Explore Vulnerabilities
io_hideventsystem sets up a shared memory event queue

This vulnerability allows an attacker to modify the mach message that sits at the end of the shared memory buffer, which can be used to make the server send an arbitrary mach port from its own namespace with an arbitrary disposition. This can be used to gain code execution as backboardd on iOS 11.4.1 and to get a real tfp0 on iOS 7.1.2.

SLEH Exception Handler Vulnerability

This vulnerability is a stack-based buffer overflow in the second level exception handler (SLEH) for undefined instruction exceptions. The bug is that copyin can be forced to fail by unmapping the page containing the undefined instruction while the exception is being handled. The PoC places an undefined instruction (0xdeadbeef) on its own page and spins up a thread that keeps toggling that page's protection between VM_PROT_NONE and VM_PROT_READ|VM_PROT_EXECUTE, while repeatedly spawning threads that try to execute the undefined instruction. If the race windows align, a thread executes the undefined instruction, but by the time the SLEH code tries to copyin the instruction the page is unmapped: the copyin fails and the exception message that comes back contains stale stack memory.

io_hideventsystem Vulnerability

io_hideventsystem is a MIG service which provides proxy access to various HID devices for untrusted clients. On iOS it is hosted by backboardd and on macOS by hidd; the actual implementation lives in IOKit.framework. It turns out that the userspace code for enqueuing to and dequeuing from an IODataQueue has none of the hardening that the kernel code now has, so it is trivial to replace the length, head and tail fields (which live in a header at the start of the shared memory buffer) such that the remote process tries to enqueue outside the bounds of the IODataQueue's actual backing buffer.
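What the missing hardening amounts to, as an added example (this is not IOKit's code and not the advisory's PoC): the struct layout below is the one declared in IOKit's public IODataQueueShared.h, but the two enqueue routines are a simplified model of a single enqueue path, and the 64-byte queue, the 64-byte neighbour region standing in for whatever the server has mapped after the buffer, and the tampered header values are all constructed. The trusting routine is steered past the backing buffer by a client-rewritten header; the checked routine keeps its own record of the capacity and refuses.

```c
/* Model of an IODataQueue enqueue that trusts the shared header (the
 * userspace IOKit.framework behaviour described above) beside one that
 * validates the header against a size the server keeps privately.
 * Added example; not IOKit code and not the advisory's PoC. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shared layout, as declared in IOKit's IODataQueueShared.h. */
typedef struct {
    uint32_t size;
    uint8_t  data[4];
} IODataQueueEntry;

typedef struct {
    uint32_t          queueSize;   /* bytes in queue[], excluding this header */
    volatile uint32_t head;
    volatile uint32_t tail;
    IODataQueueEntry  queue[1];
} IODataQueueMemory;

#define DATA_QUEUE_ENTRY_HEADER_SIZE  (sizeof(IODataQueueEntry) - 4)
#define DATA_QUEUE_MEMORY_HEADER_SIZE (sizeof(IODataQueueMemory) - sizeof(IODataQueueEntry))

/* Constructed arena: a 64-byte queue backing buffer followed by 64 bytes that
 * stand in for whatever the server process has mapped right after it. */
#define REAL_QUEUE_SIZE 64u
#define NEIGHBOUR_SIZE  64u
#define ARENA_SIZE (DATA_QUEUE_MEMORY_HEADER_SIZE + REAL_QUEUE_SIZE + NEIGHBOUR_SIZE)

/* Enqueue that believes queueSize, head and tail as found in shared memory.
 * Only the tail >= head, no-wrap path is modelled; the tampered header below
 * steers the write down that path. */
static bool enqueue_trusting(IODataQueueMemory *q, const void *data, uint32_t dataSize)
{
    uint32_t head = q->head, tail = q->tail;
    uint32_t entrySize = dataSize + DATA_QUEUE_ENTRY_HEADER_SIZE;

    if (tail >= head && tail + entrySize <= q->queueSize) {  /* all three fields attacker-writable */
        IODataQueueEntry *e = (IODataQueueEntry *)((uint8_t *)q->queue + tail);
        e->size = dataSize;
        memcpy(e->data, data, dataSize);
        q->tail = tail + entrySize;
        return true;
    }
    return false;
}

/* Same path, but the capacity comes from the server's own record of the
 * mapping size and head/tail are bounds-checked before a pointer is formed. */
static bool enqueue_checked(IODataQueueMemory *q, uint32_t trustedQueueSize,
                            const void *data, uint32_t dataSize)
{
    uint32_t head = q->head, tail = q->tail;
    uint32_t entrySize = dataSize + DATA_QUEUE_ENTRY_HEADER_SIZE;

    if (entrySize < dataSize) return false;                      /* 32-bit wrap */
    if (head > trustedQueueSize || tail > trustedQueueSize) return false;
    if (tail >= head && entrySize <= trustedQueueSize - tail) {
        IODataQueueEntry *e = (IODataQueueEntry *)((uint8_t *)q->queue + tail);
        e->size = dataSize;
        memcpy(e->data, data, dataSize);
        q->tail = tail + entrySize;
        return true;
    }
    return false;
}

/* Lets the "client" rewrite the header, then has the "server" enqueue one
 * 8-byte event. Returns -1 if the enqueue was refused, otherwise the number
 * of bytes that landed past the real backing buffer. */
static int tampered_enqueue(bool use_checked)
{
    uint8_t *arena = calloc(1, ARENA_SIZE);
    if (!arena) return -2;
    IODataQueueMemory *q = (IODataQueueMemory *)arena;
    uint8_t *neighbour = arena + DATA_QUEUE_MEMORY_HEADER_SIZE + REAL_QUEUE_SIZE;

    q->queueSize = REAL_QUEUE_SIZE;    /* honest header as the server set it up */
    q->head = 0;
    q->tail = 0;

    /* Untrusted client side of the mapping: tail now points 16 bytes past the
     * real buffer and queueSize claims there is room for anything. */
    q->queueSize = 0xFFFFFFF0u;
    q->tail = REAL_QUEUE_SIZE + 16;

    uint8_t event[8];
    memset(event, 0x41, sizeof event);
    bool ok = use_checked
        ? enqueue_checked(q, REAL_QUEUE_SIZE, event, sizeof event)
        : enqueue_trusting(q, event, sizeof event);

    int clobbered = 0;
    if (ok)
        for (uint32_t i = 0; i < NEIGHBOUR_SIZE; i++)
            if (neighbour[i] != 0) clobbered++;
    free(arena);
    return ok ? clobbered : -1;
}

int main(void)
{
    printf("trusting header: %d bytes written past the queue\n", tampered_enqueue(false));
    printf("checked header:  %d (enqueue refused)\n", tampered_enqueue(true));
    return 0;
}
```

The trusting routine writes the 4-byte size field plus the 8 event bytes at queue offset 80, i.e. 16 bytes into the neighbour region, which is the position the advisory's mach message occupies in the real layout. The checked routine never forms that pointer because tail exceeds the capacity it remembers on its own.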

UaF/Double-delete due to bad locking in Apple Intel GPU driver

This PoC file might look familiar; this bug is a trivial variant of CVE-2016-1744 (Apple bug id 635599405). That report showed the bug in the unmap_user_memory external methods; a variant also exists in the map_user_memory external methods. The Intel graphics drivers have their own hash table type, IGHashTable, which is not thread-safe. map_user_memory manipulates an IGHashTable without locking, leading to memory-safety issues (e.g. UaFs and/or double-frees). Tested on macOS 10.13.5 (17F77) on a MacBookPro10,1.

School ERP Ultimate 2018 – ‘fid’ SQL Injection

The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'fid' parameter to the '/[PATH]/student_staff/' script. A remote attacker can execute arbitrary SQL commands in the application's database, cause a denial of service condition or compromise a vulnerable system.

The Open ISES Project 3.30A – ‘tick_lat’ SQL Injection

The Open ISES Project 3.30A is vulnerable to SQL injection through the 'tick_lat' parameter of the 'nearby.php' script. An attacker can use this vulnerability to gain access to the database and extract sensitive information.

Audacity 2.3 – Denial of Service (PoC)

A denial of service vulnerability exists in Audacity 2.3 when a specially crafted WAV file is imported. The PoC is a Perl script that writes the crafted file as 'lock.wav'; opening this file in Audacity causes the application to lock up.

School ERP Ultimate 2018 – Arbitrary File Download

School ERP Ultimate 2018 is vulnerable to arbitrary file download. An attacker can download any file from the server by manipulating the 'document' parameter of download.php, which is present in both the student_staff and office_admin directories. For example, an attacker can retrieve /etc/passwd by sending a GET request to download.php with the 'document' parameter set to '../../../../../etc/passwd'.

MySQL Edit Table 1.0 – ‘id’ SQL Injection

MySQL Edit Table 1.0 is vulnerable to SQL injection in the 'id' parameter. An attacker can send a maliciously crafted HTTP request to the vulnerable application to execute arbitrary SQL commands in the back-end database. This can be exploited to manipulate or disclose arbitrary data in the back-end database.
