1716 matches found

Tenable Nessus
added 2017/06/09 12:0 a.m. | 32 views

EulerOS 2.0 SP1 : icoutils (EulerOS-SA-2017-1089)

According to the versions of the icoutils package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Multiple vulnerabilities were found in icoutils, in the wrestool program. An attacker could create a crafted executable that, when read by...

CVSS 8.8 | AI score 6.7 | EPSS 0.03591
Exploits: 3 | References: 7

0day.today
added 2017/05/23 12:0 a.m. | 47 views

Apple iOS / macOS - NSKeyedArchiver Heap Corruption Due to Rounding Error in TIKeyboardLayout initWi

Exploit for multiple platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1172 Using lldb inside a simple helloworld app for iOS we can see that there are over 600 classes which we could get deserialized for persistence for example. The TextInput...

CVSS 7.5 | AI score 8.8 | EPSS 0.06725
Exploits: 3

ossfuzz
added 2017/05/14 8:54 p.m. | 13 views

gdal: Memcpy-param-overlap in KML::unregisterLayerIfMatchingThisNode

Project: https://github.com/OSGeo/gdal.git Detailed report: https://oss-fuzz.com/testcase?key=5115360233652224 Project: gdal Fuzzer: libFuzzergdalogrfuzzer Fuzz target binary: ogrfuzzer Job Type: libfuzzerasangdal Platform Id: linux Crash Type: Memcpy-param-overlap Crash Address:...

AI score 7
Exploits: 0 | Affected Software: 1

seebug.org
added 2017/04/21 12:0 a.m. | 45 views

Safari Browser: Memory corruption in Array concat (CVE-2017-2464)

There is an out-of-bounds memcpy in Array.concat that can lead to memory corruption. In builtins/ArrayPrototype.js, the function concatSlowPath calls a native method @appendMemcpy with a parameter resultIndex that is handled unsafely by the method. It calls JSArray::appendMemcpy, which calculates...

CVSS 6.8 | AI score 8.5 | EPSS 0.09283
Exploits: 2

Hacker One
added 2017/04/15 8:41 p.m. | 9 views

LibSass: stack overflow #6 in libsass

Feeding //0i: to ./sassc -s triggers this stack overflow. ==11380==ERROR: AddressSanitizer: stack-overflow on address 0x7fff1665bfa8 pc 0x000000584802 bp 0x7fff1665c810 sp 0x7fff1665bfb0 T0 0 0x584801 in asanmemcpy /home/geeknik/sassc/bin/sassc+0x584801 1 0x87a353 in char const...

AI score 6.8
Exploits: 0

Metasploit
added 2017/04/05 4:59 p.m. | 36 views

Quest Privilege Manager pmmasterd Buffer Overflow

This module exploits a buffer overflow in the Quest Privilege Manager, a software used to integrate Active Directory with Linux and Unix systems. The vulnerability exists in the pmmasterd daemon, and can only be triggered when the host has been configured as a policy server Privilege Manager for Un...

CVSS 9.8 | AI score 0.4 | EPSS 0.42292
Exploits: 6

seebug.org
added 2017/04/05 12:0 a.m. | 38 views

Broadcom: Multiple memory corruptions in "dhd_pno_process_anqpo_result" (CVE-2017-0572)

For detailed analysis, see part one, https://googleprojectzero.blogspot.tw/2017/04/over-air-exploiting-broadcoms-wi-fi4.html, and part two, https://googleprojectzero.blogspot.tw/2017/04/over-air-exploiting-broadcoms-wi-fi11.html. Broadcom produces the Wi-Fi HardMAC SoCs which are used to...

CVSS 7.6 | AI score 7.5 | EPSS 0.01496
Exploits: 1

seebug.org
added 2017/04/04 12:0 a.m. | 60 views

MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability(CVE-2017-2489)

MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability Selector 0x710 of IntelFBClientControl ends up in AppleIntelCapriController::getDisplayPipeCapability. This method takes a structure input and output buffer. It reads an attacker...

CVSS 4.3 | AI score 7.7 | EPSS 0.02308
Exploits: 2

RedHat Linux
added 2017/03/23 1:4 a.m. | 45 views

Important: Red Hat Security Advisory: icoutils security update

An update for icoutils is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...

CVSS 8.8 | AI score 6.7 | EPSS 0.03591
Exploits: 3 | References: 7

0day.today
added 2017/03/20 12:0 a.m. | 71 views

Microsoft Windows - Uniscribe Font Processing Heap-Based Memory Corruption in USP10!MergeLigRecords

Exploit for windows platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1026&desc=2 We have encountered a crash in the Windows Uniscribe user-mode library, in the memcpy function called by USP10!MergeLigRecords, while trying to display text using a...

