There is a heap buffer overflow in Shannon Baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the Operator-defined access category definitions message (IEI = 0x76).
0d9b32ed9b931576486f7e7630f9b8e393f008ff2bccc77a8e30f84a45f1e0f0There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Extended emergency number list" message (IEI = 0x7A).
ba04bb179ad4db118c637bfe6c329d2d3ebef7e310034bd5a8af11fa0123adc3There is a heap buffer overflow in Shannon baseband, inside the 5G MM protocol implementation (NrmmMsgCodec as it is called in Shannon according to debug strings), specifically when handling the "Emergency number list" message (IEI = 0x34).
ff7c534a4bbc11dc3cd3ac7fb2571e8b2fc9cddf789fa05fff2fc30be17f2acaThere is a heap corruption bug that can occur when QT processes a malformed TIFF image. It happens because the size of the QImageData backing the image is calculated is calculated using the format of the image, meanwhile TIFFReadScanline calculates the length to be read based on TIFFScanlineSize, which determines the size base on three tags in the TIFF file, width, samples per pixel and bits per sample.
765990ea3bd9f2c14232bcfa3535efba165c1990d1e7949df33a649783e33d0bThere is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker controlled data and no verification or signature is validated before the vulnerability occurs.
116febb937a201a0c4eba25cc3b30fe506befd25359b35fcac75d7c488a642f1There is a heap corruption vulnerability in VCPDecompressionDecodeFrame which is called by FaceTime. This bug can be reached if a user accepts a call from a malicious peer.
1bd312f7b4a101fec53ac225a7f3d6e0201421a8aa365cfae0b3c2da6c90a236There is a heap overflow in Skia when drawing paths with anti-aliasing turned off. This issue can be triggered in both Google Chrome and Mozilla Firefox by rendering a specially crafted SVG image. Proof of concepts included.
3f160181c8497dc4cf1f1145b96c07f641ce5f7ac700a9824ddcbbf59315795bThere is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors.
d5005d70833db3288d6f3582bebbc45f33bc2b359d5ffcd7ebdfc34a9678b7c2There is a heap overflow vulnerability in Apple's assembleBGScanResults when handling ioctl results.
e497d754530da645d0dfa81b8d9378547e7195bb0e4f5b900f516e4799502c81There is a heap overflow in Apple's AppleBCMWLANCore driver when handling Completed Firmware Timestamp messages (0x27).
859f5e2dd3a8465d5b3ba18254bb4a28a1247d2b72149d337adb0d58d1245663There is a heap overflow in Array.splice in Chakra. When an array is spliced, and overflow check is performed, but ArraySpeciesCreate, which can execute code and alter the array is called after this. This can allow an Array with boundaries that cause integer overflows to be spliced, leading to heap overflows in several situations.
6a5819407b1a08e3e5fb1fe3572513e26e584b6fd29bae8efb15d284321b36d2There is a heap overflow in ATF image packing. The file included in this archive demonstrates the vulnerability.
75949283b275ba71dc670b094f371b7c75020394f96a47c29fb5a1af31f4c0a4The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.
6a43091589e97afa78001dc6e8f0c4e88aed1de975f8578e7b0706c3c45901f3The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.
6aef4dd16b7085d61fe94cd118f3ece652f9cd33df0722b63a4bf31f53557554An OS X IOKit kernel memory corruption issue occurs due to a bad bzero in IOBluetoothDevice.
f3d2f3b8051f90b86f0cfd263f09f98a7e0e04c1e1fcff20c13e3ca8f318052cAdobe Reader X and XI for windows suffers from an out-of-bounds write in CoolType.dll.
94d511f0b5c52532ba8c4998f0ae71bb9ef6d1788cd193c33ea257be138b259fThe Windows Kernel is subject to two related kernel-mode type-confusion vulnerabilities inside win32k!xxxRemoteReconnect. In both cases, a user-mode parameter passed to the syscall is incorrectly resolved to its underlying kernel representation via ObReferenceObjectByHandle passing NULL as the "ObType" field (rather than *IoFileTypeObject and *IoDeviceTypeObject respectively). Because the type is not checked, if a handle of a type other than a HANDLE to a file and a device are passed, the kernel incorrectly uses the underlying representation of the object as a PFILE_OBJECT and a PDEVICE_OBJECT, causing memory corruption in the kernel.
1fc87129199a0c6cd9e6a9fa146cc6e891c7331266896538d14fc884c57013baThe Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time. By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first and passing a custom object as the directory name we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD priviledges are per-process this means that our other proxy object will now have euid 0 without having to provide an authorization reference. In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function which will then drop privs.
1fd4f2bf985f7460d71d17680841dc5c059fe7c05b9a7ac1a776291868ff74e3The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root and exploitable.
a34aa2485110ffeff9b63cf7063d71e3ac6548549f001e7517073b7f1ffaa5caInstall.framework has a suid root binary at /System/Library/PrivateFrameworks/Install.framework/Resources/runner that allows for arbitrary mkdir, unlink, and chown.
4b9ea14e8540ddbdec18fe305074224119369e420b4ed663a1f2bac393fa7f15The Windows Kernel is subject to a kernel-mode type-confusion vulnerability inside win32k!NtUserSetInformationThread due to referencing a user-mode handle via ObReferenceObjectByHandle with a "NULL" type specified (it should instead be using *LpcPortObjectType to protect against this vulnerability). This vulnerability can be triggered from inside CSRSS via the syscall win32k!NtUserSetInformationThread with ThreadInformationClass set to "UserThreadCsrApiPort" and the parameter of the syscall set to a HANDLE that is not an LPC object.
f08ca467d2241babc70e51da65057abb65b9ecf85249b35405cfc513910c45d6The programmable interrupt timer (PIT) controller in QEMU does not correctly validate the channel number when performing IO writes to the device controller, allowing both an information disclosure and a heap overflow within the context of the host.
13f86bfcab19e0b4b4a2b31f5267866e4f2e1bf60fa810d064d79e7a787b0c07Microsoft Office 2007 suffers from a RTF XML SmartTags use-after-free vulnerability.
9112fd06f8a9594124ac555685a4c390b42d8b36cbf029a9deca63894f80b49eMicrosoft Office 2007 suffers from a OneTableDocumentStream invalid object vulnerability.
71aae25eeff40a890630b5def4b9a4c33395e8cd48b05b1af664a30be591e023Microsoft Office 2007 suffers from a stack-based buffer overflow vulnerability when handling a malformed document.
fc3f3a43acba1f2993d16df8be2f8af7217caf24ea88bc37b3ab71571b41e296Flash suffers from a use-after-free vulnerability in SurfaceFilterList::CreateFromScriptAtom.
f25272c8a1f372c28e643e729835debc9a97b7068e8da8e97a5a220acf1e5a89
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed