The win32k!NtQueryCompositionSurfaceBinding system call discloses portions of uninitialized kernel stack memory to user-mode clients. The output buffer, and the corresponding temporary stack-based buffer in the kernel, are both 0x308 bytes in size. The first 4 bytes and the trailing 0x300 bytes are zeroed at the beginning of the function, but the remaining 4 bytes at offset 0x4 are never written, so they contain whatever data earlier kernel code left on that stack region. These 4 bytes are then copied to the user-mode caller. Exploitation is further facilitated by the fact that the buffer is copied back to user mode even when the syscall fails, so the caller does not need to satisfy the function's success conditions to receive the leaked bytes.
A vulnerability was discovered in the nt!NtGdiGetFontResourceInfoInternalW system call, which discloses portions of uninitialized kernel stack memory to user-mode clients. The cause is that for user-specified output buffer sizes up to 0x5c, the syscall uses a temporary stack-based buffer as an optimization instead of a pool allocation. Unlike the pool allocation path, the stack region is not pre-initialized with zeros, and because the buffer is copied back to user mode in its entirety rather than only the bytes actually written, its contents disclose leftover kernel stack bytes that may contain sensitive information such as kernel addresses. The vulnerability is fixed in Windows 10, which has a memset() call at the beginning of the function that zeroes the buffer before use.
Optionsbleed (CVE-2017-9798) is a vulnerability in Apache HTTP Server that allows attackers to read fragments of server process memory. It is a use-after-free in the construction of the Allow header returned for HTTP OPTIONS requests, triggered when a Limit directive (typically in a .htaccess file on shared hosting, or in a misconfigured httpd.conf) names an HTTP method that is not registered with the server. The leaked data shows up inside the Allow header value itself, and because freed memory is only sometimes reused between the free and the read, a single request rarely leaks anything; an attacker repeats unauthenticated OPTIONS requests and inspects each response. The vulnerability was disclosed in 2017 and affects Apache httpd up to and including 2.2.34 and the 2.4.x branch up to and including 2.4.27; it was fixed in 2.4.28, with a patch also published for the 2.2 branch.
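The following is an added example, not code from Apache or from the original advisory: a small classifier that decides whether an Allow header value looks legitimate or carries the signs of Optionsbleed (empty entries, bytes that are not valid HTTP token characters, or the same method listed more than once). The sample header values at the bottom are constructed for illustration; in practice the function would be applied to the Allow header of each of many repeated OPTIONS responses, since the leak is probabilistic.

```c
/*
 * Added example (not Apache code): flag Allow header values that carry the
 * symptoms of Optionsbleed. A clean header is a comma-separated list of
 * distinct, non-empty HTTP method tokens made of RFC 7230 tchar bytes.
 */
#include <ctype.h>
#include <string.h>

#define MAX_TOKENS 64

/* RFC 7230 tchar: ALPHA / DIGIT / "!" / "#" / "$" / "%" / "&" / "'" / "*"
 * / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" */
static int is_tchar(unsigned char c)
{
    if (c == 0)
        return 0;
    return isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Returns 0 for a plausible Allow value, otherwise an anomaly code:
 *   1 = empty entry (e.g. leading/trailing/double comma)
 *   2 = byte outside tchar (control or 8-bit bytes from leaked memory)
 *   3 = a method listed more than once
 *   4 = more entries than any sane server would emit */
static int allow_header_anomaly(const char *value)
{
    const char *tok[MAX_TOKENS];
    size_t tlen[MAX_TOKENS];
    size_t n = 0;
    const char *p = value;

    for (;;) {
        while (*p == ' ' || *p == '\t')            /* optional leading OWS */
            p++;
        const char *start = p;
        while (*p && *p != ',')
            p++;
        const char *end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;                                  /* optional trailing OWS */
        if (end == start)
            return 1;
        for (const char *q = start; q < end; q++)
            if (!is_tchar((unsigned char)*q))
                return 2;
        if (n == MAX_TOKENS)
            return 4;
        tok[n] = start;
        tlen[n] = (size_t)(end - start);
        n++;
        if (*p == '\0')
            break;
        p++;                                        /* skip the comma */
    }

    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (tlen[i] == tlen[j] && memcmp(tok[i], tok[j], tlen[i]) == 0)
                return 3;
    return 0;
}

/* Constructed sample Allow values, in the order a scanner might see them. */
static const char *const sample_allow_values[] = {
    "GET,HEAD,POST,OPTIONS",                    /* normal Apache output */
    "OPTIONS, GET, HEAD",                       /* whitespace is permitted */
    ",GET,POST,OPTIONS,HEAD,,HEAD,HEAD",        /* empty entries: leaked */
    "GET,HEAD,POST,OPTIONS,HEAD",               /* duplicate method: leaked */
    "GET,HEAD,\x01\x7f" "AB",                   /* control bytes: leaked */
    "GET,\xc3\xa9",                             /* 8-bit bytes: leaked */
};

/* Number of sample values that look like leaked memory. */
static int count_suspicious_samples(void)
{
    int suspicious = 0;
    size_t count = sizeof sample_allow_values / sizeof sample_allow_values[0];
    for (size_t i = 0; i < count; i++)
        if (allow_header_anomaly(sample_allow_values[i]) != 0)
            suspicious++;
    return suspicious;
}
```

Duplicated methods are included as a symptom because the most common visible form of the leak is a method name repeated from a reused pool chunk rather than obvious binary garbage; a server that never emits duplicates on a clean configuration makes that a reliable signal.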
A number of Windows kernel crashes were encountered in the win32k.sys driver while processing corrupted TTF font files. The crashes manifest as a PAGE_FAULT_IN_NONPAGED_AREA (50) bugcheck, which is raised when kernel code references an invalid system memory address. The underlying cause is that values derived from the untrusted font data are used to form kernel addresses without sufficient validation before they are dereferenced.
The win32k!NtGdiGetGlyphOutline system call handler may disclose large portions of uninitialized pool memory to user-mode clients. The function first allocates memory (using win32k!AllocFreeTmpBuffer) with a user-controlled size, then fills it with the outline data via win32k!GreGetGlyphOutlineInternal, and lastly copies the entire buffer back into the user-mode address space. If the amount of data written by win32k!GreGetGlyphOutlineInternal is smaller than the size of the allocated region, the remaining part stays uninitialized and is copied in that state to the ring-3 client. Because the allocation size is user-controlled, the caller chooses how much stale pool memory is returned.
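The three kernel memory disclosures above (NtQueryCompositionSurfaceBinding, NtGdiGetFontResourceInfoInternalW and NtGdiGetGlyphOutline) share one shape: a buffer is only partially written and then copied to user mode in full. The following is an added example, not code from the advisories or from Windows: a user-mode C model of the stack-gap and pool-tail variants beside a fixed form, plus the differential check a researcher uses to locate such bytes (call the syscall twice with different residue left in kernel memory and report output bytes that change). The simulated kernel memory, the offsets, the field layout and all function names are assumptions chosen to mirror the advisories' numbers; a real harness would spray the kernel stack or pool through other syscalls rather than through a static array.

```c
/*
 * Added example, not code from the advisories above: a user-mode model of an
 * uninitialized kernel stack/pool disclosure and of the differential check
 * used to find one. Kernel memory is a static array so that the leftover
 * bytes are deterministic; in a real kernel they are whatever ran before.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OUT_SIZE  0x308   /* size of the composition-surface output buffer */
#define KMEM_SIZE 0x2000  /* simulated kernel stack + pool */

static uint8_t kmem[KMEM_SIZE];

/* Model of "whatever ran before": an earlier syscall leaves a marker behind. */
static void spray_kernel_memory(uint8_t marker)
{
    memset(kmem, marker, sizeof kmem);
}

typedef int (*syscall_fn)(size_t user_size, uint8_t *user_out, int force_fail);

/* Vulnerable model of NtQueryCompositionSurfaceBinding: zero [0,4) and
 * [8,0x308), leave [4,8) untouched, copy everything back even on failure. */
static int query_binding_vulnerable(size_t user_size, uint8_t *user_out, int force_fail)
{
    uint8_t *buf = kmem + 0x100;          /* temporary buffer in the frame */
    (void)user_size;
    memset(buf, 0, 4);
    memset(buf + 8, 0, 0x300);
    buf[0] = 1;                           /* a result field (assumed) */
    memcpy(user_out, buf, OUT_SIZE);      /* happens regardless of status */
    return force_fail ? -1 : 0;
}

/* Fixed model: zero the whole buffer and copy only on success. */
static int query_binding_fixed(size_t user_size, uint8_t *user_out, int force_fail)
{
    uint8_t *buf = kmem + 0x100;
    (void)user_size;
    memset(buf, 0, OUT_SIZE);
    buf[0] = 1;
    if (force_fail)
        return -1;
    memcpy(user_out, buf, OUT_SIZE);
    return 0;
}

/* Pool variant modelling NtGdiGetGlyphOutline: allocate user_size bytes,
 * write only the 16 bytes of "outline" actually produced, copy back all. */
static int glyph_outline_vulnerable(size_t user_size, uint8_t *user_out, int force_fail)
{
    uint8_t *pool = kmem + 0x1000;        /* stands in for AllocFreeTmpBuffer */
    if (user_size > 0x1000)
        return -1;
    memset(pool, 0x11, 16);               /* the data the callee really wrote */
    memcpy(user_out, pool, user_size);
    return force_fail ? -1 : 0;
}

/* Differential check: run the syscall after two different sprays; output
 * bytes that follow the spray were never written by the syscall. Returns the
 * number of such bytes and stores up to max of their offsets in leaked. */
static size_t find_uninitialized_bytes(syscall_fn fn, size_t user_size,
                                       size_t *leaked, size_t max)
{
    uint8_t out_a[OUT_SIZE], out_b[OUT_SIZE];
    memset(out_a, 0, sizeof out_a);
    memset(out_b, 0, sizeof out_b);
    spray_kernel_memory(0x41);
    fn(user_size, out_a, 0);
    spray_kernel_memory(0x42);
    fn(user_size, out_b, 0);
    size_t n = 0;
    for (size_t i = 0; i < user_size; i++) {
        if (out_a[i] != out_b[i]) {
            if (n < max)
                leaked[n] = i;
            n++;
        }
    }
    return n;
}

/* Does the failing path still write the user buffer? 1 if yes, 0 if not. */
static int writes_on_failure(syscall_fn fn, size_t user_size)
{
    uint8_t out[OUT_SIZE];
    memset(out, 0xEE, sizeof out);
    spray_kernel_memory(0x41);
    fn(user_size, out, 1);
    for (size_t i = 0; i < user_size; i++)
        if (out[i] != 0xEE)
            return 1;
    return 0;
}
```

Against the vulnerable binding model the check reports exactly offsets 4 through 7, matching the advisory; against the glyph-outline model with a 0x100-byte request it reports every byte from 16 onward, which is why a user-controlled allocation size turns a small gap into a bulk leak.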
The iBall ADSL2+ Home Router does not properly authenticate requests when its administrative pages are accessed through their CGI versions. This could allow a remote attacker to access sensitive information and perform actions such as resetting the router, downloading the backup configuration, or uploading a backup without authenticating.
A vulnerability in the win32k.sys driver of Windows was discovered while processing corrupted TTF font files. It manifests as a PAGE_FAULT_IN_NONPAGED_AREA (50) bugcheck, which occurs when an invalid system memory address is referenced. The invalid addresses accessed by the win32k!bGeneratePath function appear "wild" rather than near a valid mapping, e.g. 0x8273xxxx, 0x8274xxxx, 0x8275xxxx, etc., which suggests the dereferenced pointer is derived from the corrupted font data rather than from a slightly out-of-bounds index.
The CGI version of the UTStar modem's admin page does not authenticate the user, so any protected page in the modem can be accessed directly by replacing the page extension with .cgi. This also allows anyone to perform operations such as resetting the modem, changing passwords and backing up the configuration without authentication. The modem additionally discloses the passwords of each user (Admin, Support and User) in plain text in the page source.
Digileave 1.2 is vulnerable to Cross-Site Request Forgery (CSRF), which allows an attacker to update the admin user. The attacker crafts a malicious HTML page that submits the admin-update request and sends it to a victim who is logged in. When the victim visits the page, the browser attaches the victim's session and the admin user is updated with the credentials the attacker supplied.
Netdecision 5.8.2 is vulnerable to local privilege escalation due to a lack of proper validation of user-supplied input. A local attacker can exploit this vulnerability to gain elevated privileges on the system.