The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length. If an interface is attached, the length cannot be changed. However, by creating and attaching to a bridge interface, the length can be changed and the buffer size will be out of sync with the actual allocated buffer size, leading to heap corruption when packets are received on the target interface.
This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH service is accessed with the default username and password, which are 'cmc' and 'password'. By exploiting a vulnerability that exists in the menuing script, an attacker can escape from the restricted shell.
The necp_open syscall is used to obtain a new necp file descriptor. The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap. The bug is that the fd_data is owned by the fp so that after we drop the proc_fd lock at (c) another thread can call close on the new fd which will free fd_data before we enqueue it at (e).
The SIOCGIFORDER system call allows userspace programs to query the list of interface identifiers used to build the list. The loop at (c) iterates through the list of all entries and the check at (c) is supposed to check that the write at (d) won't go out of bounds, but it should be a >=, not a >.
SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular TCP socket, so from pretty much any sandbox. By providing a value with the most-significant bit set, making it negative when cast to a signed type, we can pass the bounds check at (b), leading to an interface pointer being read out of bounds below the ifindex2ifnet array. This leads very directly to memory corruption at (d), which adds the value read out of bounds to a list structure.
exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn. It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS). For the special, exception and audit ports it tries to update the new task to reflect the port action by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin, and if any of those calls fail it calls ipc_port_release_send(port). task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail, but audit_session_spawnjoin (which calls audit_session_join_internal) *does* drop a reference on the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't an audit session port. This means we can cause two references to be dropped on the port when only one is held, leading to a use-after-free in the kernel.
Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig. This method takes structure input and output buffers. It reads an attacker-controlled dword from the input buffer, which it uses to index an array of pointers with no bounds checking. This pointer is passed to AppleIntelFramebuffer::validateDisplayMode, and the uint64 at offset +2130h is used as a C++ object pointer on which a virtual method is called. With some heap grooming this could be used to get kernel code execution.
Maian Greetings v2.1 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries via the 'cat' parameter in the 'index.php' script. This can be exploited to bypass authentication and gain access to the application.
Maian Survey v1.1 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries via the 'cmd' and 'survey' parameters in the 'index.php' script. This can be exploited to bypass authentication and gain access to the application.
Log in as a regular user and inject SQL via the URL parameter 'user' to access the following fields from the mu_members table: id, joindate, sign_date, joinstamp, username, email, accpass.