External Method 36 of IOUSBInterfaceUserClient is _AbortStreamPipe. It takes two scalar inputs and uses the second one as an array index to read a pointer to a C++ object without checking the bounds, then calls a virtual method on it. Furthermore, there's no check that the array pointer is non-null; if it is null, we get a controlled offset-from-zero read. Since our controlled dword is multiplied by 8 to index the array, this means we can easily get the kernel to dereference a controllable userspace address. In this case a value of 0xf0f0f0f0 leads to the kernel reading an IOKit object pointer from 0x787878780. This PoC maps that page to demonstrate control of a kernel object pointer.
The x86 emulator component of Comodo Antivirus is vulnerable to a heap overflow due to an integer overflow in the MSVBVM60!rtcLowerCaseVar emulated routine. By providing a maliciously crafted length parameter, an attacker can overwrite the trusted heap buffer and potentially execute arbitrary code.
The exploit occurs when a malformed file is fed to tshark, causing a static memory out-of-bounds write in the dissect_ber_integer function of packet-ber.c. This leads to a global-buffer-overflow error.
In COleMemFile::LoadDiFatList, values from the header are used to parse the document FAT. If header.csectDif is very high, the calculation overflows and a very small buffer is allocated. The document FAT is then memcpy'd onto the buffer directly from the input file being scanned, resulting in a heap overflow.
The LZMA decompression algorithm used by Comodo does not properly handle parameters outside the specified range, leading to memory corruption. This can be exploited remotely to achieve code execution as NT AUTHORITY\SYSTEM.
Comodo Antivirus attempts to unpack the Packman executable packer. If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. This leads to various crashes and allows an attacker to free an arbitrary pointer, leading to code execution as NT AUTHORITY\SYSTEM.
This exploit targets WordPress version 2.1.3 and takes advantage of a SQL injection vulnerability in the "admin-ajax.php" file. The exploit allows an attacker to extract sensitive information from the WordPress database using a blind fishing technique. The exploit was written by Janek Vind "waraxe" and was published on May 21, 2007.
This is an exploit for the x86/OpenBSD ftp vulnerability. It allows an attacker to execute arbitrary code on the target system.
The x86 emulator in Comodo Antivirus can be exploited by triggering emulation through methods like sending an email or visiting a website. The emulator has memory corruption issues and also implements shims for Win32 API calls, some of which run as NT AUTHORITY\SYSTEM. One example is the USER32!GetKeyState shim.
This exploit allows remote attackers to execute arbitrary code on the target server.