Lucene search
324 matches found

Exploit DB
added 2017/06/21 12:0 a.m., 45 views

Microsoft Windows - 'IOCTL_DISK_GET_DRIVE_LAYOUT_EX' Kernel partmgr Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1159 We have discovered that the handler of the IOCTL_DISK_GET_DRIVE_LAYOUT_EX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients. The issue can be reproduced by running the attached...

AI score: 7.4, Exploits: 0

Exploit DB
added 2017/06/21 12:0 a.m., 25 views

Microsoft Windows - 'win32k!NtGdiEnumFonts' Kernel Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1153 We have discovered that the win32k!NtGdiEnumFonts system call handler discloses very large portions of uninitialized pool memory to user-mode clients. The issue can be reproduced by running the attached proof-of-concept progra...

AI score: 7.4, Exploits: 0

Openbugbounty
added 2017/06/15 4:9 p.m., 14 views

singaporepools.com.sg XSS vulnerability

Vulnerable URL: http://www.singaporepools.com.sg/en/product/Pages/4dresults.aspx?FollowSite=0=%27-confirm/OPENBUGBOUNTY/-%27 Details: Patched: No; Latest check for patch: 10.09.2017; Vulnerability type: XSS; Vulnerability status: Publicly disclosed; Alexa Rank: 25026; VI...

AI score: 6.3, Exploits: 0

0day.today
added 2017/05/16 12:0 a.m., 90 views

Microsoft Windows 10 Kernel - nt!NtTraceControl (EtwpSetProviderTraits) Pool Memory Disclosure Explo

Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1161 We have discovered that the handler of the nt!NtTraceControl system call (specifically the EtwpSetProviderTraitsUm functionality, opcode 0x1E) discloses portions of...

CVSS: 1.9, AI score: 6.2, EPSS: 0.09659, Exploits: 1

exploitpack
added 2017/05/15 12:0 a.m., 12 views

Microsoft Windows 7 Kernel - Uninitialized Memory in the Default dacl Descriptor of System Processes Token

Microsoft Windows 7 Kernel - Uninitialized Memory in the Default dacl Descriptor of System Processes Token / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1145 We have observed on Windows 7 32-bit that for unclear reasons, the kernel-mode structure containing the default DACL ...

AI score: 7.3, Exploits: 0

Exploit DB
added 2017/05/15 12:0 a.m., 28 views

Microsoft Windows 10 Kernel - 'nt!NtTraceControl (EtwpSetProviderTraits)' Pool Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1161 We have discovered that the handler of the nt!NtTraceControl system call (specifically the EtwpSetProviderTraitsUm functionality, opcode 0x1E) discloses portions of uninitialized pool memory to user-mode clients on Windows 10...

AI score: 7.4, Exploits: 0

0day.today
added 2017/04/13 12:0 a.m., 81 views

Microsoft Windows Kernel win32k.sys - Multiple Bugs in the NtGdiGetDIBitsInternal System Call Exploi

Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1078 We have discovered two bugs in the implementation of the win32k!NtGdiGetDIBitsInternal system call, which is a part of the graphic subsystem in all modern versions of Windows...

CVSS: 1.9, AI score: 6.5, EPSS: 0.03655, Exploits: 2

Microsoft KB
added 2017/01/07 12:0 a.m., 41 views

MS10-040: Vulnerability in Internet Information Services could allow remote code execution

MS10-040: Vulnerability in Internet Information Services could allow remote code execution. Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information,...

AI score: 7.1, Exploits: 0

0day.today
added 2016/11/16 12:0 a.m., 74 views

Microsoft Windows Kernel - Registry Hive Loading 'nt!RtlEqualSid' Out-of-Bounds Read (MS

Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=874 We have encountered a Windows kernel crash in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by nt!CmpCheckSecurityCellAccess while loading corrupted registry hiv...

CVSS: 2.1, AI score: 6.3, EPSS: 0.04142, Exploits: 1

exploitpack
added 2016/11/15 12:0 a.m., 10 views

Microsoft Windows Kernel - Registry Hive Loading nt!RtlEqualSid Out-of-Bounds Read (MS16-138)

Microsoft Windows Kernel - Registry Hive Loading nt!RtlEqualSid Out-of-Bounds Read (MS16-138) Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=874 We have encountered a Windows kernel crash in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by...

