The Samsung Graphics 2D driver (/dev/fimg2d) is accessible by unprivileged users/applications. It was found that the ioctl implementation for this driver contains a locking error which can lead to memory errors (such as use-after-free) due to a race condition. The key observation is in the locking routine definitions in fimg2d.h, where the g2d_lock/g2d_unlock routines are no-ops when BLIT_WORKQUE is defined, which appears to be the default configuration. Unfortunately, the alternative spin lock routines are not used consistently with this configuration. For example, the FIMG2D_BITBLT_BLIT ioctl command can lead to a use-after-free vulnerability if two processes with different mm's have access to the same file descriptor.
The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server. There is a stack buffer overflow in the compat ioctl for m2m1shot, where the data.buf_out.num_planes value is an attacker-controlled 'u8' value and is not bounds checked. However, the task.task.buf_out.plane array is fixed in size (three elements), so a buffer overflow can occur during the loop.
The default Samsung email client's email viewer and composer (implemented in SecEmailUI.apk) doesn't sanitize HTML email content for scripts before rendering the data inside a WebView. This allows an attacker to execute arbitrary JavaScript when a user views an HTML email which contains HTML script tags or other event handlers. At the very least, the JavaScript could exploit the attack surface provided within the WebView control. It might also be possible to access local file content or emails depending on the full configuration of the WebView, although this hasn't been tested fully.
The password of the router can be changed even without having access. Copying and pasting 'javascript:mimic_button('goto: 9096..')' into the address bar redirects the router to another page where the password can be changed.
This vulnerability allows any authenticated JIRA user to execute code under the Tomcat identity. This is achieved by sending a specially crafted request to the JIRA server, which contains malicious Velocity Template code. This code is then executed by the server, allowing the attacker to execute arbitrary code.
This module exploits Th3 MMA mma.php Backdoor which allows an arbitrary file upload that leads to arbitrary code execution. This backdoor also echoes the Linux kernel version or operating system version because of the php_uname() function.
In versions of Mac OS X before 10.11.1, the applescript:// URL scheme is provided, which opens the provided script in the AppleScript Editor. Pressing cmd-R in the Editor executes the code without any additional confirmation from the user. By getting the user to press cmd-R in Safari, and by hooking the cmd-key keypress event, a user can be tricked into running arbitrary AppleScript code. Gatekeeper should be disabled from Security & Privacy in order to avoid the unidentified developer prompt.
Win10Pcap-Exploit is a buffer overflow vulnerability in Win10Pcap, a Windows packet capture library. The vulnerability is caused by a lack of bounds checking when handling user-supplied data. An attacker can exploit this vulnerability by sending a specially crafted packet to the target system, which can cause a denial of service or allow the attacker to execute arbitrary code.
Alreader 2.5 is a free FB2 reader for Windows. An overflow occurs when a long author name is created in the FB2 file. The app uses WCHAR (1 char = 2 bytes) and UTF-16 encoding. A single null byte can be used in the payload. To bypass ASLR, a ROP-style approach is used. The main module Alreader2.exe is non-ASLR and contains calls to GetModuleHandleW and GetProcAddress. These functions can be used to get a pointer to call VirtualProtect to make the stack executable and run shellcode. On overflow, the SEH record is overwritten, allowing control of EIP. To get control of the stack, an ADD ESP, <value> gadget is used. This is followed by a chain of ROP gadgets.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.