The CloudExperienceHostBroker hosts unsafe COM objects accessible to a normal user, leading to elevation of privilege.
7888834d5b9f65c613c040c3ae903e13e111aac394ea82b8960fd0610e98dd60
The programmable interrupt timer (PIT) controller in QEMU does not correctly validate the channel number when performing IO writes to the device controller, allowing both an information disclosure and a heap overflow within the context of the host.
13f86bfcab19e0b4b4a2b31f5267866e4f2e1bf60fa810d064d79e7a787b0c07
Microsoft Office 2007 suffers from an RTF XML SmartTags use-after-free vulnerability.
9112fd06f8a9594124ac555685a4c390b42d8b36cbf029a9deca63894f80b49e
Microsoft Office 2007 suffers from a OneTableDocumentStream invalid object vulnerability.
71aae25eeff40a890630b5def4b9a4c33395e8cd48b05b1af664a30be591e023
Microsoft Office 2007 suffers from a stack-based buffer overflow vulnerability when handling a malformed document.
fc3f3a43acba1f2993d16df8be2f8af7217caf24ea88bc37b3ab71571b41e296
Flash suffers from a use-after-free vulnerability in SurfaceFilterList::CreateFromScriptAtom.
f25272c8a1f372c28e643e729835debc9a97b7068e8da8e97a5a220acf1e5a89
Flash version 18.0.0.209 contains new mitigations to defend against corruptions of Vector.<uint> (and other) lengths. One of these mitigations, at Vector access time, compares the Vector's in-memory length with a representation of the same length XOR'ed with a secret cookie. The bypass comes about because the secret cookie value is stored inside a structure, and a pointer to that structure is stored alongside the Vector length.
fcdf12cd364c0ea733d2eac6b27e7d2f9f878fe5206bb8c75cbfc449ce599745
There is a use-after-free vulnerability in the ActionScript 2 TextField.filters array property.
45e43f90ddcb052986798b06cfd1f46ebd1983e9b8561f2e5e9f429141da9e39
If an mp3 file contains compressed ID3 data that is larger than 0x2aaaaaaa bytes, an integer overflow will occur in allocating the buffer to contain its converted string data, leading to a large copy into a small buffer. A sample fla, swf and mp3 are attached. Put id34.swf and tag.mp3 in the same folder to reproduce the issue. This issue only works on 64-bit platforms.
35155caf981a1919c824478ec4353bf7b0386be80fed9f35592dd6d487b2c05c
The Shared Object constructor does not check that the object it is provided is of type Object before setting it to be of type SharedObject. This can cause problems if another method (such as Sound.loadSound) calls into script between checking the input object type, and casting its native object.
19f7464f744154d2d6dd211423377f3e324df119f1b2817fad6a0f7b4e6ae5f4
A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.
6730e4bcb74ff3ada116f87db7b421bf1d013003c83ef00b178f449904c4d335
The maintenance service creates a log file in a user writable location. It's possible to change the log file to a hardlink to another file to cause file corruption or elevation of privilege.
9a1d92cce93d1ad86dd9eac6ec55a2b6aedcc3249f5d93fb13aea55da6b68ba6
Flash suffers from a heap-based buffer overflow due to an indexing error when loading FLV files.
4673942893163cde81ade110d85287f3016da128ff399dfaf5a45be550ea11c7
Flash suffers from a heap-based buffer overflow vulnerability.
6dc90c34eaf395d7b5fc097c96fc3bbf1b826f568a8b16ab718447c06a8884a7
A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86. The crash is caused by a 1-bit delta from the original file at offset 0x31B.
03f7aa286c6f7a41a1b151784a5669dfb726e0a84605f216c88584600f74d02f
A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.
a0cd6e10f73a59037ae74f44a92933339dbaf1a11fe054b8edf070270dd6a4c0
There is a type confusion issue in the TextFormat constructor that is reachable because the FileReference constructor does not verify that the incoming object is of type Object (it only checks that the object is not native backed). The TextFormat constructor first sets a new object to type TextFormat, and then calls into script several times before setting the native backing object. If one of these script calls then calls into the FileReference constructor, the object can be set to type FileReference, and then the native object will be set to the TextFormat, leading to type confusion.
913b0be9845adb6b994362bb787074269b6c1eeb7980d5b0f158933108a65e1a
A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86. The crash is caused by a 1-bit delta from the original file at offset 0x4A45. OffViz identified this offset as OLESSRoot.DirectoryEntries[100].OLESSDirectoryEntry[20].sidLeft with an original value of 0x00000000 and a fuzzed value of 0x00008000.
1abb29b1bfd3c4155dea845a8f4a1b457d8108a08fdcb085f1548e3efeb296aa
There is a use-after-free in the TextField gridFitType setter.
9cfc47e31890f361abe09b956c4448a09809f5f2f950712ad016beb1ef1a03f2
A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 running on Windows 7 x86. The attached PoC file will reproduce when Word is closed. However, there were other crashing files (not attached) faulting on the same EIP that did not require Word to be closed to trigger the crash. This particular PoC did not minimize cleanly and has 666 deltas from the original non-fuzzed file.
1b07b9c7986e7c9c019e444f6094091612c97c9809f57e6a2e72cfe6cd7b5126
If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
95ab8619713493badebfbf2dae76fc13420fcd4f602713b108d2bb448361a346
A crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In was disabled and Application Verifier was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86. The attached minimized PoC produces the crash with 2-bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard Office document parsers did not reveal any significance about these locations.
64642201e34edd3485b55db10852c7ff6216617108d4d18639058079b398f937
Adobe Flash suffers from a URL resource use-after-free vulnerability.
b04ff115627b5b76c68978f46ab63e22389ddd834b882f77fa2abc234019242e
There is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers.
a39594a8976bb4f531c327c7e110dd1c104a7e1916ad2cb698311e6d442f6784
There is a use-after-free in CreateTextField in Adobe Flash.
273c349edf06a32073f319cedaeee5bb11cb28bcdc6a8e4ff0b6c4491275e257
A heap overflow exists due to a 64-bit to 32-bit integer truncation issue in device/hid/hid_connection_linux.cc.
770ba2318e417025ee29f56a1103dfb964c9deb4f6c83609e26beb78d0effa4f