Lucene search

8293 matches found

Hacker One
added 2017/01/12 12:50 a.m., 18 views

shopify-scripts: SIGSEGV - mrb_vm_exec - line:1681

PoC: ------------------- The following code triggers the bug attached as testmrbvmexec1681.rb: def try yield ensure yield end a=lambda do a.try do return end end.call Mirb - Debug: ------------------- gdb r testmrbvmexec1678.rb The program being debugged has been started already. Start it from th...

AI score: 7
Exploits: 0

Hacker One
added 2017/01/06 8:17 p.m., 18 views

shopify-scripts: SIGSEGV - mrb_vm_exec - vm.c in line:1272

PoC: ------------------- The following code triggers the bug attached as testmrbvmexec1272.rb: a,a,a,a=0,def e end a Sandbox: ------------------- x@x:/Desktop/research/mruby-engine/bin$ ./sandbox testmrbvmexec1272.rb ./sandbox:20: BUG Segmentation fault at 0x00000000000018 ruby 2.2.6p396 2016-11-...

Exploits: 0

ThreatPost
added 2017/01/06 4:3 p.m., 37 views

Google Patches Android 'Custom Boot Mode' Vulnerability

A high-risk Android custom boot mode vulnerability was one of many bugs patched by Google as part of its January Android Security Bulletin released earlier this week. On Thursday, the IBM security team that discovered the vulnerability disclosed details about the flaw which leaves Nexus 6 and 6P...

CVSS: 4.9, AI score: 1.6, EPSS: 0.00109
Exploits: 2, References: 7

CNVD
added 2017/01/06 12:0 a.m., 2 views

Linux kernel local integer overflow vulnerability (CNVD-2017-00226)

The Linux kernel is the kernel used by the operating system Linux, released by the Linux Foundation in the United States. The 'ringbufferresize' function in the kernel/trace/ringbuffer.c file of the profiling subsystem in versions of the Linux kernel prior to 4.6.1 has a security vulnerability du...

CVSS: 7.8, AI score: 8.6, EPSS: 0.00042
Exploits: 1, References: 1

OSV
added 2017/01/05 11:59 a.m., 2 views

DEBIAN-CVE-2016-9754

The ringbufferresize function in kernel/trace/ringbuffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffersizekb file...

CVSS: 7.8, AI score: 6.7, EPSS: 0.00042
Exploits: 1, References: 1

CVE
added 2017/01/05 11:0 a.m., 81 views

CVE-2016-9754

CVE-2016-9754 affects the Linux kernel’s ring_buffer_resize in the profiling subsystem, where integer calculations in ring_buffer.c before 4.6.1 allow a local user to gain privileges by writing to /sys/kernel/debug/tracing/buffer_size_kb. The issue is fixed in kernel 4.6.1 and later. Affected pro...

CVSS: 7.8, AI score: 7.3, EPSS: 0.00042
Exploits: 1, References: 5, Affected Software: 1

FireEye
added 2017/01/04 2:2 p.m., 42 views

FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...

CVSS: 7.2, AI score: 7.8, EPSS: 0.77331
Exploits: 10, References: 4

Citrix
added 2017/01/03 12:0 a.m., 4 views

How to Enable Debug Logging on Workspace Environment Management Agent manually, if no connectivity to Broker exists

The Workstation Environment Management Agent and related service feature an optional debug level of logging. This additional level of logging is significantly more verbose than the standard logging levels and is disabled by default and only enabled to troubleshoot specific issues. Under normal...

AI score: 7.1
Exploits: 0

Hacker One
added 2016/12/24 12:36 a.m., 30 views

shopify-scripts: SIGSEGV - kh_resize_iv - Null Deref

PoC --------------------- The following code triggers the bug attached as khresizeiv.rb: l t'',''doend s'',''do.end d t''do.end a=Array.new a.=102,0 € s a.tos a a.tos a.i Debug - mirb --------------------- gdb r khresizeiv.rb Starting program: /home/x/Desktop/research/mruby/bin/mirb khresizeiv.rb...

AI score: 0.7
Exploits: 0

RedhatCVE
added 2016/12/21 8:17 p.m., 28 views

CVE-2016-9595

A flaw was found in katello-debug where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files...

