A buffer overflow vulnerability was discovered in RealPlayer 18.1.5.705, which is caused by a lack of proper bounds checking when handling user-supplied data. This can be exploited to cause a stack-based buffer overflow by supplying a specially crafted file to the application. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application.
Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel. It exploits a race condition in the way the Linux kernel's memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. This vulnerability allows an attacker to gain root access on the vulnerable system.
This script exploits the freepbx website, elevates privileges and returns a reverse bind tcp as root
The vulnerability can be mitigated by using prepared statements (with parameterized queries) and by using stored procedures.
Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel. It is a race condition bug that exploits a flaw in the Linux kernel’s memory-management subsystem. It allows an attacker to gain write access to a read-only memory mapping, such as those used to store program text, by exploiting a race condition between the madvise(MADV_DONTNEED) system call and a read/write system call. The exploit is achieved by racing the madvise(MADV_DONTNEED) system call while having the page of the executable mmapped in memory. The attacker then writes to /proc/self/mem to reset the file pointer to the memory position. The exploit is done in parallel by passing two arguments, the file and the content, and opening the file in read-only mode. The attacker then uses MAP_PRIVATE for copy-on-write mapping.
This module exploits a command injection vulnerability on WiFi Pineapples version 2.0 <= pineapple < 2.4. We use a combination of default credentials with a weakness in the anti-csrf generation to achieve command injection on fresh pineapple devices prior to configuration. Additionally if default credentials fail, you can enable a brute force solver for the proof-of-ownership challenge. This will reset the password to a known password if successful and may interrupt the user experience. These devices may typically be identified by their SSID beacons of 'Pineapple5_....'; details derived from the TospoVirus, a WiFi Pineapple infecting worm.
The isolated private namespace created by ierutils has a insecure DACL which allows any appcontainer process to gain elevated permissions on the namespace directory which could lead to elevation of privilege. In iertutils library IsoOpenPrivateNamespace creates a new Window private namespace (which is an isolated object directory which can be referred to using a boundary descriptor). The function calls CreatePrivateNamespace, setting an explicit DACL which gives the current user, ALL APPLICATION PACKAGES and also owner rights of GENERIC_ALL. This is a problem because this is the only security barrier protecting access to the private namespace, when an application has already created it, this means that for example we can from any other App Container open IE’s or Edge’s with Full Access. One way of exploiting this condition is to open the namespace for WRITE_DAC privilege and add inheritable ACEs to the DACL. Doing this would result in any new object in the isolated namespace being created by Edge or IE being accessible to the attacker, also giving write access to resources such as IsoSpaceV2_ScopedTrusted which are not supposed to be writable for example from a sandboxed IE tab.
The spread operator in JavaScript allows an array to be treated as function parameters using the syntax 'f(...a)'. When DirectGetItemAtFull accesses the array, if an element of the array is undefined, it will fall back to the prototype of the array. In some situations, for example if the prototype is a Proxy, this can execute user-defined script, which can change the length of the array, meaning that the call can overflow destArgs.Values, even through the length has already been checked.
When an array is joined in Chakra, it calls JavascriptArray::JoinArrayHelper, a function that is templated based on the type of the array. This function then calls JavascriptArray::TemplatedGetItem to get each item in the array. If an element is missing from the array, this function will fall back to the array object's prototype, which could contain a getter or a proxy, allowing user script to be executed. This script can have side effects, including changing the type of the array, however JoinArrayHelper will continue running as it's templated type even if this has happened. This can allow object pointers in an array to be read as integers and accessed by a malicious script.
When Function.apply is called in Chakra, the parameter array is iterated through using JavascriptArray::ForEachItemInRange. This function accepts a templated parameter, hasSideEffect that allows the function to behave safely in the case that iteration has side effects. In JavascriptFunction::CalloutHelper (which is called by Function.apply) this parameter is set to false, even though iterating through the array can have side effects. This can cause an info leak if the side effects cause the array to change types from a numeric array to a variable array. A PoC is as folows and attached. Running this PoC causes an alert dialog with pointers in it.
Services By CQR