Processing malformed H264 streams in readSPSandGetDecoderParams can lead to an OOB read, an OOB write and stack_chk crashes. This issue can occur if someone accepts a malicious FaceTime call. To reproduce the issue, the attacker needs to build no-encrypt.c, copy the file to /usr/lib/mylib, use insert_dylib to add /usr/lib/mylib to AVConference, build video-replay.c, use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference, use insert_dylib to add /usr/lib/mylib to AVConference, edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write, restart the machine, extract the attached sc.zip to /out and change the permissions so it is readable by AVConference, and call the target.
There is a memory corruption issue when processing a malformed RTP video stream in FaceTime that leads to a kernel panic due to a corrupted heap cookie or a data abort. This bug can be reached if a user accepts a call from a malicious caller. This issue only affects FaceTime on iOS; it does not crash on a Mac. The issue can be reproduced using the attached sequence of RTP packets.
PortSmash is a side-channel attack that exploits simultaneous multithreading (SMT) in modern processors to obtain private cryptographic keys. It is a local attack that requires the attacker to have access to the same physical machine as the victim. The attack is based on the fact that SMT allows two threads running on the same physical core to observe each other's cache-evicted data. The attack works by having one thread, the spy, monitor the cache-evicted data of the other thread, the victim, while the victim is performing a cryptographic operation. The spy can then use the data it observes to infer the secret cryptographic key used by the victim.
An attacker can exploit a SQL injection vulnerability in Voovi Social Networking Script 1.0. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'user' parameter of the '/[PATH]/' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application's database. This can allow the attacker to steal sensitive data from the database.
Any third-party web application can steal credentials created in Royal TS/X when the browser extension is enabled. The browser extension communicates using WebSockets (default TCP port 54890), and the WebSocket endpoint does not perform any validation of the request's origin.
LiquidVPN installs the helper tool 'com.smr.liquidvpn.OVPNHelper' for performing privileged (root) actions. In order to allow other LiquidVPN components to send messages to the helper tool, it implements an XPC service. Static code analysis showed that the XPC service does not filter incoming messages. This means regular users (local attackers) can craft arbitrary XPC messages and send them to the service. This leads to the following issue: 'anycmd' Privilege Escalation (reserved CVE-2018-18857).
Softros LAN Messenger 9.2 is vulnerable to a Denial of Service attack when a maliciously crafted file is used as a custom log file location. An attacker can exploit this vulnerability by running a Python script to create a malicious file, copying its content to the clipboard, selecting a custom log file location in Softros LAN Messenger and pasting the clipboard content. This will cause the application to crash.
Any user can read files from the server without authentication due to an existing LFI in the following path: http://target/index.php?q=file:///[FilePath]
Mongo Web Admin 6.0 is vulnerable to information disclosure. An attacker can send a GET request to the webservice/Data/connections.json endpoint to view the connection details such as host, port, user, and password.
Poppy Web Interface Generator 0.8 has an arbitrary file upload vulnerability. An attacker can upload a malicious file to the web server by sending a specially crafted HTTP request to the vulnerable application. This can be exploited to execute arbitrary code on the web server.