Samsung Galaxy S6 LibQjpeg memory corruption proof of concept exploit.
00a3e0053aaaff6e526e5ce32b3ddb9478f66295e94d52e198a75a61fc3556edWhen setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains in the stack.
784ff7b73b5ba4aba1ac24bbe51f62d68e8c1405d60181192fb3613898562723There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property.
2e1c6f0cbff4d283e27bc67ff2c3d6a2f97825e1fb4b4c03692fb92493f675d7In certain cases where a native AS2 class sets an internal variable, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.contentType, this applies to several other variables including many properties of the Sound and NetStream classes.
988359360be0f5f9adf193f6cd3a04d83c07dd40e147fd6dcd237b7482c3bf8cAn instance of ActionScript's Sound class allows for loading and extracting for further processing any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, loaded previously from given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. The sample block consists of 8 bytes (first 4 bytes for left channel and next 4 bytes for right channel). Only 2 bytes from 8 sound blocks (64 bytes) are crucial, the rest 52 bytes are useless. Each byte of input from range 0-255 has corresponding constant unsigned integer value (a result of encoding), so for decoding purposes you can use simply lookup table (cf. source code from BoundlessTunes.as).
fc4873a13244f4cbc031eca310103bf8bf2dd9f88a4c98659fde47aa2310d88dIf the fpadInfo property of a NetConnection object is a SharedObject, a use-after-free occurs when the property is deleted.
b56d353e5eaa5e4528ff1ffb7dc841c80fd0d96e3e3d63729b195cd39ca14474Three use-after-free proof of concept exploits for Flash.
2e4eefce9ede8e949e02bc78fdf89f165e66883de32412b8f8591292e5d9a762A use-after-free bug exists while setting the TextFilter.filters array.
31a6c05930a52b35dcd3d8092a6d0a8288bfbf9225bc353369358d98b9ab95b8There is a use-after-free issue if the scale9Grid setting is called on an object with a member that then frees display item. This issue occurs for both MovieClips and Buttons, it needs to be fixed in both classes.
80b4a9baafb714f2dd9d49514a0fc66cae5b4722cb091640d14ef74e3e9fafccThis is a OOB read vulnerability when processing the SCRIPTDATASTRING object in Flv file.
b7ac22badf51c7c646164605a8e31a6bc88e7bf96892a72cbd86c59704b16c46Researchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
f3c9bc75807a1970026b1a04826e0374c827b906a3593467dfd94e746404d46eResearchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
6e52ae3b34903df13fac42f16c8c4249f5713a3b28e9e618f11bd01a076bfda5If a watch is set on the childNodes object of an XML object, and then the XML object is manipulated in a way that causes its child nodes to be enumerated, the watch will trigger. If the function in the watch deletes all the child nodes, the buffer containing the nodes will be deleted, even though the original function will still access it when it unwinds. This can lead to a childnodes array in ActionScript containing pointers that can be specified by an attacker.
1295da6dedc93d6a1fe5a27a6f5a706c9506fa2c29602370bf75f3ab7f7f7165Researchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
6a8eb9549bb642753717c8d5defcb82e1195517e9f35e5373e1e62cfe755b503There is a use-after-free in attachMovie due to the initObject. If the initObject contains an object that calls a method that deletes the movie clip that is being attached, a use-after-free occurs.
90bd26fa45bf4967bccd506cc65201e1553ca1b0810ffe60271cde208371b15bResearchers have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file.
86ad060ed6b0b92f73638bde724be9999e6d4cd36658f6ce0e727753ba8c5617There are use-after-frees related to storing a single pointer (this this pointer) in several MovieClip drawing methods, including beginFill, beginBitmapFill, beginGradientFill, linGradientStyle, lineTo, moveTo, curveTo and lineStyle.
eb82146aef2be66c90cc556f2ab77a11428236e2b722274ee758243d8ec6b0e3This Metasploit module exploits a vulnerability that exists in the KNOX security component of the Samsung Galaxy firmware that allows a remote webpage to install an APK with arbitrary permissions by abusing the 'smdm://' protocol handler registered by the KNOX component. The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3, and Ace 4.
03a3f71c2c2fa9fd0b119371b2d55e432974a0922073ac802b493949e3fd1f34The Samsung Galaxy S3 and S4 phones come with a pre-loaded application that allows for spoofing and creation of arbitrary SMS content.
de5e8b452ffe3b39a1cf8ac1351ee8616bf67fdf04eb175ac2a45a481240863dThe Samsung Galaxy S3 w/ Android version 4.1.2 suffers from a bypass vulnerability due to S-Voice allowing the launch of any command even when the screen is locked.
f859a2a4bfd30be0e55663fe5c258853b5ad3a563064a6354107e8e25a8fc7ccSecunia Security Advisory - MWR InfoSecurity has reported two vulnerabilities in Samsung Galaxy S III, which can be exploited by malicious people to compromise a vulnerable device.
e15e4ecf64866ee592cf81d40bdda9debb4602f91d90c29371531a81241df33dSecunia Security Advisory - A vulnerability has been reported in Samsung Galaxy S III, which can be exploited by malicious people to cause a DoS (Denial of Service).
939d54052f7f5931d554b11cfdb777715f342c05b6124124222823930d9140cbSome system directories on the Samsung Galaxy S2 for Sprint-US (Epic 4G Touch) are world-writable and allow for information disclosure, modification, and may lead to local root compromise of the device.
9f06ef12f388247b4f5396e78958861f0d2d299cd6eda363dcfb33d724706997Goolag Scanner version 1.0. This tool has been released by the Cult of the Dead Cow to automate Google hacking using 1,500 predefined search queries.
052f30701a3f98d4097362ef486c4e09cecdf65778832bd34781b2d744896d38The RSA KEON Registration Authority Web Interface suffers from multiple cross site scripting vulnerabilities. Version 1.0 is susceptible.
26c310be669771da1384f9cf1a2df0bcb062948b01a68a3476d898341ac35511Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded traffic. This may allow malicious content to bypass HTTP content scanning systems. Systems affected include Checkpoint Web Intelligence and IBM ISS Proventia Series systems.
ed7d99c4b0c8cf924026804e5a72dd264e34e794211f2f18d66d3c41fdd46077
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed