
Explore Vulnerabilities


Explore all Exploits:

Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled

When run without Application Verifier enabled, a buffer overflow vulnerability was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled. This bug did not reproduce in Office 2010 or 2013. The minimized crashing file shows a one-bit delta from the original file at offset 0x49E8. OffVis reports this to be the CreateTime field of an OLESSDirectoryEntry structure. The global variable dword_30F5F9BC points to a structure that is corrupted, resulting in a buffer overflow.

Microsoft Office 2007 Crash with Microsoft Office File Validation Add-In disabled and Application Verifier enabled

A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled. This bug did not reproduce in Office 2010 or 2013. The minimized crashing file shows two one-bit deltas from the original file: the first is at offset 0x1CF7E and the second at offset 0x3A966. Both of these offsets appear to be BIFFRecord lengths.

Microsoft Excel 2007/2010/2013 Memory Corruption Vulnerability

This vulnerability was observed in Microsoft Excel 2007 running on Windows 2003 R2. The crash was also reproduced in Microsoft Excel 2010 on Windows 7 x86 and Microsoft Excel 2013 on Windows 8.1 x86. The test environment was Excel 2007 on Windows 2003 R2 with Application Verifier basic checks enabled. The minimized crashing file shows two deltas from the original: the first, at offset 0x237, is in the data of the 4th BIFFRecord, and the second, at offset 0x34a5, is in the type field of a BIFFRecord.

Kirby CMS <= 2.1.0 CSRF Content Upload and PHP Script Execution

KirbyCMS has a vulnerability that allows the upload of PHP script files that are normally disallowed. This issue can only be exploited by authenticated users, but the admin role is not required. Additionally, KirbyCMS has a second vulnerability, Cross-Site Request Forgery (CSRF), which may allow attackers to perform file upload actions on behalf of an already authenticated KirbyCMS user if the attacker manages to trick them into visiting a specially crafted website. This issue can allow an unauthorised attacker to modify or upload new content. The two issues can be combined to execute arbitrary PHP code on the remote server hosting KirbyCMS if a logged-in victim visits a malicious page containing an exploit crafted by an attacker.

Windows: Task Scheduler DeleteExpiredTaskAfter File Deletion Elevation of Privilege

The Task Scheduler can be made to delete a task after its trigger has expired. No check is made to ensure the task file is not a junction, which allows arbitrary files to be deleted by the SYSTEM user, leading to EoP. If a scheduled task is configured with the DeleteExpiredTaskAfter setting, the service deletes the task, including its task file, after the triggers have expired. It performs the deletion in a timer callback thread but does not call DeleteFile with the privileges of the task, instead running as local system. The PoC demonstrates the vulnerability by deleting an arbitrary file from the system.

Windows: NtUserGetClipboardAccessToken Token Leak Redux

The NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token, which OpenThreadToken normally should not be able to do. This is a bypass of the fix for CVE-2015-0078. The check can be bypassed by creating a process from one of the pre-signed executables, such as explorer.exe, RuntimeBroker.exe or LicensingUI.exe, and then injecting a DLL into that process.

Windows: User Mode Font Driver Thread Permissions EoP

When a custom font is used in Windows 10, the User Mode Font Driver (UMFD) comes into play. It is initialized by a call from the kernel into the user session's winlogon process, which in turn spawns a new copy of fontdrvhost.exe. The process is started inside an AppContainer, heavily restricting the resources it can access if a font bug were able to compromise it. However, win32k exposes some additional calls to the UMFD for its own purposes, some of which are potentially dangerous. For that reason (presumably) winlogon creates the process with a specific DACL limiting access to the process and its initial thread to SYSTEM only. There are a few problems with this approach. First, the process is still running in the context of the user and includes the user's environment variables such as PATH, so any badly written code that later relies on the drive mapping or PATH could cause issues. More serious, however, is that the specified DACL only applies to the process object and the initial thread object, not to any subsequent thread. Those threads therefore get the default DACL from the process token (which is never changed) and are marked as owned by the current user, so the DACL could be rewritten anyway. This is a problem because, with write access to the threads, it is possible to change their context and redirect execution to an arbitrary location. As the token is a LowBox token, this makes it possible to execute code as SYSTEM.

Silver Peak VXOA Multiple Vulnerabilities

These vulnerabilities affect Silver Peak VX versions prior to 6.2.11. They include command injection, unauthenticated file read, mass assignment, shell upload, and hardcoded credentials. By combining them, an attacker may remotely obtain root privileges on the underlying host. The command injection vulnerability lies in the "snmp" call, which does not sanitise the "auth_key" parameter before including it in an executed command string. The unauthenticated file read vulnerability allows an attacker to read arbitrary files on the filesystem via the "get_file" call of the REST JSON interface.
