Fortinet FortiClient 5.2.3 (Windows 10 x64 Post-Anniversary) - Local Privilege Escalation

/ Check these out: - https://www.coresecurity.com/system/files/publications/2016/05/Windows%20SMEP%20bypass%20U%3DS.pdf - https://labs.mwrinfosecurity.com/blog/a-tale-of-bitmaps/ Tested on: - Windows 10 Pro x64 Post-Anniversary - ntoskrnl.exe: 10.0.14393.953 - FortiShield.sys: 5.2.3.633 Thanks to...

Microsoft Windows - 'gdi32.dll' EMR_SETDIBITSTODEVICE Heap Out-of-Bounds Reads / Memory Disclosure

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=992 In issue 757, I described multiple bugs related to the handling of DIBs Device Independent Bitmaps embedded in EMF records, as implemented in the user-mode Windows GDI library gdi32.dll. As a quick reminder, the DIB-embedding...

Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)

Microsoft Windows 8.1 x64 - RGNOBJ Integer Overflow MS16-098 // Source: https://github.com/sensepost/ms16-098/tree/b85b8dfdd20a50fc7bc6c40337b8de99d6c4db80 // Binary: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe include include include include inclu...

Microsoft GDI+ - DecodeCompressedRLEBitmap Invalid Pointer Arithmetic Out-of-Bounds Write (MS16-097)

Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=824 The GDI+ library can handle bitmaps originating from untrusted sources through a variety of attack vectors, like EMF files, which may embed bitmaps in records such as EMRPLGBLT...

Microsoft Windows - GDI+ DecodeCompressedRLEBitmap Invalid Pointer Arithmetic Out-of-Bounds Write (MS16-097)

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=824 The GDI+ library can handle bitmaps originating from untrusted sources through a variety of attack vectors, like EMF files, which may embed bitmaps in records such as EMRPLGBLT, EMRBITBLT, EMRSTRETCHBLT, EMRSTRETCHDIBITS etc. T...

Microsoft Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap Out-of-Bounds ReadsMemory Disclosure (MS16-074)

Microsoft Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap Out-of-Bounds ReadsMemory Disclosure MS16-074 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=757 As clearly visible in the EMF Enhanced Metafile image format specification MS-EMF, there are multiple...

win32k Clipboard Bitmap - Use-After-Free

Source: https://code.google.com/p/google-security-research/issues/detail?id=533 This PoC triggers a crash on Windows 7 32-bit with Special Pool enabled on win32k.sys. The kernel crashes due to a use-after-free condition with bitmaps in the clipboard. --- Note that multiple PoC executions and...

[SECURITY] Fedora 19 Update: autotrace-0.31.1-34.fc19

AutoTrace is a program for converting bitmaps to vector graphics. Supported input formats include BMP, TGA, PNM, PPM, and any format supported by ImageMagick, whereas output can be produced in Postscript, SVG, xfig, SWF, and others...

[SECURITY] Fedora 18 Update: inkscape-0.48.4-1.fc18

Inkscape is a vector graphics editor, with capabilities similar to Illustrator, CorelDraw, or Xara X, using the W3C standard Scalable Vector Graphics SVG file format. It is therefore a very useful tool for web designers and as an interchange format for desktop publishing. Inkscape supports many...