1109 matches found
WebKit - WebAssembly Compilation Info Leak
arrayBufferView->vector() : static_cast<…>(arrayBuffer->impl()->data()); If the source buffer is a view (DataView or TypedArray), arrayBufferView->vector() is returned. The vector() method returns the start of the data in the buffer, including any offset. However, the functio...
CVE-2018-4222
An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit"...
AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass
======== Intro / Overview ======== After Michael Schwarz made some interesting observations, we started looking into variants other than the three already-known ones. I noticed that Intel's Optimization Manual says in section 2.4.4.5 "Memory Disambiguation": A load instruction micro-op may depe...
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge
Posted by Ivan Fratric, Project Zero. With Windows 10 Creators Update, Microsoft introduced a new security mitigation in Microsoft Edge: Arbitrary Code Guard (ACG). When ACG is applied to a Microsoft Edge Content Process, it makes it impossible to allocate new executable memory within a process or...
Fedora 26 : php (2018-6071a600e8)
PHP version 7.1.17 (26 Apr 2018) Date: - Fixed bug #76131 (mismatch arginfo for date_create). (carusogabriel) Exif: - Fixed bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (Stas) FPM: - Fixed bug #68440 (ERROR: failed to reload: execvp() failed: Argument list too long). (Jacob Hipps) - Fixe...
oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and...
oniguruma: Invalid pointer dereference in left_adjust_char_head()
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer...
Penetration Testers Framework: PTF
The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we’ve been accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all o...
Juniper Junos IDP Policy Compilation Packet Handling Firewall Rule Bypass Remote Information Disclosure (JSA10846)
According to its self-reported version number, the remote Junos device is affected by an information disclosure vulnerability. (C) Tenable Network Security, Inc. include("compat.inc"); if (description) { script_id(109212); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", ...
MDX Toolkit - error when wrapping android app - APKTool Error
MDX Toolkit version: 10.8.5 (on-prem and cloud). (This article explains how to fix the issue on the on-prem version.) When MDX Toolkit is trying to re-compile it shows the following error: "Re-compile the app using APKTool 2.3.1 and it fails". The complete log of the error is shown below: De-Compiling th...
Gobuster - Directory/File & DNS Busting Tool Written In Go
Gobuster is a tool used to brute-force: URIs (directories and files) in web sites. DNS subdomains (with wildcard support). Oh dear God.. WHY!? Because I wanted: 1. ... something that didn't have a fat Java GUI (console FTW). 2. ... to build something that just worked on the command line. 3. ... somethi...
Easy Windows and Linux cross-compilers for macOS
tl;dr: you can install cross-compiler toolchains to compile C/C++ for Windows or Linux from macOS with these two Homebrew Formulas. brew install FiloSottile/musl-cross/musl-cross brew install mingw-w64 Cross-compiling C and C++ is dreadful. While in Go you just need to set an environment variable...
QuarkslaB Dynamic binary Instrumentation: QBDI
QuarkslaB Dynamic binary Instrumentation (QBDI) is a modular, cross-platform and cross-architecture DBI framework. It aims to support Linux, macOS, Android, iOS and Windows operating systems running on x86, x86-64, ARM and AArch64 architectures. Information about what a DBI framework is and how QBD...
Microsoft Windows jscript!RegExpComp::Compile Heap Overflow Exploit
There is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors. Windows: Heap overflow in jscript!RegExpComp::Compile through IE or local network via WPAD (CVE-2017-11890). There is a heap overflow in jscript.dll when compiling a...
Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation
I recently blogged about how the installation process of version 5.0.0 of this plugin could be hijacked by a local attacker or malware in order to escalate privileges to root. Hashicorp pushed some mitigations for this issue fairly quickly but unfortunately 5.0.1 is still exploitable with a...
WebDavC2 - A WebDAV C2 Tool
WebDavC2 is a PoC of using the WebDAV protocol with PROPFIND-only requests to serve as a C2 communication channel between an agent, running on the target system, and a controller acting as the actual C2 server. Architecture: WebDavC2 is composed of: a controller, written in Python, which acts as t...
Microsoft Edge Chakra JIT - BailOutOnTaggedValue Bailouts Type Confusion
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364 1. In Chakra's JIT compilation process, it stores variables' type information by basic block. function opt(b) { let o; if (b) { // BASIC BLOCK a
o = …; } else...
DR.CHECKER - A Soundy Vulnerability Detection Tool for Linux Kernel Drivers
DR.CHECKER: A Soundy Vulnerability Detection Tool for Linux Kernel Drivers. Tested on Ubuntu >= 14.04.5 LTS. 1. Setup: The implementation is based on LLVM, specifically LLVM 3.8. We also need tools like c2xml to parse headers. First, make sure that you have libxml, required for c2xml: sudo apt-get...
Excalibur - An Eternalblue exploit payload based Powershell
Excalibur is an Eternalblue exploit based "Powershell" for the Bashbunny project. Its purpose is to reflect on how a "simple" USB drive can execute the 7 cyber kill chain. Excalibur may be used for demonstration purposes only, and the developers are not responsible for any misuse or illegal...
Design/Logic Flaw
The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges...