Trend Micro Deep Discovery suffers from multiple CSRF vectors, allowing an authenticated user to modify various settings of the application.
The Olbookmarks 0.7.4 version is vulnerable to multiple Remote File Inclusion (RFI) attacks. An attacker can exploit these vulnerabilities by injecting malicious code via the 'root' parameter in various PHP files.
The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods. However, by racing two threads, one of which closes the userclient (which frees the IOCommandGate) and one of which tries to make an external method call, we can cause a use-after-free of the IOCommandGate.
The attached fuzz case causes a crash in shape rendering.
External Method 36 of IOUSBInterfaceUserClient is _AbortStreamPipe. It takes two scalar inputs and uses the second one as an array index to read a pointer to a C++ object without checking the bounds then calls a virtual method on it. Furthermore there's no check that the array pointer is non-null; if it is then we can get a controlled offset-from-zero read; since our controlled dword will be multiplied by 8 to index the array this means we can easily get the kernel to dereference a controllable userspace address. In this case a value of 0xf0f0f0f0 leads to the kernel reading an IOKit object pointer from 0x787878780. This poc maps that page to demonstrate control of a kernel object pointer.
The x86 emulator component of Comodo Antivirus is vulnerable to a heap overflow due to an integer overflow in the MSVBVM60!rtcLowerCaseVar emulated routine. By providing a maliciously crafted length parameter, an attacker can overwrite the trusted heap buffer and potentially execute arbitrary code.
The bug is triggered when a malformed file is fed to tshark, causing a static memory out-of-bounds write in the dissect_ber_integer function of packet-ber.c. This leads to a global-buffer-overflow error.
In COleMemFile::LoadDiFatList, values from the header are used to parse the document FAT. If header.csectDif is very high, the calculation overflows and a very small buffer is allocated. The document FAT is then memcpy'd onto the buffer directly from the input file being scanned, resulting in a heap overflow.
The LZMA decompression algorithm used by Comodo does not properly handle parameters outside the specified range, leading to memory corruption. This can be exploited remotely to achieve code execution as NT AUTHORITY\SYSTEM.
The Comodo Antivirus attempts to unpack the Packman executable packer. If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. This leads to various crashes and allows an attacker to free an arbitrary pointer, leading to code execution as NT AUTHORITY\SYSTEM.