The attached testcase triggers a use-after-free condition in win32k. The attached debugger output was captured on Windows 7 with Special Pool enabled on win32k.sys.
The attached testcase crashes Windows 7 32-bit with Special Pool enabled on win32k.sys due to a use-after-free condition. The bug appears to be a race between two threads, so multiple runs of the PoC may be needed to trigger it; it reproduces more reliably on systems with multiple cores.
The attached proof-of-concept (PoC) code crashes 32-bit Windows 7 at a screen resolution of 1024x768 with 32-bit color depth. The crash occurs during a memmove operation that copies the cursor content from unmapped memory, so the bug could potentially be used by an attacker to leak kernel memory. To reproduce the issue under VMware, VMware Tools must be removed; under QEMU it reproduces reliably.
A pool buffer overflow vulnerability exists in Windows 7 32-bit due to a flaw in an ioctl handler. This vulnerability can be exploited by sending a specially crafted request to the vulnerable system. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the kernel.
The NVIDIA Stereoscopic 3D Driver Service exposes the named pipe “stereosvrpipe”, which implements a simple command/response service. One of the commands (number 2) writes an arbitrary value to a fixed set of two registry keys: one specific to NVIDIA (no effort has been made to determine whether this could be abused) and the HKEY_LOCAL_MACHINE Explorer Run key. The Run key is inspected whenever a new copy of the Windows Explorer shell is started, and every value under it is treated as a command line to execute. Therefore any user on the system can create an arbitrary Run key entry and have their own commands executed in the security context of any other user (such as an administrator) who logs into the system and interacts with the desktop. The named pipe is not locked down to prevent abuse; in fact it is given a NULL DACL, which means any user can open it, although it cannot be exploited from typical application sandboxes such as Chrome or IE. When the pipe is created no attempt is made to prevent remote access (by passing the PIPE_REJECT_REMOTE_CLIENTS flag), so the service can also be reached from other systems on the same network, allowing the vulnerability to be exploited between machines in a Windows domain environment.
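As an added example (not code from the advisory or from NVIDIA), the following PowerShell hunt script checks the two conditions the write-up describes on a host: whether the current account can open the service pipe (run it as an unprivileged user, and optionally against a remote server name to confirm the missing PIPE_REJECT_REMOTE_CLIENTS exposure), and what the machine-wide Run key currently launches, flagging entries whose binary a low-privileged principal could replace. The pipe name and the Run key path come from the text; the helper names, the list of broad principals, the write-rights mask and the accesschk follow-up are this example's own choices.

```powershell
# Added example, not code from the advisory or from NVIDIA. Pipe name and the
# HKLM Run key come from the write-up; helper names, the principal list and
# the accesschk follow-up are this example's own choices.

$PipeName = 'stereosvrpipe'
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Principals that should never hold write rights on an auto-start binary.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-PipeOpenable {
    # Open the pipe exactly as a client would. A NULL DACL lets the open
    # succeed for any account; a remote -Server shows network reachability.
    param([string]$Name, [string]$Server = '.')
    $client = New-Object System.IO.Pipes.NamedPipeClientStream($Server, $Name)
    try {
        $client.Connect(2000)            # milliseconds; throws on timeout or denial
        return $true
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function Get-ExecutableFromCommandLine {
    # Run-key values are command lines; recover the binary they launch.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }         # "C:\x y\a.exe" /q
    if ($CommandLine -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }   # C:\x\a.exe /q
    $first = ($CommandLine -split '\s+')[0]                                  # bare name, via PATH
    $cmd = Get-Command $first -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    return $null
}

function Get-BroadWriteGrants {
    # ACEs that would let a low-privileged principal replace the binary.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @('target missing (may be planted later)') }
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        } |
        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
}

# 1. Can this account open the service pipe?
if (Test-PipeOpenable -Name $PipeName) {
    Write-Warning "Opened \\.\pipe\$PipeName as $env:USERNAME. Inspect its DACL with Sysinternals: accesschk.exe -v Everyone \pipe\$PipeName"
} else {
    Write-Host "Could not open \\.\pipe\$PipeName (service absent or access denied)."
}

# 2. List the machine-wide Run entries (the sink that command 2 writes to)
#    and flag any whose binary low-privileged users could replace.
$run = Get-Item -LiteralPath $RunKey
foreach ($name in $run.GetValueNames()) {
    $cmdline = $run.GetValue($name)
    $exe     = Get-ExecutableFromCommandLine $cmdline
    $weak    = if ($exe) { Get-BroadWriteGrants $exe } else { @('could not resolve executable') }
    [pscustomobject]@{
        ValueName   = $name
        CommandLine = $cmdline
        Executable  = $exe
        WeakAcl     = ($weak -join '; ')
    }
}
```

A successful open from a non-administrative account, or from another host with `-Server <name>`, confirms the access-control gap the text describes; the Run key listing is the place to look for entries planted through command 2, since any value there runs in the session of the next user who logs in.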
This exploit is a local crash PoC for Audacious 3.7. It creates a copy of a test MP3 file and then uses the Mp3Info library to set the artist tag to a string of 1048576 (1 MiB) 'A' characters, which causes the application to crash when the file is opened.
This exploit allows an attacker to execute arbitrary code on the vulnerable system. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'arguments' parameter of the 'decodeArguments' API hook. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable system. Successful exploitation of this vulnerability can result in arbitrary code execution on the vulnerable system.
A use-after-free memory corruption occurs when Outside In decodes a JBIG2Decode stream containing an invalid image. Successful exploitation may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
An error in the PDF parser could lead to memory corruption when processing a crafted PDF containing an invalid image. Successful exploitation may allow execution of arbitrary code.
Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial local privilege escalation. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.