
Explore Vulnerabilities


Explore all Exploits:

Floppy Disk Recalibration Vulnerability

A buffer overflow vulnerability exists in the fd_recalibrate() function of the floppy disk driver in Linux kernel versions 2.4.x and 2.6.x. The vulnerability is caused by the lack of proper bounds checking when writing to the floppy disk drive. An attacker can exploit this vulnerability by sending a specially crafted request to the floppy disk driver, resulting in a buffer overflow and potentially allowing the execution of arbitrary code.

POC of CVE-2018-0114 Cisco node-jose <0.11.0

This exploit is a proof of concept for CVE-2018-0114, which is an authentication bypass vulnerability in Cisco node-jose versions <0.11.0. The exploit is written in Python 3 and takes two arguments: a payload and a key size. It creates an RSA key pair, assembles a header and payload, creates a signature, and then generates a JWT. The JWT can then be used to bypass authentication.

Coship RT3052 Wireless Router – Persistent Cross Site Scripting (XSS)

A persistent Cross Site Scripting (XSS) vulnerability exists in the Coship RT3052 Wireless Router. An attacker can inject malicious JavaScript code into the Network Name (SSID) field of the router's web interface; the injected code is executed whenever the web interface renders that field. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.

Windows: Desktop Bridge Virtual Registry NtLoadKey Arbitrary File Read/Write EoP

The handling of the virtual registry NtLoadKey callback reloads registry hives insecurely, leading to arbitrary file creation and resulting in EoP. On 1703 it doesn't check for the Application Key flag, but then recalls ZwLoadKey with the arguments passed by the user-mode caller. This effectively allows you to circumvent the requirement for SeRestorePrivilege, as it will also create a new hive file with kernel privileges in the context of the current user. This is a trivial EoP: drop an arbitrary file to disk, then obtain system privileges.

Memory Disclosure Vulnerability in Internet Explorer

There is a vulnerability in Internet Explorer that could potentially be used for memory disclosure. This was tested on IE11 running on Windows 7 64-bit with the latest patches applied. The proof of concept involves a script that uses the RegExp.input property to call the String.prototype.match method on a large string, which can result in pieces of memory being displayed.

Windows Kernel Memory Disclosure Vulnerability

We have discovered a new Windows kernel memory disclosure vulnerability in the creation and copying of an EXCEPTION_RECORD structure to user-mode memory while passing execution to a user-mode exception handler. The vulnerability affects 64-bit versions of Windows 7 to 10. In that structure, the entire "ExceptionInformation" array consisting of 15*8=120 bytes is left uninitialized and provided this way to the ring-3 client. As a result, running the attached proof-of-concept program reveals 120 bytes of kernel stack memory (set to the 0x41 marker with stack-spraying to illustrate the problem).

nt!NtQueryInformationThread System Call Disclosure Vulnerability

We have discovered that the nt!NtQueryInformationThread system call invoked with the 0 information class (ThreadBasicInformation) discloses portions of uninitialized kernel stack memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. The specific layout of the corresponding output buffer is unknown to us; however, we have determined that the output size is 48 bytes. At offset 4 of the data, 4 uninitialized bytes from the kernel stack are leaked to the client application. This is most likely caused by compiler-introduced alignment padding between the first and second fields of the structure (4 and 8 bytes long, respectively). This would also explain why the leak does not manifest itself on x86 builds, as the second field is 4 bytes long there and therefore must be aligned to 4 instead of 8 bytes. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.

nt!NtQueryVirtualMemory System Call Disclosure of Uninitialized Kernel Pool Memory

The nt!NtQueryVirtualMemory system call invoked with the 2 information class (MemoryMappedFilenameInformation) discloses portions of uninitialized kernel pool memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. The output buffer for this information class is a UNICODE_STRING structure followed by the actual filename string. The output data is copied back to user-mode memory under the following stack trace (on Windows 7 64-bit). On 64-bit builds, there is 4-byte padding between the "MaximumLength" and "Buffer" fields inserted by the compiler in order to align the "Buffer" pointer to 8 bytes. This padding is left uninitialized in the code and is copied in this form to user-mode clients, carrying over left-over data from the kernel pool.

Unauthenticated root RCE for Unitrends UEB 10.0

An SQLi + low-privilege remote RCE vulnerability is used to establish a low-privilege remote shell on the UEB 10 host. A local privesc exploit containing the desired command is uploaded to the host using this shell and executed. The initial low-privilege shell is then closed, and the local privesc script is deleted.