CVSS 9.3 | AI score 1.5 | EPSS 0.42546
Exploits: 5

Hacker One
added 2017/03/14 12:1 a.m. | 22 views

shopify-scripts: SIGSEGV in str_buf_cat

PoC ------------------- Attached as teststrbufcat.rb Debug - mirb ------------------- Program received signal SIGSEGV, Segmentation fault. memcpysse2unaligned at ../sysdeps/x8664/multiarch/memcpy-sse2-unaligned.S:36 36 ../sysdeps/x8664/multiarch/memcpy-sse2-unaligned.S: No such file or directory...

AI score 7
Exploits: 0

Prion
added 2017/02/16 11:59 a.m. | 19 views

Buffer overflow

An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "decodeneresourceid" function in the "restable.c" source file. This is happening because the "len" parameter for memcpy is not checked for size and thus becomes a negative integer in the process, resulting in a fail...

CVSS 4.3 | AI score 5.8 | EPSS 0.01529
Exploits: 1 | References: 5 | Affected Software: 8

OSV
added 2017/02/16 11:59 a.m. | 0 views

DEBIAN-CVE-2017-6009

An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "decodeneresourceid" function in the "restable.c" source file. This is happening because the "len" parameter for memcpy is not checked for size and thus becomes a negative integer in the process, resulting in a fail...

CVSS 5.5 | AI score 7.5 | EPSS 0.01529
Exploits: 1 | References: 1

OSV
added 2017/02/16 11:59 a.m. | 20 views

CVE-2017-6009

An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "decodeneresourceid" function in the "restable.c" source file. This is happening because the "len" parameter for memcpy is not checked for size and thus becomes a negative integer in the process, resulting in a fail...

CVSS 5.5 | AI score 7.1
Exploits: 0 | References: 5

UbuntuCve
added 2017/02/16 12:0 a.m. | 29 views

CVE-2017-6009

An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "decodeneresourceid" function in the "restable.c" source file. This is happening because the "len" parameter for memcpy is not checked for size and thus becomes a negative integer in the process, resulting in a fail...

CVSS 5.5 | AI score 6.6 | EPSS 0.01529
Exploits: 1 | References: 3

CNVD
added 2017/02/16 12:0 a.m. | 1 views

Memory Out-of-Bounds Read Vulnerability in WPS File Parsing

WPS Office is a set of office software developed by Beijing Kingsoft Office Software Company. A memory out-of-bounds read vulnerability exists in WPS file parsing. Due to the docReader module of WPS text, when calling the 'memcpy' function, the program fails to adequately perform boundary checkin...

AI score 6.7
Exploits: 0

OSV
added 2017/02/16 12:0 a.m. | 0 views

UBUNTU-CVE-2017-6009

An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the "decodeneresourceid" function in the "restable.c" source file. This is happening because the "len" parameter for memcpy is not checked for size and thus becomes a negative integer in the process, resulting in a fail...

CVSS 5.5 | AI score 6.6 | EPSS 0.01529
Exploits: 1 | References: 4

Exploit DB
added 2017/02/15 12:0 a.m. | 23 views

NVIDIA Driver 375.70 - Buffer Overflow in Command Buffer Submission

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1012 DxgkDdiSubmitCommandVirtual is the function implemented by the kernel mode driver responsible for submitting a command buffer to the GPU. One of the arguments passed contains vendor specific data from the user mode driver. The...

AI score 7.4
Exploits: 0

ossfuzz
added 2017/02/07 10:0 a.m. | 24 views

libplist: Memcpy-param-overlap in parse_data_node

Project: https://github.com/libimobiledevice/libplist.git Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=4930725262393344 Project: libplist Fuzzer: libFuzzerlibplistbplistfuzzer Fuzz target binary: bplistfuzzer Job Type: libfuzzerasanlibplist Platform Id: linux Crash Type:...

AI score 7
Exploits: 0 | Affected Software: 1

Talos
added 2017/01/23 12:0 a.m. | 29 views

Libbpg BGP image decoding Code Execution Vulnerability

Summary An exploitable heap write out of bounds vulnerability exists in the decoding of BPG images in libbpg library. A crafted BPG image decoded by libbpg can cause an integer underflow vulnerability causing an out of bounds heap write leading to remote code execution. This vulnerability can be...

CVSS 7.8 | AI score 0.2 | EPSS 0.03388
Exploits: 2