There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. The proof-of-concept code creates an iframe with a name attribute, sets the src attribute to a data URI, and then submits the form. The onbeforeunload event handler then appends a <del> element to the document head, which triggers the use-after-free.
During an evaluation of the Vonage home phone router, it was identified that the loginUsername and loginPassword parameters were vulnerable to a buffer overflow. This overflow caused the router to crash and reboot. Further analysis was performed to find out whether the crash is controllable and would allow full remote code execution. The proof-of-concept code used against the application was only tested for denial-of-service conditions.
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. The PoC code creates a Uint8Array object and then appends an HTMLScriptElement object to a ContainerNode object. The HTMLScriptElement object is then removed from the ContainerNode object, which causes a use-after-free vulnerability.
This exploit triggers the WebClient service to start and executes a remote file from an attacker-controlled WebDAV server. The reason this approach might be handy is a limitation on the length of the executed command; with the help of WebDAV, however, it is possible to launch an arbitrary attacker-controlled executable on the vulnerable machine. The script creates a simple document with several OLE objects. These objects exploit CVE-2017-11882, which results in sequential command execution.
It’s possible to add a cached signing level to an unsigned file by exploiting a TOCTOU in CI, leading to circumvention of Device Guard policies and possibly PPL signing levels. Windows Code Integrity has the concept of caching signing level decisions made on individual files. This is done by storing an extended attribute with the name $KERNEL.PURGE.ESBCACHE and filling it with related binary information. As the EA name is a kernel EA, it can’t be set by user-mode code, only by kernel-mode code calling FsRtlSetKernelEaFile. Because user-mode code can’t directly set the kernel EA, the facility to write the cache entry is exposed through ZwSetCachedSigningLevel(2). This takes a number of arguments, including flags, a list of associated file handles and the target handle to write the EA to.
The Icon Time Systems RTC-1000 (firmware v2.5.7458 and below) Universal Time Clock device is susceptible to a stored Cross Site Scripting (XSS) vulnerability that facilitates session hijacking. Injecting a session hijacking XSS payload into the ‘First Name’ field of an employee record on the employee.html webpage results in payload execution wherever this employee's first name appears in subsequent webpages. Caveat: To exploit this vulnerability, the attacker does need valid credentials to access the device and those credentials must have permissions to change employee names.
The above JavaScript code is JITed as follows: CHECKING THE TYPE OF B ... OP_Memset(a, v, a.length); b[0] = 2.3023e-320; But there are no ImplicitCallFlags checks around OP_Memset, so the JIT fails to detect whether the type of 'b' was changed while OP_Memset was being called. The PoC shows that this can result in type confusion.
At (a), it uses "IntConstMath::Add" to check for integer overflow. But the size of IntConstType equals the size of a pointer, while the "offset" variable is used as a 32-bit integer, so the check may fail to detect integer overflow on a 64-bit system. The PoC provided shows that an array of size 0x1000 is created and a loop is used to increment the index of the array until 0x7fffffff. This causes an integer overflow and the loop continues to increment the index beyond the array size.
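The width mismatch described above is easiest to see in isolation. The following is an added example, not code from the page or from the JavaScript engine it discusses: add_checked_64 is a hypothetical stand-in for a pointer-sized checked add like the page's IntConstMath::Add, and compute_offset_weak and compute_offset_fixed are constructed to show why an overflow check performed in the wide type says nothing about whether the sum fits the 32-bit variable it is stored into, and what the corrected check looks like.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical checked add on a pointer-sized (64-bit) type, standing in
 * for an overflow-checking helper like the page's IntConstMath::Add.
 * It reports overflow only when the 64-bit sum itself overflows. */
static bool add_checked_64(int64_t a, int64_t b, int64_t *out) {
    if ((b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Mismatched check: the overflow test runs in 64 bits, but the result
 * is stored into a 32-bit offset. Two int32 operands can never overflow
 * an int64, so the check always passes and the offset silently wraps. */
static bool compute_offset_weak(int32_t base, int32_t delta, int32_t *offset) {
    int64_t wide;
    if (!add_checked_64(base, delta, &wide))
        return false;            /* unreachable for int32 inputs */
    *offset = (int32_t)wide;     /* truncation: INT32_MAX + 1 becomes INT32_MIN */
    return true;
}

/* Corrected check: after the wide add, range-check against the type the
 * value will actually be stored in. */
static bool compute_offset_fixed(int32_t base, int32_t delta, int32_t *offset) {
    int64_t wide;
    if (!add_checked_64(base, delta, &wide))
        return false;
    if (wide > INT32_MAX || wide < INT32_MIN)
        return false;            /* would not fit in the 32-bit offset */
    *offset = (int32_t)wide;
    return true;
}

/* Small probes with plain return values so the behaviour can be checked. */
int weak_accepts_int32_overflow(void) {
    int32_t off = 0;
    return compute_offset_weak(INT32_MAX, 1, &off) && off < 0;
}
int fixed_rejects_int32_overflow(void) {
    int32_t off = 0;
    return !compute_offset_fixed(INT32_MAX, 1, &off);
}
int fixed_accepts_in_range(void) {
    int32_t off = 0;
    return compute_offset_fixed(0x1000, -1, &off) && off == 0xfff;
}

int main(void) {
    printf("weak check accepts INT32_MAX+1: %d\n", weak_accepts_int32_overflow());
    printf("fixed check rejects it:         %d\n", fixed_rejects_int32_overflow());
    printf("fixed check accepts 0x1000-1:   %d\n", fixed_accepts_in_range());
    return 0;
}
```

The general rule the example illustrates: an overflow check must be performed against the range of the type the result is stored in, not the type the arithmetic happens to be done in. The same mismatch appears whenever a size_t or pointer-sized intermediate is narrowed into an int or int32_t index.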
A type confusion vulnerability exists in the JIT's handling of the switch statement and the IR code generated for it. The vulnerability occurs when the MultiBr instruction's offset operand is not of type Int32. This can be prevented by checking the type of the offset operand before the MultiBr instruction.
A stored XSS vulnerability exists in Vonage Home Router, which allows an authenticated attacker to inject malicious JavaScript code into the router's web interface. This can be exploited by sending a specially crafted HTTP POST request to the router's web interface. The malicious code is then stored in the router's web interface and is executed when a user visits the affected page.
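Both stored XSS entries above (the RTC-1000 'First Name' field and the Vonage router web interface) share the same root cause: a value accepted at one request is later written into an HTML page without escaping. The following is an added example, not code from either vendor: html_escape is a constructed, bounded HTML escaper of the kind an embedded web interface would apply at render time to every stored string, and the sample names are made up. It refuses to write a partial escape sequence when the output buffer is too small, since a truncated entity is itself a rendering hazard.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Escape the five characters HTML treats specially so that a stored
 * string (such as an employee's first name) is rendered as text rather
 * than parsed as markup. Returns the number of bytes written (excluding
 * the terminating NUL), or -1 if the output buffer is too small; in that
 * case out[0] is set to NUL so no partial, unbalanced escape is emitted. */
static int html_escape(const char *in, char *out, size_t outsz) {
    size_t used = 0;
    if (outsz == 0)
        return -1;
    for (; *in; in++) {
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = NULL;     break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (used + n >= outsz) {        /* leave room for the NUL */
            out[0] = '\0';
            return -1;
        }
        if (rep)
            memcpy(out + used, rep, n);
        else
            out[used] = *in;
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Returns 1 if escaping `in` yields exactly `expected`. */
int escape_yields(const char *in, const char *expected) {
    char buf[256];
    int n = html_escape(in, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Returns 1 if html_escape refuses a buffer too small for the escaped form. */
int escape_rejects_small_buffer(void) {
    char buf[4];                         /* "<b>" escapes to 9 bytes */
    return html_escape("<b>", buf, sizeof buf) == -1 && buf[0] == '\0';
}

int main(void) {
    /* Constructed sample record, as a device might render an employee row. */
    const char *first_name = "O'Brien <b>";
    char safe[256];
    if (html_escape(first_name, safe, sizeof safe) < 0)
        return 1;
    printf("<tr><td>%s</td></tr>\n", safe);
    return 0;
}
```

Escaping at render time, rather than filtering on input, is what makes the fix complete: it covers every page on which the stored value is later displayed, which is exactly the property the RTC-1000 entry describes when it says the payload executes wherever the first name appears.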