Joomla! Component Extra Search v2.2.8 – SQL Injection

A SQL injection vulnerability exists in Joomla! Component Extra Search v2.2.8. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This can allow the attacker to execute arbitrary SQL commands on the underlying database.

get-user-info.py

This Python script is used to exploit an improper access control vulnerability in a web application. The script sends a request to the URL http://ip_address/DataStore/990_user_account.js?index=0&pagesize=10 with the required headers and reads the response. This allows an attacker to access user account information without authentication.

Use-After-Free Vulnerability in Internet Explorer 11.0.9600.18537

A use-after-free vulnerability exists in Internet Explorer 11.0.9600.18537 (update version 11.0.38) which can lead to info leak / memory disclosure. The root cause of the bug is a use-after-free on the textarea text value, which can be seen if a PoC is run with Page Heap enabled.

Use-after-free vulnerability in Firefox

There is a use-after-free security vulnerability in Firefox. The vulnerability was confirmed on the nightly ASan build. PoC and ASan log can be found below. Notes for reproducing: the PoC uses the domFuzzLite3 extension in order to trigger the garbage collector. After the PoC is opened, it takes about 10 seconds for the crash to occur.

Windows Color Management Library icm32.dll Crash

We have encountered a crash in the Windows Color Management library (icm32.dll), in the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function, while trying to translate colors based on a malformed color profile file. The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it is necessary to use a dedicated program which loads the file, creates a color transform and translates some colors.

Windows Uniscribe User-Mode Library Memory READ Access Vulnerability

Through fuzzing, a number of different crashes in the Windows Uniscribe user-mode library were discovered while trying to display text using a corrupted font file or calling documented Uniscribe API functions against such malformed fonts. These crashes manifest through invalid memory READ accesses, some of which occur at page boundaries, while others occur at seemingly valid yet non-mapped addresses.

Uniscribe USP10!FillAlternatesList Out-of-Bounds Write Vulnerability

We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!FillAlternatesList function, while trying to request a list of alternate glyphs for a specific glyph in a corrupted font file. In our test harness, we set the cMaxAlternates parameter of the ScriptGetFontAlternateGlyphs function to 10, indicating that this is the maximum number of values which can be written to the output pAlternateGlyphs array. However, the API function does not seem to respect the argument and attempts to write more data into the buffer -- in this case, 29 WORDs. The vulnerability can also be confirmed by looking at the output value of pcAlternates, which should never exceed 10 in this case, but is indeed set to 29. As a result, the bug may lead to corruption of various memory areas, including stack, heap, and static memory, depending on the type of pointer passed to the function by its caller.

Windows Kernel Crashes in nt!HvpGetBinMemAlloc and nt!ExpFindAndRemoveTagBigPages Functions

We have encountered Windows kernel crashes in the internal nt!HvpGetBinMemAlloc and nt!ExpFindAndRemoveTagBigPages functions while loading corrupted registry hive files. We believe both crashes to be caused by the same bug. Examples of crash log excerpts generated after triggering the bug are shown below.