The nt!NtGdiEngCreatePalette system call discloses large portions of uninitialized kernel stack memory to user-mode clients. This occurs when palettes are created in the PAL_INDEXED mode with up to 256 colors and a temporary stack-based buffer is used without first being zeroed. The uninitialized memory is treated as valid palette colors, so the resulting palette is populated with leftover kernel stack contents, which can subsequently be read back using the GetPaletteEntries() API.
The nt!NtRemoveIoCompletion system call handler discloses 4 bytes of uninitialized pool memory to user-mode clients on 64-bit platforms. The bug occurs when passing the IO_STATUS_BLOCK structure back to user-mode, where the upper 32 bits of the 'Pointer' field remain uninitialized if only the 'Status' field is initialized. The nt!NtRemoveIoCompletion system call copies the entire structure back to user-mode, revealing the uninitialized memory.
The nt!NtGdiGetPhysicalMonitorDescription system call in Windows 7 to Windows 10 discloses uninitialized kernel stack memory to user-mode clients. The syscall copies a stack-based array of 256 bytes to the caller, but typically only a small portion of the buffer is used to store the requested monitor description, leaving the rest uninitialized. This uninitialized memory region contains sensitive information such as addresses of executable images, kernel stack, kernel pools, and stack cookies.
This exploit allows an attacker to bind a TCP shell to a specific port on a Windows system. The exploit targets the shell32.dll library and is specifically designed for Windows XP.
This exploit allows an attacker to perform Cross-Site Request Forgery attacks on DigiAffiliate version 1.4. The attacker can update the admin account by sending a crafted request to the user_save.asp endpoint.
The Digirez 3.4 application is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can exploit this vulnerability to update user and admin accounts without proper authentication.
The Ncaster 1.7.2 script is vulnerable to remote code execution due to improper validation of the 'adminfolder' parameter in the 'archive.php' file. An attacker can exploit this vulnerability by injecting a shell command in the 'adminfolder' parameter, leading to arbitrary code execution.
This module exploits a buffer overflow vulnerability found in libpal.dll of Disk Pulse Server v2.2.34. The overflow is triggered when sending an overly long 'GetServerInfo' request to the service listening on port 9120.
The nhrp-dos exploit allows an attacker to cause a denial of service by sending malicious packets to a Cisco router that is using the Next Hop Resolution Protocol (NHRP). This vulnerability is identified by the Cisco bug ID CSCin95836. NHRP is a protocol used by a source host or router to determine the next hop towards the destination in a Non-Broadcast Multi-Access (NBMA) subnetwork. The exploit targets the NHRP functionality of Cisco routers and can disrupt network connectivity.
This module exploits a stack-based buffer overflow found in EMC Alphastor Library Manager version < 4.0 build 910. The overflow is triggered because the data passed to two strcpy() calls is copied without any sanitization or length check.