788 matches found
KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-002 Publication Date: 2014-07-18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt 1. Vulnerability Details Affected Vendor: Microsoft Affected Product: Bluetooth...
KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-003 Publication Date: 2014.07.18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt 1. Vulnerability Details Affected Vendor: Microsoft Affected Product: MQ Access Contr...
Microsoft Windows XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation
Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-002 Publication Date: 2014-07-18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt 1...
Microsoft Windows XP SP3 - 'BthPan.sys' Arbitrary Write Privilege Escalation
Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-002 Publication Date: 2014-07-18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt 1. Vulnerability Details Affected Vendor: Microsoft Affected Product: Bluetooth...
Microsoft Windows XP SP3 - 'MQAC.sys' Arbitrary Write Privilege Escalation
Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-003 Publication Date: 2014.07.18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt 1. Vulnerability Details Affected Vendor: Microsoft Affected Product: MQ Access Contr...
Oracle VirtualBox Guest Additions Arbitrary Write Privilege Escalation
Title: Oracle VirtualBox Guest Additions Arbitrary Write Privilege Escalation Advisory ID: KL-001-2014-001 Publication Date: 07.15.2014 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt 1. Vulnerability Details Affected Vendor: Oracle Affected Product: VirtualBox...
Linux 3.4+ - Arbitrary write with CONFIG_X86_X32
No description provided by source. Local root exploit for CVE-2014-0038. https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer passed from userspace. Exploit primitive: Pass a pointer to a kernel address as...
MW6 Technologies MaxiCode ActiveX (Data param) - Buffer Overflow
No description provided by source. Problem: The Data parameter is subject to a buffer overflow DEFINITELY leading to arbitrary code execution. COM Object - 2355C601-37D1-42B4-BEB1-03C773298DC8 MW6MaxiCode Class File...
Novell GroupWise Messenger <= 2.1.0 Arbitrary Memory Corruption
No description provided by source. Luigi Auriemma Application: Novell GroupWise Messenger http://www.novell.com/products/groupwise/ Versions: <= 2.1.0 Platforms: Windows, Linux, NetWare Bug: write4 Exploitation: remote, versus server Date: 16 Feb 2012 (found 10 May 2011) Author: Luigi Auriemma e-mai...
Linux kernel 3.4+ Arbitrary write with CONFIG_X86_X32
Exploit for linux platform in category local exploits. Local root exploit for CVE-2014-0038. https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer passed from userspace. Exploit primitive: Pass a pointer to ...
Linux Kernel 3.4 3.13.2 (Ubuntu 13.10) - CONFIG_X86_X32 Arbitrary Write (2)
Local root exploit for CVE-2014-0038. https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer passed from userspace. Exploit primitive: Pa...
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)
Local root exploit for CVE-2014-0038. https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer passed from userspace. Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg, if the...
Sandbox Escape: Linux 3.4+: arbitrary write with CONFIG_X86_X32
asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, unsigned int vlen, unsigned int flags, struct compat_timespec __user *timeout) { int datagrams; struct timespec ktspec; if (flags & MSG_CMSG_COMPAT) return -EINVAL; if (COMPAT_USE_64BIT_TIME) return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg,...
MW6 Technologies MaxiCode - ActiveX 'Data' Buffer Overflow (PoC)
Problem: The Data parameter is subject to a buffer overflow DEFINITELY leading to arbitrary code execution. COM Object - 2355C601-37D1-42B4-BEB1-03C773298DC8 MW6MaxiCode Class File Description : MaxiCode ActiveX File...
Microsoft Windows - Win32k!EPATHOBJ::pprFlattenRec Uninitialized Next Pointer Testcase
I'm quite proud of this list cycle trick, here's how to turn it into an arbitrary write. First, we create a watchdog thread that will patch the list atomically when we're ready. This is needed because we can't...
win32k!EPATHOBJ::pprFlattenRec Uninitialized Next Pointer Testcase
Exploit for windows platform in category dos / poc I'm quite proud of this list cycle trick, here's how to turn it into an arbitrary write. First, we create a watchdog thread that will patch the list atomically when we're ready. This is needed because we can't exploit the bug while HeavyAllocPool...
HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution
Added: 01/26/2012 CVE: CVE-2011-4786 BID: 51396 OSVDB: 78306 Background HP Easy Printer Care Software is a tool to control and monitor up to 20 HP printers. Problem HP Easy Printer Care Software 2.5 and prior versions are vulnerable to remote code execution. The CacheDocumentXMLWithId method from...