Cross-site scripting (XSS) vulnerability in plupoad flash component in jDownloads before 3.2.59 allows remote attackers to inject arbitrary web script.
A local buffer overflow vulnerability exists in CloudMe Sync v1.11.0 due to improper bounds checking of user-supplied data. An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable application. This can result in arbitrary code execution in the context of the application.
A vulnerability, which was classified as critical, has been found in Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5. This issue affects an unknown function of the file Licenseinformation.jsp of the component Access Restriction. The manipulation with an unknown input leads to a privilege escalation vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted are confidentiality, integrity, and availability.
A buffer overflow vulnerability exists in Zortam Mp3 Media Studio version 23.45. By crafting a malicious string and pasting it into the directory field of the 'Add Disk to Mp3 Library' feature, an attacker can cause a stack-based buffer overflow, resulting in arbitrary code execution.
A vulnerability in Microsoft Edge Content Process (MicrosoftEdgeCP.exe) allows an attacker to bypass Address Space Layout Randomization (ASLR) and tamper with another MicrosoftEdgeCP.exe process in such a way that it never enables ACG. This can be done by OpenProcess() and calling a single WriteProcessMemory() with a known address. This allows the attacker to further tamper with the process and get it to allocate executable memory and run arbitrary payload either in process A or process B.
The fix for CVE-2017-11830 is insufficient to prevent a normal user application adding a cached signing level to an unsigned file by exploiting a TOCTOU in CI leading to circumventing Device Guard policies. The fix was to add a check that the target file passed isn’t writable. However, when the file handle is converted to a file object with ObReferenceObjectByHandle the desired access is 0, which means we can pass a handle with any granted access including SYNCHRONIZE or READ_CONTROL, which do not respect file sharing. So we can still exploit this issue by doing the following: 1. Open the file for write access. 2. Reopen another handle to the file for SYNCHRONIZE access. 3. Set cached signing level through the handle opened in 2. 4. Wait for oplock, rewrite file using handle opened in 1. Release oplock.
We have discovered that the nt!NtQueryVirtualMemory system call invoked with the MemoryImageInformation (0x6) information class discloses uninitialized kernel stack memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 8 to 10. The layout of the corresponding output buffer is unknown to us; however, we have determined that an output size of 24 bytes is accepted. At the end of that memory area, 4 uninitialized bytes from the kernel stack can be leaked to the client application. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
The nt!NtQueryVirtualMemory system call invoked with the MemoryBasicInformation (0x0) and MemoryPrivilegedBasicInformation (0x8) information classes discloses uninitialized kernel stack memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. Both information classes appear to return the same output structure, MEMORY_BASIC_INFORMATION. On x64 builds, the compiler introduces 4 bytes of padding between the 'AllocationProtect' and 'RegionSize' fields, in order to align the latter to an 8-byte boundary. Furthermore, 4 extra unused bytes are also added at the end of the structure, in order to align its size to an 8-byte boundary. None of these 8 unused bytes are initialized in the kernel's local copy of the structure, and so they are returned to the user-mode caller in this undefined form.
The nt!NtQueryInformationProcess system call invoked with the ProcessImageFileName (0x1B) information class discloses uninitialized kernel memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. According to the ZwQueryInformationProcess function documentation, the ProcessImageFileName information class returns a UNICODE_STRING structure containing the name of the image file for the specific process. On x64 builds, the compiler introduces 4 bytes of padding between the 'MaximumLength' and 'Buffer' fields, in order to align the 'Buffer' pointer to an 8-byte boundary. These padding bytes are never initialized in the kernel's local copy of the structure, and so they are returned to the user-mode caller in this form. The problem is best illustrated by running the attached proof-of-concept program, which invokes the nt!NtQuerySystemInformation syscall with the affected information class and prints the contents of the output buffer on the screen.
The nt!NtQueryInformationTransactionManager system call invoked with the TransactionManagerRecoveryInformation (4) information class may disclose uninitialized kernel pool memory to user-mode clients. The vulnerability affects Windows 7 to 10, 32/64-bit. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.