281 matches found
Adobe Flash TextField.setFormat - Use-After-Free
Adobe Flash TextField.setFormat - Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=586 The TextField setFormat method contains a use-after-free. If an integer parameter has valueOf defined, or the object parameter overrides a constructor, this method can...
Adobe Flash TextField.text Setter - Use-After-Free
Adobe Flash TextField.text Setter - Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=576 There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's...
Adobe Flash MovieClip.attachBitmap - Use-After-Free
Adobe Flash MovieClip.attachBitmap - Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=593 There is a use-after-free in MovieClip.attachBitmap. If the depth parameter is an object with valueOf defined, this method can free the MovieClip, which is then used...
Adobe Flash MovieClip.localToGlobal - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=570 There is a use-after-free issue in MovieClip.localToGlobal. If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get...
Adobe Flash MovieClip.startDrag - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=592 There is a use-after-free in MovieClip.startDrag. If a parameter an object with valueOf defined, this method can free the MovieClip, which is then used. A minimal POC follows: this.createEmptyMovieClip"mc", 1;...
Adobe Flash MovieClip.duplicateMovieClip - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=591 There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or movie name parameter provided is an object with toString or valueOf defined, this method can free the MovieClip, which is then used. A minimal...
Adobe Flash TextField.setFormat - Use-After-Free
Exploit for windows platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=586 The TextField setFormat method contains a use-after-free. If an integer parameter has valueOf defined, or the object parameter overrides a constructor, this method ca...
win32k Desktop and Clipboard - Null Pointer Dereference
win32k Desktop and Clipboard - Null Pointer Dereference Source: https://code.google.com/p/google-security-research/issues/detail?id=534 The attached PoC triggers a null pointer condition on Windows 7 32-bit, which can potentially be exploited on versions of Windows that allow mapping the null pag...
Adobe Flash TextField.antiAliasType Setter - Use-After-Free
Adobe Flash TextField.antiAliasType Setter - Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=560 There is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will...
Adobe Flash TextField.antiAliasType Setter - Use-After-Free
Exploit for windows platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=560 There is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will be writt...
Rar - CmdExtract::UnstoreFile Integer Truncation Memory Corruption
Source: https://code.google.com/p/google-security-research/issues/detail?id=550 The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize earl...
Debian DSA-3397-1 : wpa - security update
Several vulnerabilities have been discovered in wpasupplicant and hostapd. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2015-4141 Kostya Kortchinsky of the Google Security Team discovered a vulnerability in the WPS UPnP function with HTTP chunked...
Microsoft Windows Kernel - Brush Object Use-After-Free (MS15-061)
Microsoft Windows Kernel - Brush Object Use-After-Free MS15-061 Source: https://code.google.com/p/google-security-research/issues/detail?id=304 Creating a device context with the flag DCXNORESETATTRS and selecting a brush object into the device context will result in the brush being freed on...
Apple Mac OSX Regex Engine (TRE) - Integer Signedness / Overflow
Source: https://code.google.com/p/google-security-research/issues/detail?id=429 The OS X regex engine function tretnfarunparallel contains the following code: int tbytes; ... if !matchtags numtags = 0; else numtags = tnfa-numtags; ... int rbytes, pbytes, totalbytes; char tmpbuf; / Compute the...
Adobe Flash - Pointer Crash in Drawing and Bitmap Handling
Adobe Flash - Pointer Crash in Drawing and Bitmap Handling Source: https://code.google.com/p/google-security-research/issues/detail?id=396&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id A nasty looking crash is manifesting in various different ways under fuzzing, apparentl...
Adobe Flash AS2 - Color.setRGB Use-After-Free
Adobe Flash AS2 - Color.setRGB Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=367&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id Deadline tracking for Chromium VRP bug https://code.google.com/p/chromium/issues/detail?id=484610...
Adobe Flash - Pointer Crash in Button Handling
Adobe Flash - Pointer Crash in Button Handling Source: https://code.google.com/p/google-security-research/issues/detail?id=399&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id The attached sample, signalsigsegv7ffff60a14299554f4dc661554237404dfe394d4c6c3e674.swf, crashes in...
Microsoft Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076)
Source: https://github.com/monoxgas/Trebuchet Trebuchet MS15-076 CVE-2015-2370 Privilege Escalation Copies a file to any privileged location on disk Compiled with VS2015, precompiled exe in Binary directory Usage: trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll This is a lightly...
DLA-231-1 dulwich - security update
Bulletin has no description...
FreeBSD : suricata -- TLS/DER Parser Bug (DoS) (fe910ed6-f88d-11e4-9ae3-0050562a4d7b)
OISF Development Team reports : The OISF development team is pleased to announce Suricata 2.0.8. This release fixes a number of issues in the 2.0 series. The most important issue is a bug in the DER parser which is used to decode SSL/TLS certificates could crash Suricata. This issue was reported ...