The MRCREATECOLORSPACEW::bCheckRecord() function starts off by checking that the length of the record is greater than or equal to 0x50 (80) and then immediately proceeds to read the .cbData field at offset 0x25c (604). Since the record is not guaranteed to be large enough to hold the value at +0x25c, the instruction shown above can read beyond the allocated buffer. Furthermore, the value obtained from offset +0x25c is also used to verify the remaining size of the record; however, the comparison is performed without taking into account the possibility of an integer overflow.
There is a use-after-free in SetNative. If a watch is placed on a native that is initialized by SetNative, it can delete the object the set is being called on, leading to a use-after-free.
There is a use-after-free in addProperty. If a property is added to a MovieClip object that already has a watch defined, and the watch deletes the MovieClip, it is used after it is freed. A minimal PoC follows: var t = this.createEmptyMovieClip("t", 1); t.watch("a", func); t.addProperty("a", func, func); function func() { trace("a"); } A sample fla and swf are attached.
There is a type confusion issue in the FileReference constructor. The constructor adds several properties to the constructed object before setting the type and data. If a watch is set on one of these properties, code can be called and the object can be initialized to one with a destructor before the FileReference constructor sets the object data, leading to type confusion when the object is garbage collected.
A stack corruption vulnerability exists in Adobe Flash Player versions prior to 28.0.0.137. The vulnerability is caused by a boundary error when parsing MP4 files. An attacker can exploit this vulnerability to execute arbitrary code in the context of the current user.
There is a large heap overflow in reading an ATF image into a Bitmap object. To reproduce the issue, load the attached file '4' using LoadImage.swf as follows: LoadImage.swf?img=4
There is an overflow in the processing of raw 565 textures in ATF processing. To reproduce the issue, load the attached file '70' using LoadImage.swf as follows: LoadImage.swf?img=70
There is an out-of-bounds read when placing a corrupt image. This issue might be exploitable, depending on what is read. A PoC is attached. To reproduce the issue, put both files on a server, and load http://127.0.0.1/LoadImage.swf?img=70
There is an out-of-bounds read in JXR processing which is probably not exploitable, but could be used as an information leak. To reproduce the issue, load the attached file '8' using LoadImage.swf as follows: LoadImage.swf?img=8
This exploit is a proof-of-concept code for a remote code execution vulnerability in Cisco IOS. It allows an attacker to execute arbitrary code on a vulnerable Cisco IOS device. The exploit works by sending a specially crafted packet to the vulnerable device. The packet contains two shellcodes, one for spawning a reverse Cisco CLI shell and one for spawning a reverse "/bin/sh" shell. The shellcodes are written in assembly language and are encoded using a simple XOR encoding scheme.