjectType to protect against this vulnerability). This vulnerability can be triggered from inside CSRSS via the syscall win32k!NtUserSetInformationThread with ThreadInformationClass set to "UserThreadCsrApiPort" and the parameter of the syscall set to a HANDLE that is not an LPC object.
f08ca467d2241babc70e51da65057abb65b9ecf85249b35405cfc513910c45d6The programmable interrupt timer (PIT) controller in QEMU does not correctly validate the channel number when performing IO writes to the device controller, allowing both an information disclosure and a heap overflow within the context of the host.
13f86bfcab19e0b4b4a2b31f5267866e4f2e1bf60fa810d064d79e7a787b0c07Microsoft Office 2007 suffers from a RTF XML SmartTags use-after-free vulnerability.
9112fd06f8a9594124ac555685a4c390b42d8b36cbf029a9deca63894f80b49eMicrosoft Office 2007 suffers from a OneTableDocumentStream invalid object vulnerability.
71aae25eeff40a890630b5def4b9a4c33395e8cd48b05b1af664a30be591e023Microsoft Office 2007 suffers from a stack-based buffer overflow vulnerability when handling a malformed document.
fc3f3a43acba1f2993d16df8be2f8af7217caf24ea88bc37b3ab71571b41e296Flash suffers from a use-after-free vulnerability in SurfaceFilterList::CreateFromScriptAtom.
f25272c8a1f372c28e643e729835debc9a97b7068e8da8e97a5a220acf1e5a89Flash version 18.0.0.209 contains new mitigations to defend against corruptions of Vector.<uint> (and other) lengths. One of these mitigations, at Vector access time, compares the Vector's in-memory length with a representation of the same length XOR'ed with a secret cookie. The bypass comes about because the secret cookie value is stored inside a structure, and a pointer to that structure is stored alongside the Vector length.
fcdf12cd364c0ea733d2eac6b27e7d2f9f878fe5206bb8c75cbfc449ce599745
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed