The method AppleGraphicsControlClient::checkArguments does actually appear to test whether the pointer at this+0xd8 is non-null, but uses it anyway. We can race external methods which call this with another thread calling IOServiceClose to get a NULL pointer there. By mapping the NULL page in userspace, this gives us trivial kernel RIP control, as the code makes a virtual call on a NULL object pointer.
There's an integer overflow issue in get_node_path_locked, which results in a buffer overflow. For all of the calling paths, this overflows a stack buffer in the parent function. It can be triggered by a malicious app creating a directory structure in /sdcard with a total path length longer than PATH_MAX, which can be achieved by creating a directory hierarchy starting with several directories with short names and later renaming these parent directories to have longer names. It appears that the overflow is close enough to the bottom of the stack that, with a large overflow, we can corrupt thread data that is used before the stack cookie is checked, suggesting that this issue is possibly exploitable despite the presence of stack cookies.
The method nvCommandQueue::GetHandleIndex doesn't check whether this+0x5b8 is non-null before using it. We can race a call to this method with another thread calling IOServiceClose to get a NULL pointer there. By mapping the NULL page in userspace, this gives us trivial kernel RIP control, as the code makes a virtual call on a NULL object pointer.
IPFire, a free Linux-based open source firewall distribution, version <= 2.15 Update Core 82, contains an authenticated remote command execution vulnerability via Shellshock in the request headers.
The League of Legends folder is installed with insecure file permissions. It was found that all folder and most file permissions were incorrectly configured during installation. It was possible to replace most binaries. This can be used to achieve horizontal and vertical privilege escalation.
Armadito is a modern antivirus developed by the French company TecLib'. Looking at the source code made public a few days ago, it was discovered that there was a backdoor (or a real lack of knowledge on the part of their developers, meaning that they should reconsider working in security). As can be seen in the GitHub repository, in the file armadito-av/core/windows/service/scan_onaccess.c at line 283, an obvious backdoor has been implemented. Naming a file ARMADITO.TXT-Malware.exe (or anything containing ARMADITO.TXT in its name) simply bypasses the runtime analysis of the antivirus.
The PHP `filter_input()` function with the `FILTER_VALIDATE_URL` flag is used to validate the URL inside the `savefaq` functionality. But this function doesn't protect against XSS. By default, every user can propose FAQ entries. When an admin activates the article using the http://phpmyfaq/admin/?action=view URL, or when the records.defaultActivation option is enabled, the XSS will be visible on the entry page. For exploitation, use the following URL inside the "Link for this FAQ" field: http://example.com/"><script>alert("xss")</script>
miniMySQLAdmin is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious HTML page containing a form with hidden fields that can be used to execute arbitrary SQL queries on the vulnerable server. This can be used to create a new user with full privileges.
A CSRF vulnerability exists in Mobiketa 1.0 which allows an attacker to add an admin user to the application. An attacker can craft a malicious HTML page containing a form with hidden fields and submit it to the vulnerable application. The form contains the parameters required to add an admin user. Upon successful submission, the attacker can gain access to the application as an admin user.
When using an XML parser on data returned by a remote node, OMSA does not restrict the use of external entities. This PoC first emulates a remote node (OMSA -> WS-Man -> this) and requests from the victim OMSA (this -> HTTPS -> OMSA) that it be managed. Next, the PoC requests (this -> HTTPS -> OMSA) a plugin that will attempt to parse returned XML, and when the OMSA instance requests this XML from the emulated node (OMSA -> WS-Man -> this), the PoC returns XML that includes an XXE attack, revealing the contents of /etc/redhat-release. Because OMSA merely requires that you be authenticated to the node you are managing, which we control, authentication to the victim is not required to exploit this vulnerability.