It’s possible to bypass the ProcessFontDisablePolicy check in win32k to load a custom font from an arbitrary file on disk even in a sandbox. This might be used as part of a chain to elevate privileges. If anything this is really a useful demonstration that you probably want to shut down object manager directory shadowing as part of the sandbox mitigations, even if you don’t fix the explicit bypass. The issue is due to a race condition (a time-of-check/time-of-use window between the two opens of the same path) in the check, which looks similar to the following:

    int WIN32K::bLoadFont(...) {
        int load_option = GetCurrentProcessFontLoadingOption();
        bool system_font = true;
        if (load_option) {
            HANDLE hFile = hGetHandleFromFilePath(FontPath);   <- First open of path
            system_font = bIsFileInSystemFontsDir(hFile);      <- Should return True
            ZwClose(hFile);
            if (!system_font) {
                LogFontLoadAttempt(FontPath);
                if (load_option == 2)
                    return 0;
            }
        }
        // Switch out path here
        HANDLE hFont = hGetHandleFromFilePath(FontPath);       <- Will open our custom font
        // Map font as section
    }
An attacker can create a chain of e.g. /proc/$pid/environ mappings where process 1 has /proc/2/environ mapped into its environment area, process 2 has /proc/3/environ mapped into its environment area and so on. A read from /proc/1/environ would invoke the pagefault handler for process 1, which would invoke the pagefault handler for process 2 and so on. This would, again, lead to kernel stack overflow.
The Adobe Type Manager Font Driver (ATMFD.DLL) responsible for handling PostScript and OpenType fonts in the Windows kernel provides a channel of communication with user-mode applications via an undocumented gdi32!NamedEscape API call. The nature of the channel is similar to IOCTLs of type METHOD_BUFFERED, in that it also uses a 32-bit escape code (equivalent to control codes in IOCTL), and input and output buffers employed to pass data to the driver and receive information back. A 0-day pool corruption (stemming from a 16-bit signedness issue) was discovered in Hacking Team's leaked data dump and subsequently fixed by Microsoft in the MS15-077 bulletin.
A vulnerability was found in the gdi32.dll user-mode library, which performs insufficient sanitization of DIBs (Device Independent Bitmaps) in the EMF (Enhanced Metafile) image format. This leads to heap-based out-of-bounds reads while parsing/loading the bitmap, and in some cases to a subsequent memory disclosure. All clients which allow the loading of arbitrary EMF images are affected.
Publisher Pro is the ultimate publishing platform for Joomla, turning your site into a professional news portal or a magazine that people want to read! Itemid Parameter Vulnerable To SQL Injection http://server/index.php?option=com_publisher&view=issues&Itemid=[SQLI]&lang=en
Yona CMS is vulnerable to a CSRF attack (no CSRF token in place), meaning that if an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), a form will be submitted to (http://localhost/admin/admin-user/add) that will add a new user as administrator. Once exploited, the attacker can log in to the admin panel (http://localhost/admin) using the username and password they posted in the form.
IonizeCMS is vulnerable to a CSRF attack (no CSRF token in place), meaning that if an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), a form will be submitted to (http://localhost/en/admin/user/save) that will add a new user as administrator. Once exploited, the attacker can log in to the admin panel (http://localhost/en/admin/auth/login) using the username and password they posted in the form.
Banshee Media Player is vulnerable to a buffer overflow. The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside the intended boundary of the buffer. Attackers may leverage this issue to trigger the overflow remotely and execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
The application suffers from an unquoted search path issue impacting the service '0patchservice' for Windows, deployed as part of the 0patch solution. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to place their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during service startup or reboot. If successful, the local user’s code would execute with the elevated privileges of the application.
This exploit uses a form to send a POST request to the vulnerable Airia application. The POST request contains mode, file, scrollvalue, contents, and group parameters. The mode parameter is set to 'save', which saves the contents parameter to the file specified in the file parameter. The contents parameter is set to 'CSRF Attack', which is written to that file. The group parameter is set to '1', which sets the group of the file to '1'. The exploit is triggered by submitting the form with a JavaScript submit call.