CVSS: 7.3, AI score: 6.1, EPSS: 0.00042
Exploits: 0, References: 1

CNVD
added 2016/12/21 12:0 a.m., 1 views

foreman-debug local information disclosure vulnerability

Foreman is a set of lifecycle management tools for use in physical and virtual servers. The tool provides features such as service provisioning, configuration management, and status reporting. A local information disclosure vulnerability exists in foreman-debug. An attacker could exploit the...

CVSS: 8.8, AI score: 5.7, EPSS: 0.00218
Exploits: 0, References: 1

Hacker One
added 2016/12/20 12:50 a.m., 18 views

shopify-scripts: kh_get_n2s() stack overrun

Defining recursive classes could lead to a stack overrun in khgetn2s, POC ===================== With this code we can achieve a stack overflow classProc class P classProc class P class P t end end end end end Debug analysis ===================== simo@vlab64:/sources/mruby/bin/mruby/% cat CR1.rb |...

AI score: 2.9
Exploits: 0

exploitpack
added 2016/12/20 12:0 a.m., 27 views

Java Debug Wire Protocol (JDWP) - Remote Code Execution

Java Debug Wire Protocol JDWP - Remote Code Execution !/usr/bin/python Universal JDWP shellifier @hugsy And special cheers to @lanjelot import socket import time import sys import struct import urllib import argparse JDWP protocol variables HANDSHAKE = "JDWP-Handshake" REQUESTPACKETTYPE = 0x00...

AI score: 0.6
Exploits: 0

OSV
added 2016/12/09 8:59 p.m., 2 views

ALPINE-CVE-2016-9014

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWEDHOSTS...

CVSS: 8.1, AI score: 7, EPSS: 0.03671
Exploits: 0, References: 1

OSV
added 2016/12/09 8:59 p.m., 2 views

PYSEC-2016-18

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWEDHOSTS...

CVSS: 8.1, AI score: 7.2, EPSS: 0.03671
Exploits: 0, References: 7

Citrix
added 2016/12/08 12:0 a.m., 5 views

XenMobile: Error during enrollment "could not connect to the server"

During the enrollment for iOS devices you receive the error "Could not connect to the server" during the installation of the Profiles. In the XMS Server debug logs we would see: "UserDeviceLimitExceededException"...

AI score: 7.2
Exploits: 0

Citrix
added 2016/12/07 12:0 a.m., 5 views

XenMobile Domain users unable to authenticate - LDAP response read timed out, timeout used

If domain users or admins are failing to authenticate to XenMobile, verify if the following error appears in the debug log 2016-04-05T10:25:50.128+0000 | 5EAF1FBBC192FC0D | WARN | http-nio-10080-exec-77 | com.sparus.nps.apple.security.AuthUtils | Forcing LDAP auth: cannot refresh user data:...

AI score: 7
Exploits: 0

Japan Vulnerability Notes
added 2016/12/02 5:44 a.m., 0 views

WNC01WH vulnerable to enabling debug option

Overview WNC01WH provided by BUFFALO INC. is a network camera. WNC01WH contains an enabling debug option vulnerability. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warnin...

CVSS: 8.8, AI score: 6.5, EPSS: 0.0051
Exploits: 0, References: 5

Japan Vulnerability Notes
added 2016/12/02 12:0 a.m., 36 views

JVN#40613060: Multiple vulnerabilities in WNC01WH

WNC01WH provided by BUFFALO INC. is a network camera. WNC01WH contains multiple vulnerabilities listed below. Denial-of-service DoS - CVE-2016-7821 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H| Base Score: 6.5 CVSS v2| AV:N/AC:H/Au:N/C:N/I:N/A:C| Base...

CVSS: 8.8, AI score: 6.5, EPSS: 0.0427
Exploits: 0

Hacker One
added 2016/12/01 11:47 a.m., 18 views

shopify-scripts: Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox

Introduction ============ Certain invalid Ruby programs which should normally raise a syntax error are able to cause an infinite loop in MRuby's parser which makes the mruby-engine sandbox and consequently the MRI process it is running in unresponsive to SIGTERM. The process begins looping foreve...

AI score: 7.3
Exploits: 0