Attackers are able to completely compromise the web application built upon Grid Gallery, as they can gain access to the admin panel and manage the website as an admin without prior authentication! Step 1: Create a rule in the No-Redirect Add-on: ^http://example.com/path/admin/login.php Step 2: Access http://example.com/path/admin/index.php
Attackers are able to completely compromise the web application built upon Dream Gallery, as they can gain access to the admin panel and manage the website as an admin without prior authentication! Step 1: Create a rule in the No-Redirect Add-on: ^http://example.com/path/admin/login.php Step 2: Access http://example.com/path/admin/index.php
Viart Shopping Cart 5.0 is vulnerable to CSRF shell upload. An attacker can craft a malicious HTML page and send it to the admin of the application. When the admin visits the page, the malicious code is executed and the attacker can upload a shell to the server. The shell can then be accessed from http://localhost/images/[your shell].
FRticket is a customer support ticket system. An attacker can inject malicious code into the ticket title field; the code is stored in the database and executed when the ticket is viewed by an administrator. This can be exploited to execute arbitrary HTML and JavaScript in the administrator's browser.
nvAPIClient::Escape is the sole external method of nvAccelerator userclient type 0x2a0. It implements its own method and parameter demuxing using the struct-in/struct-out buffers. The second dword in the struct-in buffer is another method identifier, used in a switch statement in ::Escape to choose the method to call. Method 24 is ::SetClocksShmoo. On entry to this method rsi points to a buffer in kernel space with completely user-controlled contents. The uint16_t field at +0xc is used as a loop count for the memory-copying loop at +0xff3e with insufficient bounds checking. The destination stack buffer is 0x520 bytes below the saved frame pointer, but the code only checks whether the value we provide (after bit shifting) is greater than 0xff. Since each iteration of the loop writes 0x14 bytes, we can actually write up to 0x13ec bytes, which is well over the size of the destination stack buffer. This bug is reachable from the Safari renderer sandbox and the Chrome GPU process sandbox on devices with the appropriate hardware (e.g. MacBook Pro).
This is a use-after-free vulnerability in the OS X/iOS kernel. The vulnerability is caused by a race condition between the copyProperty macro used by is_io_registry_entry_get_property_bin and the testNetBootMethod external method. The copyProperty macro takes the entry's properties lock before reading and taking a reference on the property, while the testNetBootMethod external method directly calls the overridden setProperty without taking that same lock. This can lead to a use-after-free condition if the ::release call happens before the ::retain in copyProperty. This PoC will crash as a UaF, but with more care it is possible to get the OSSerialize to serialize an invalid object, leading to a kernel memory disclosure.
The IOHIDFamily function IOHIDDevice::handleReportWithTime takes an attacker-controlled, unchecked IOHIDReportType enum, which was cast from an int in either IOHIDLibUserClient::_setReport or _getReport. handleReportWithTime only checks that the enum is <= the max, but enums are really just (signed) ints, so there needs to be a lower-bounds check here too. reportType is then used in GetHeadElement, which leads to an OOB read off the head array followed by virtual function calls.
Pretty much all the external methods of CoreCaptureUserClient call CoreCaptureUserClient::stashGet, passing an attacker-controlled key. If that key isn't in the list of stashed objects, stashGet returns a NULL pointer. No callers actually check the return value, though, which leads immediately to a call to a virtual method on a NULL pointer. By mapping the NULL page we can get trivial RIP control.
The IOAccelerator external method IOAccelSharedUserClient2::page_off_resource uses the pointer at this+0x100 without checking whether it's NULL. A series of dereferences from this pointer leads to trivial RIP control. We can race two threads: in one, call the external method, and in the other, call IOServiceClose, which NULLs out the pointer at this+0x100. By mapping the NULL page into userspace we can control the pointer read.
AppleGraphicsDeviceControlClient doesn't check that its pointer to its IOService (at this+0xd8) is non-NULL before using it in all external methods. We can set this pointer to NULL by racing two threads, one of which calls IOServiceClose (which NULLs out the pointer) while the other makes any external method call. By mapping the NULL page in userspace this gives us trivial kernel RIP control, as the code makes a virtual call on a NULL object pointer.