An ACE is an Access Control Entry, many of which may be attached to an ACL (Access Control List). On Windows, an ACL can be of type SACL or DACL (System vs Discretionary). The routine nt!SeObjectCreateSaclAccessBits omits proper bounds checking, so an attacker who specifies a pathological ACE size and count can disrupt the operation of the system: a pathological ACE configuration causes a fatal system error (bugcheck).
A bitblt (bit block transfer) is used to copy one rectangular region of the screen to another, often performing a raster operation (rop) of some sort (e.g. AND, OR, XOR). On Windows, bitblts are performed using the BitBlt() GDI32 API, which is passed a source and a destination DC along with the dimensions of the region to transfer. BitBlt() is backed by the native system service NtGdiBitBlt(). On Windows 7, the following code from win32k!GreStretchBltInternal is guarded by a check for a rop including CAPTUREBLT (Include Layered Windows). This code does not handle the case dcoSrc == dcoTrg, which causes bUnMap() to be called twice for the same SURFACE. This results in a synchronization error and a bugcheck due to the unhandled exception. It is possible that on MP machines a race condition exists that would allow an attacker to continue past the initial error, possibly resulting in an exploitable condition.
The Kernel Transaction Manager (KTM) was introduced in Windows Vista and has been included in subsequent versions of Windows. Microsoft describes the feature in this MSDN article. The API documentation for CreateTransaction() explains that the LPGUID parameter UOW is reserved and must be NULL. However, looking at nt!TmInitializeTransaction you can see that Microsoft uses this parameter internally, and relies on a NULL LPGUID in NtCreateTransaction to differentiate new transactions. Nothing prevents an attacker from ignoring the fact that this parameter is reserved, allowing them to put the KTM into a pathological state of operation. This vulnerability is obviously exploitable, and can be used to elevate privileges on vulnerable systems.
MUSE v4.9.0.006 is vulnerable to a local universal buffer overflow. An attacker can exploit this vulnerability by creating a malicious .pls file and having it opened on the target system. This causes an SEH overwrite and allows the attacker to execute arbitrary code on the target system.
A buffer overflow vulnerability exists in MUSE v4.9.0.006 when a specially crafted .m3u file is opened. The vulnerability is due to insufficient boundary checks when processing the .m3u file; an attacker who delivers a malicious .m3u file can exploit it to execute arbitrary code on the target system.
An attacker can exploit this vulnerability by appending a malicious SQL query to the vulnerable parameter 'id' in the URL. For example, http://site.com/index.php?option=com_ongallery&task=ft&id=-1+order+by+1-- or http://site.com/index.php?option=com_ongallery&task=ft&id=-1+union+select+1--
123 Flashchat version 7.8 is vulnerable to Directory Traversal, XSS, and passwords sent in clear text. Directory Traversal can be exploited by sending a specially crafted HTTP request containing directory traversal sequences (e.g. "/../../../../../../boot.ini") to the vulnerable server. XSS can be exploited by sending a specially crafted HTTP request containing malicious JavaScript code (e.g. "<script>alert('Corelan')</script>") to the vulnerable server. Passwords are sent in clear text: the login request carries the user's credentials unencrypted (e.g. "username=admin&password=admin"), so they can be read by anyone able to observe the traffic to the vulnerable server.
A parameter is not properly sanitised before being used by the require_once function, allowing a guest (unauthenticated user) to include local files.
The component "com_equipment" is vulnerable to SQL Injection. An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable parameters, which are "id" and "sec_men_id" in the URL. The malicious SQL query can be sent using the UNION operator.
Rosoft Media Player 4.4.4 is vulnerable to an SEH buffer overflow. An attacker can exploit this vulnerability by sending a specially crafted .m3u file to the victim, and can execute arbitrary code on the victim's system when the file is opened.