When an array is spliced, an overflow check is performed, but ArraySpeciesCreate, which can execute code and alter the array, is called after this check. This allows an Array whose boundaries cause integer overflows to be spliced, leading to heap overflows in several situations. A minimal PoC is as follows and a full PoC is attached. The PoC is a bit unreliable; it may need to be refreshed a few times to crash.
On line 5112 of JavascriptArray::EntryReverse, the length of the array is fetched and stored. It is then passed as a parameter into JavascriptArray::ReverseHelper, which calls FillFromPrototypes, which can change the size of the array. If the size of the array is set to be larger than it was when the length was fetched, the array segment head's left value computed on line 5219 can become very large (as length is larger than seg->length and seg->left is generally 0). This can cause the segment length to become larger than the segment size the next time SparseArraySegmentBase::EnsureSizeInBound is called, because that method contains code that can set size to a small value which is less than the segment length. This can lead to an overflow if length is actually more than size.
In Chakra, the destination array that arrays are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable arrays. However, the loop that calls the filter function assumes that the destination array is a variable array, and sets each value using DirectSetItemAt, which is unsafe, and can lead to a var pointer being written to an integer array.
JavascriptArray::FillFromPrototypes is a method used by several Javascript functions available in the browser to set the native elements of an array to the values provided by its prototype. This function calls JavascriptArray::ForEachOwnMissingArrayIndexOfObject with the prototype of the object as a parameter, and if the prototype of the object is an array, it assumes that it is a Var array. While arrays are generally converted to var arrays when they are set as an object's prototype, if an object's prototype is a Proxy object, it can return a parent prototype that is a native int array. This can lead to type confusion, allowing an integer to be treated as an absolute pointer, when JavascriptArray::FillFromPrototypes is called.
$_POST['selectedCategory'] is not escaped. UpdateCategoryList() is accessible to any user.
$_GET['uid'] is not escaped, allowing an attacker to inject arbitrary SQL commands. An attacker can exploit this vulnerability by crafting a malicious URL and sending it to a victim. The malicious URL contains a specially crafted SQL query that is injected into the application's database.
AspWebServer does not properly validate input. An attacker could provide unexpected values and cause the program to crash or consume excessive resources, resulting in a denial-of-service condition.
An independent vulnerability laboratory researcher discovered a CSRF privilege escalation web vulnerability in the official EditMe content management system. The vulnerability allows an attacker to perform malicious client-side web-application requests that execute non-protected functions from the attacker's own web context. In the absence of a security token, an attacker could execute arbitrary code in the administrator's browser to gain unauthorized access to the administrator's privileges.
Using the official installation instructions at https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/quickstart-ubuntu.html, the nagios user is created with a shell: /usr/sbin/useradd -m -s /bin/bash nagios, leading to an entry in /etc/passwd like "nagios:x:1001:1001::/home/nagios:/bin/bash". This means that anyone with access to the nagios account can access any file owned by nagios. The Nagios startup script, run by root, insecurely gives ownership of files to the nagios user (/etc/init.d/nagios, line 190):

    touch $NagiosRunFile
    chown $NagiosUser:$NagiosGroup $NagiosRunFile $NagiosVarDir/nagios.log $NagiosRetentionFile

If the nagios user symlinks $NagiosRunFile to a file he has no access to, then at startup or restart of the nagios daemon the init script gives him ownership of the linked file. Exploit:

    #!/bin/bash -p
    #
    TARGETSERVICE="Nagios"
    LOWUSER="nagios"
    TARGETPATH="/usr/local/nagios/var/nagios.lock"
    # Create a symlink to the target file
    ln -s $TARGETPATH /home/$LOWUSER/nagios.lock
    # Restart the service
    /etc/init.d/$TARGETSERVICE restart
    # Remove the symlink
    rm /home/$LOWUSER/nagios.lock
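As an added example (not the Nagios project's own code), the following is a hardened replacement for the init-script step above: it refuses to hand a path to the service user unless it is a regular, non-symlink file, creates a missing file under noclobber so a planted link is not followed, and uses chown -h so that even if a link is swapped in between check and chown only the link itself, never its target, changes owner. The function names and the $NagiosUser/$NagiosGroup/$NagiosRunFile variables are taken from the advisory text; the file checks are this example's assumptions.

```shell
#!/bin/sh
# Hardened version of: touch $NagiosRunFile; chown $NagiosUser:$NagiosGroup $NagiosRunFile
# (example code, not from the Nagios project).

# pidfile_is_safe PATH -> 0 if PATH is absent or a regular, non-symlink file
pidfile_is_safe() {
    path=$1
    if [ -L "$path" ]; then
        echo "refusing: $path is a symlink" >&2
        return 1
    fi
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo "refusing: $path is not a regular file" >&2
        return 1
    fi
    return 0
}

# own_runtime_file USER GROUP PATH -> creates PATH if missing and gives it to
# USER:GROUP, but only after the symlink check; returns 1 without touching
# anything when the check fails.
own_runtime_file() {
    user=$1 group=$2 path=$3
    pidfile_is_safe "$path" || return 1
    if [ ! -e "$path" ]; then
        # noclobber (set -C): the shell opens the file exclusively, so a link
        # planted after the check makes the redirection fail instead of
        # being silently followed the way plain "touch" would follow it.
        ( set -C; : > "$path" ) || return 1
    fi
    # Re-check, then chown -h: a symlink can only have its own owner
    # changed, never the owner of the file it points to.
    pidfile_is_safe "$path" || return 1
    chown -h "$user:$group" "$path"
}

# Residual risk: the real fix is a run directory owned by root and not
# writable by the service user, so it cannot plant links there at all.
# Usage in the init script would be:
#   own_runtime_file "$NagiosUser" "$NagiosGroup" "$NagiosRunFile" || exit 1
```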
In Chakra, function calls can sometimes take an extra internal argument, using the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra arg, and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example, a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion.