The code in IOMXNodeInstance.cpp that handles enableNativeBuffers uses port_index without validation, which results in the dword value 0 or 1 being written at an attacker-controlled offset from the IOMXNodeInstance structure.
There is an info leak in JSON.parse. If this function is called with a reviver, and the reviver modifies the output object so that it contains a native array, the Walk function assumes that this array is a Var array and writes pointers into it. These pointers can then be read out of the array by script.
The android.graphics.Bitmap class incorrectly assumes that the size of the ashmem region provided by the user matches the actual underlying size of the Bitmap. When un-flattening a Bitmap from a Parcel, the class first calculates the assumed size of the Bitmap from the user-provided dimensions. Then it calls Parcel::readBlob in order to map the given ashmem file descriptor into the process's VAS. This mapping is done using the size calculated from the Bitmap's dimensions (and not the size of the underlying ashmem descriptor). Later, the Bitmap constructor internally stores the ashmem file descriptor and mapped memory address, along with the size of the mapping. However, instead of using the same calculated size that was used when mapping the shared memory region, it accidentally queries the ashmem region for its real size, like so: mPixelStorage.ashmem.size = ashmem_get_size_region(fd). This size can be completely controlled by an attacker (simply by calling ASHMEM_SET_SIZE) and may be arbitrarily large. Later, when the Bitmap is garbage-collected, the destructor triggers a call to Bitmap::doFreePixels, which unmaps the Bitmap's data by calling: munmap(mPixelStorage.ashmem.address, mPixelStorage.ashmem.size). This means that an attacker can cause the size of the unmapped region to be arbitrarily large, thus unmapping crucial regions in the remote process's VAS.
PowerShell can read and process XML files; this is by design. However, its XML parser is vulnerable to XXE attacks if a user reads a malicious XML file using PowerShell's XML API. This can potentially allow local files to be accessed and exfiltrated to an attacker's server.
This exploit targets Ubuntu 16.04 x86_64 and is a race condition exploit that uses AF_PACKET. The exploit is used to alter the vsyscall page and register a new sysctl.
Cross-site scripting: after logging in to the panel, the page parameter is vulnerable to cross-site scripting: http://192.168.1.1/cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=%3Cscript%3Ealert%28%22c_C%22%29%3C/script%3E. Default Telnet root password: username root, password root. Session: telnet 192.168.1.1 (none) login: root Password:root ~ $ cat /proc/version Linux version 2.6.19 (dsl@crlinux) (gcc version 3.4.6-1.3.6) #3 Fri May 18 13:09:57 CST 2012. Directory traversal: after logging in to the panel, the getpage parameter is vulnerable to local file disclosure: http://192.168.1.1/cgi-bin/webproc?getpage=../../../../etc/passwd&var:menu=setup&var:page=wireless
When Telnet negotiation is activated (-T option), Netcat parses the incoming packets looking for Telnet control codes by running them through buggy switch/case code. This code fails to safely check array boundaries, resulting in an out-of-bounds array write.
A local attacker with access to a vulnerable system can replace the "nssm.exe" executable with a malicious version, allowing them to add a backdoor Administrator account once the "Apache CouchDB" service is restarted or the system is rebooted. As Apache CouchDB runs as LOCALSYSTEM, standard users can then execute arbitrary code with SYSTEM privileges.
Microsoft Windows MSINFO32.exe is vulnerable to an XML External Entity (XXE) attack, which can potentially allow remote attackers to gain access to and exfiltrate files from the victim's computer if the victim opens a malicious ".nfo" file delivered via a remote share, USB, etc.