Chrome suffers from an issue where a data race in AudioArray::Allocate can lead to out-of-bounds access.
40c89fb5d3f2f33337160274195305f3cd381ef1ff99e9b1b31576dd9241fd40Flash suffers from a broker-based sandbox escape.
ff44243af4b26853124e63a9869c6b81f401bc2ad222680958329a437559b8efFlash suffers from a broker-based sandbox escape.
32f8d2576cdd393f19c2a9cdbb6d3476d8fda0611004641c02e347365ebea2aeThe "transient array" specified in the "Type 2 Charstring format" specs but also available in Type1 fonts (originally for the purpose of facilitating Multiple Master fonts) is allocated dynamically only if the CoolType interpreter encounters an instruction which requires the presence of the array, such as "get" or "store". While allocating the array, however, the routine does not automatically clear the contents of the newly created buffer.
6ace69fba4e02dc5c9eedf369a1611909bcd055bd1c38c7a835323a1176ce061There is an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and remote code execution.
f100f0c5cc96a2a407b46491520f1bce43ba7ca526f4e6c69f5887bf768c2ecaThe Type1/CFF CharString interpreter code in the Adobe Type Manager Font Driver (ATMFD.DLL) Windows kernel module does not perform nearly any verification that the operand stack is large enough to contain the required instruction operands, which can lead to up to "off-by-three" overreads and overwrites on the interpreter function stack.
51ba13f671a701f0476a89dfbec32f4088b01330862ec09c0a793c9e3d8643a0The system call NtPowerInformation performs a check that the caller is an administrator before performing some specific power functions. The check is done in the PopUserIsAdmin function. On Windows 7 this check is bypassable because the SeTokenIsAdmin function doesn't take into account the impersonation level of the token and the rest of the code also doesn't take it into account.
8e80a5edbfcfa8ce64460f4e9edf0e6164d6af2253e064cbdbd72a18a7cc6f4aWhen calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.
025afc3b744a755fe32430c68ff260ef742b1772b907721185ee3c58dbde5b57An access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.
a9bceda55620d3ed4cd20aec8a272a586fc3442122decbc24a9ba59a81f9b08bAn access violation occurs in Adobe Flash Player plugin while parsing a mutated swf file.
d1b4ab4f8b0404b6ba7f6fd0ce0dddffa431bd6d447a9316b9385e81916c89f2In certain cases where a native AS2 class sets an internal atom to a value, it can lead to a use-after-free if the variable is a SharedObject.
90eacb51d34198b2be5fdbf20c1cbafadb5acc055ea1efde7be967cbaf2262efWhen setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains in the stack.
784ff7b73b5ba4aba1ac24bbe51f62d68e8c1405d60181192fb3613898562723There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property.
2e1c6f0cbff4d283e27bc67ff2c3d6a2f97825e1fb4b4c03692fb92493f675d7In certain cases where a native AS2 class sets an internal variable, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.contentType, this applies to several other variables including many properties of the Sound and NetStream classes.
988359360be0f5f9adf193f6cd3a04d83c07dd40e147fd6dcd237b7482c3bf8cAn instance of ActionScript's Sound class allows for loading and extracting for further processing any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, loaded previously from given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. The sample block consists of 8 bytes (first 4 bytes for left channel and next 4 bytes for right channel). Only 2 bytes from 8 sound blocks (64 bytes) are crucial, the rest 52 bytes are useless. Each byte of input from range 0-255 has corresponding constant unsigned integer value (a result of encoding), so for decoding purposes you can use simply lookup table (cf. source code from BoundlessTunes.as).
fc4873a13244f4cbc031eca310103bf8bf2dd9f88a4c98659fde47aa2310d88dIf the fpadInfo property of a NetConnection object is a SharedObject, a use-after-free occurs when the property is deleted.
b56d353e5eaa5e4528ff1ffb7dc841c80fd0d96e3e3d63729b195cd39ca14474Three use-after-free proof of concept exploits for Flash.
2e4eefce9ede8e949e02bc78fdf89f165e66883de32412b8f8591292e5d9a762A use-after-free bug exists while setting the TextFilter.filters array.
31a6c05930a52b35dcd3d8092a6d0a8288bfbf9225bc353369358d98b9ab95b8If a watch is set on the childNodes object of an XML object, and then the XML object is manipulated in a way that causes its child nodes to be enumerated, the watch will trigger. If the function in the watch deletes all the child nodes, the buffer containing the nodes will be deleted, even though the original function will still access it when it unwinds. This can lead to a childnodes array in ActionScript containing pointers that can be specified by an attacker.
1295da6dedc93d6a1fe5a27a6f5a706c9506fa2c29602370bf75f3ab7f7f7165Chrome suffers from a ui::AXTree::Unserialize related use-after-free vulnerability.
c401c178ffecc2c543e0506717b170b45cb01c6106506bf7304ac67f0c08bfb4Feeder.co RSS Feeder version 5.2 for Chrome suffers from multiple cross site scripting vulnerabilities.
c227d9d9a4c7675cd2e18a765b40cd5955a316d3ece0b557dcc289f4c9d80f82Google Chrome suffers from an installed extensions arbitrary detection vulnerability.
52da5016877181aca474a508679782a3b2ff97357ecd8b355f349ada96f2d008Gmail Checker plus Chrome suffers from cross site request forgery and cross site scripting vulnerabilities.
36a68bd9e9fde10d7b5a7b1971af8b6237f36edee542649eae9f1bc1b13f7a19Goolag Scanner version 1.0. This tool has been released by the Cult of the Dead Cow to automate Google hacking using 1,500 predefined search queries.
052f30701a3f98d4097362ef486c4e09cecdf65778832bd34781b2d744896d38The RSA KEON Registration Authority Web Interface suffers from multiple cross site scripting vulnerabilities. Version 1.0 is susceptible.
26c310be669771da1384f9cf1a2df0bcb062948b01a68a3476d898341ac35511Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded traffic. This may allow malicious content to bypass HTTP content scanning systems. Systems affected include Checkpoint Web Intelligence and IBM ISS Proventia Series systems.
ed7d99c4b0c8cf924026804e5a72dd264e34e794211f2f18d66d3c41fdd46077
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed