The userspace MIG wrapper IORegistryIteratorExitEntry invokes the following kernel function, which contains a double-free vulnerability if two threads enter it at the same time. This vulnerability can be reached from all sandboxes on OS X and iOS.
This vulnerability is due to the lack of locking in IOHDIXControllUserClient::clientClose. At offset +0x200 the user client holds a vfs_context_t (struct vfs_context*), which is passed to vfs_context_rele() at offset +0x69. This release should be protected by a lock, but it isn't, so if two threads call clientClose() at the same time they can both release the same vfs_context_t, leading to a use-after-free or a double free.
This exploit is a proof-of-concept (PoC) for a race condition vulnerability in the IORegistryIterator::reset() function in the XNU kernel of iOS and OS X. The vulnerability is a race between two threads: one thread frees the done OSOrderedSet* while the other thread calls ->release on the now-freed OSOrderedSet. A malicious user can exploit this to gain control of the instruction pointer and execute arbitrary code. The PoC uses OSUnserializeXML to unserialize an OSData object with controlled contents, which places a controlled heap allocation at the head of the kalloc.80 freelist, giving the attacker control of the instruction pointer.
Multiple NETGEAR wireless routers are vulnerable out of the box to an authentication bypass attack. No router options have to be changed to exploit the issue, so an attacker can access the administration interface of the router without submitting any valid username and password, just by requesting a special URL several times.
The $root parameter is set in __construct, but no value is ever passed to it. Therefore nothing is checked before the include on line 13, and an attacker can use it to execute malicious code. In this case, the __construct check is meaningless.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of VLC. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file. A heap memory corruption occurred when VLC parsed a malformed MPEG-4 file that contains an invalid Sample Table and Sample Description Box.
A SQL injection flaw was discovered in the latest WordPress appointment-booking-calendar plugin, version 1.1.24. The flaw was found in the function that is executed when the action 'cpabc_appointments_calendar_update' is called. Successful exploitation of this vulnerability requires a vulnerable WordPress site using a special character set that allows the 'addslashes' function (called automatically by WordPress's 'wp_magic_quotes' function and applied to all $_POST and $_GET variables) to be bypassed. The vulnerable code is: $myrows = $wpdb->get_results( "SELECT * FROM ".CPABC_APPOINTMENTS_CONFIG_TABLE_NAME." WHERE conwer=$conwer ORDER BY `".CPABC_TDEAPP_CONFIG_ID."` DESC" ); The variable '$conwer' is not sanitized and is used directly in the query.
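As an added illustration, not code from the plugin or from the advisory, the following places the vulnerable query pattern quoted above beside the form a defender would expect: the owner id is validated as an integer and bound through WordPress's $wpdb->prepare() with a %d placeholder, and a capability check sits in front of the action handler. The function names, the assumption that conwer is a numeric owner id, and the placeholder values given to the plugin's table-name constants are all assumptions.

```php
<?php
// Added example, not the plugin's own code. It assumes the WordPress $wpdb
// object and the plugin constants CPABC_APPOINTMENTS_CONFIG_TABLE_NAME and
// CPABC_TDEAPP_CONFIG_ID; the values defined here are placeholders only.
if (!defined('CPABC_APPOINTMENTS_CONFIG_TABLE_NAME')) {
    define('CPABC_APPOINTMENTS_CONFIG_TABLE_NAME', 'wp_cpabc_config'); // placeholder
}
if (!defined('CPABC_TDEAPP_CONFIG_ID')) {
    define('CPABC_TDEAPP_CONFIG_ID', 'id'); // placeholder
}

// Vulnerable pattern from the advisory, kept only for comparison: $conwer is
// concatenated into the SQL unquoted. addslashes()/wp_magic_quotes only escape
// quote characters, so they do not help here, and the advisory notes that a
// special character set lets the escaping be bypassed anyway.
function cpabc_config_rows_vulnerable($wpdb, $conwer) {
    return $wpdb->get_results(
        "SELECT * FROM " . CPABC_APPOINTMENTS_CONFIG_TABLE_NAME .
        " WHERE conwer=$conwer ORDER BY `" . CPABC_TDEAPP_CONFIG_ID . "` DESC"
    );
}

// Hardened form (hypothetical function name). conwer is assumed to be an
// integer owner id, so it is coerced with absint() and bound with %d via
// $wpdb->prepare(). Identifiers (table and column names) are never bound;
// they come from constants, not from the request.
function cpabc_config_rows_safe($wpdb, $conwer) {
    $conwer = absint($conwer);           // WordPress helper: non-negative integer
    if ($conwer === 0) {
        return array();                   // reject a missing or non-numeric id early
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM " . CPABC_APPOINTMENTS_CONFIG_TABLE_NAME .
        " WHERE conwer = %d ORDER BY `" . CPABC_TDEAPP_CONFIG_ID . "` DESC",
        $conwer
    );
    return $wpdb->get_results($sql);
}

// Hypothetical handler for the 'cpabc_appointments_calendar_update' action:
// a capability check in front of the query limits who can reach it at all,
// which also addresses the unauthenticated-update issue described next.
function cpabc_calendar_update_handler($wpdb) {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    $conwer = isset($_POST['conwer']) ? $_POST['conwer'] : 0;
    return cpabc_config_rows_safe($wpdb, $conwer);
}
```

The key design choice is that the value is typed before it reaches the query: with %d a request value such as "1 OR 1=1" becomes the integer 1, so no escaping of quote characters, and therefore no charset-dependent escaping behaviour, is involved.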
Multiple privilege escalation flaws were found in the appointment-booking-calendar plugin that allow remote low-privileged and unauthenticated users to update calendar owners and options (allowing persistent XSS): changing all appointment tables to the UTF-8 charset, injecting persistent XSS into the 'ict' and 'ics' options, and setting the 'CPABC_APPOINTMENTS_LOAD_SCRIPTS' option to the value '1'.
This exploit is used to gain root access on some Android devices that have the sensord daemon running as a root process. The exploit sets the suid bit on /system/bin/mksh and links /data/misc/sensor/fifo_dat to a block device to make it read-write. The exploit also disables auto-rotate so that the /system partition is not overwritten.
The 'g_name' parameter is not sanitized in the 'gallery1.php' file, which leads to SQL injection and reflected XSS.