AI score: 7.4, Exploits: 0

Openbugbounty
added 2016/09/16 10:35 a.m., 12 views

endlesspools.com XSS vulnerability

Vulnerable URL: http://www.endlesspools.com/endless-pool-pricing.php?form=28052%22%3E%3Cscript%3Ealert%27OPENBUGBOUNTY%27%3C/script%3E Details: Patched: Yes, at 28.07.2017; Latest check for patch: 28.07.2017 11:15 GMT; Vulnerability type: XSS; Vulnerability status:...

AI score: 6.3, Exploits: 0

CNVD
added 2016/06/05 12:0 a.m., 2 views

LXD Container Data Read Vulnerability

LXD is a container for managing applications on Linux-based systems. LXD fails to properly set permissions when creating ZFS pool-based loops, allowing a local attacker to exploit the vulnerability to copy and read data from arbitrary LXD containers...

CVSS: 5.5, AI score: 6.7, EPSS: 0.00303, Exploits: 0, References: 1

0day.today
added 2016/04/28 12:0 a.m., 91 views

Microsoft Windows - Kernel win32k.sys TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)

Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=684 We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example of a crash log excerpt generated after triggering the...

CVSS: 9.3, AI score: 8.6, EPSS: 0.43272, Exploits: 1

Exploit DB
added 2016/04/28 12:0 a.m., 46 views

Microsoft Windows Kernel - 'win32k.sys' TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=684 We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example of a crash log excerpt generated after triggering the bug is shown below: --- BAD_POOL_HEADER (19) The pool ...

AI score: 7, Exploits: 0

Tenable Nessus
added 2016/02/17 12:0 a.m., 99 views

CentOS 7 : glibc (CESA-2016:0176)

Updated glibc packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are...

CVSS: 8.1, AI score: 8.2, EPSS: 0.89557, Exploits: 17, References: 4

RedHat Linux
added 2016/02/16 3:39 p.m., 84 views

Critical: Red Hat Security Advisory: glibc security and bug fix update

Updated glibc packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are...

CVSS: 8.1, AI score: 7.7, EPSS: 0.89557, Exploits: 17, References: 5

seebug.org
added 2015/09/25 12:0 a.m., 14 views

Windows win32k.sys TTF Font Processing win32k!fsc_RemoveDups Out-of-Bounds Pool Memory Access

Source: https://code.google.com/p/google-security-research/issues/detail?id=401&can=1 We have encountered a Windows kernel crash in the win32k!fsc_RemoveDups function while processing corrupted TTF font files, such as: --- PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This canno...

AI score: 6.7, Exploits: 0

0day.today
added 2015/08/21 12:0 a.m., 73 views

Windows ATMFD.DLL Out-of-Bounds Read Due to Malformed Name INDEX in the CFF Table Exploit

Exploit for windows platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=386&can=1 We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as: ---...

CVSS: 9.3, EPSS: 0.36366, Exploits: 5

Exploit DB
added 2015/08/21 12:0 a.m., 30 views

Microsoft Windows - 'win32k.sys' TTF Font Processing win32k!fsc_BLTHoriz Out-of-Bounds Pool Write

Source: https://code.google.com/p/google-security-research/issues/detail?id=402&can=1 We have encountered a Windows kernel crash in the win32k!fsc_BLTHoriz function while processing corrupted TTF font files, such as: --- DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6) N bytes of memory was allocated and...

AI score: 7.4, Exploits: 0

Exploit DB
added 2015/08/21 12:0 a.m., 28 views

Microsoft Windows - 'ATMFD.DLL' Out-of-Bounds Read Due to Malformed Name INDEX in the CFF Table

Source: https://code.google.com/p/google-security-research/issues/detail?id=386&can=1 We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as: --- DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5) Memory was referenced after it...

AI score: 7.4, Exploits: 0