Intel HD Graphics Windows Kernel Driver (igdkmd64) Code Execution Vulnerability(CVE-2016-5647)

SUMMARY A vulnerability exists in the communication functionality of Intel Graphics Kernel Mode Driver. A specially crafted message can cause a vulnerability resulting in executing arbitrary code. An attacker can send specific message to trigger this vulnerability and escalate his privileges on t...

Adobe ColdFusion Deserialization RCE (CVE-2017-11283, CVE-2017-11238)

During my research into the Java Remote Method Invocation RMI protocol, the most common RMI service that I came across was Adobe ColdFusion’s Flex integration service which is used to support integration between Flash applications and ColdFusion components. A quick look at this service led to the...

Symantec Norton Security IDSvix86 PE Remote System Denial of Service Vulnerability(CVE-2016-5308)

SUMMARY A denial of service vulnerability exists in the Portable Executable file scanning functionality of Symantec Norton Security. A specially crafted PE file can cause an access violation in IDSvix86 kernel driver resulting in denial of service. An attacker can trigger this vulnerability for...

Apple Image I/O EXR Color Component Remote Code Execution Vulnerability(CVE-2016-4629)

SUMMARY An exploitable heap based buffer overflow exists in the handling of EXR images on OS X. A crafted EXR document can lead to a heap based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved EXR file delivered by other means when opened in any...

Microsoft Edge Scripting Engine Remote Memory Corruption Vulnerability(CVE-2017-11799)

Bailout: "ChakraCore’s background JIT compiler generates highly optimized JIT’ed code based upon the data and infers likely usage patterns based on the profile data collected by the interpreter. Given the dynamic nature of JavaScript code, if the code gets executed in a way that breaks the profil...

Apple Core Graphics BMP Framework img_decode_read Remote Code Execution Vulnerability(CVE-2016-4637)

SUMMARY An exploitable out of bounds write exists in the handling of BMP images on Apple OS X and iOS. A crafted BMP document can lead to an out of bounds write resulting in remote code execution. Vulnerability can be triggered via a saved BMP file delivered by other means when opened in any...

Apple Image I/O API Tiled TIFF Remote Code Execution Vulnerability(CVE-2016-4631)

SUMMARY An exploitable heap based buffer overflow exists in the handling of TIFF images on Apple OS X and iOS operating systems. A crafted TIFF document can lead to a heap based buffer overflow resulting in remote code execution. This vulnerability can be triggered via malicious web page, MMS...

Apple Image I/O EXR Compression Remote Code Execution Vulnerability(CVE-2016-4630)

SUMMARY An exploitable heap based buffer overflow exists in the handling of EXR images on OS X. A crafted EXR document can lead to a heap based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved EXR file delivered by other means when opened in any...

Microsoft Edge Scripting Engine Remote Memory Corruption Vulnerability(CVE-2017-11802)

No description provided by source. The "String.prototype.replace" method can be inlined in the JIT process. So in the method, all the calls which may break the JIT assumptions must be invoked with updating "ImplicitCallFlags". But "RegexHelper::StringReplace" calls the replace function without...

Microsoft Edge Scripting Engine Remote Memory Corruption Vulnerability(CVE-2017-11809)

Here's a snippet of the method that interprets a javascript function's bytecode. Js::Var Js::InterpreterStackFrame::INTERPRETERLOOPNAME PROBESTACKscriptContext, Js::Constants::MinStackInterpreter; closureInitDone Assertthis-mreader.GetCurrentOffset == 0; this-InitializeClosures; DoStackScopeSlots...

Microsoft Windows Device Guard Local Security Bypass Vulnerability(CVE-2017-11823)

Windows: WLDP/MSHTML CLSID UMCI Bypass Platform: Windows 10 S thought should be anything with UMCI Class: Security Feature Bypass Summary: The enlightened lockdown policy check for COM Class instantiation can be bypassed in MSHTML hosts leading to arbitrary code execution on a system with UMCI...

Microsoft Windows Kernel Local Information Disclosure Vulnerability(CVE-2017-11784)

One kernel memory disclosure in the exception handling code has already been discovered and reported as issue 1177 . It was fixed in the June Patch Tuesday as CVE-2017-8482. However, it seems there is another bug in this code area, this time a pool as opposed to stack memory leak. We've had some...

Microsoft Windows Kernel Local Information Disclosure Vulnerability(CVE-2017-11817)

This tracker entry is a fork of issue 1325, which this bug was reported as a part of. However, as some essential information and context was provided in issue 1325, the "Reported" date was adjusted there to account for it. The new information did not concern the vulnerability discussed here, so w...

Microsoft Windows Kernel Local Information Disclosure Vulnerability(CVE-2017-11785)

We have discovered that the nt!NtQueryObject syscall handler discloses portions of uninitialized pool memory to user-mode clients when the following conditions are met: 1. It is invoked with the ObjectNameInformation information class and a file object associated with a file on local disk other...

Apple OS X Scene Kit DAE XML Code Execution Vulnerability(CVE-2016-1850)

SUMMARY An exploitable type confusion vulnerability exists in the handling of DAE images on OS X. A crafted DAE document can trigger a type confusion vulnerability which potentially could be exploited to achieve attacker controlled code execution. Vulnerability can be triggered via a saved DAE fi...

Mac OS X 10.12 isolation mechanism bypass vulnerability

Vulnerability summary Mac OS X a vulnerability exists that could allow an attacker to bypass the Apple of the isolation mechanism, without any restrictions to execute arbitrary JavaScript code. Vulnerability submitter From WeAreSegment security researcher Filippo Cavallarin to Beyond Security SSD...

Microsoft Office SMB Information Disclosure

Vulnerability Summary The following advisory describes an information disclosure found in Microsoft Office versions 2010, 2013, and 2016. Microsoft Office is: “Whether you’re working or playing, Microsoft is here to help. We’re the company that created Microsoft Office, including Office 365 Home,...

ZTE uSmartView DLL Hijacking

Vulnerability summary The following advisory describes an DLL Hijacking found in ZTE uSmartView. ZTE uSmartView offers: “ZTE provides full series of cloud computing products including cloud terminals, cloud desktops, virtualization software, and cloud storage products and end-to-end integrated...

Webmin Multiple Vulnerabilities

Vulnerability summary The following advisory describes three 3 vulnerabilities found in Webmin version 1.850 Webmin “is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the...

Oracle OIT ContentAccess libvs_mwkd VwStreamSection Code Execution Vulnerability(CVE-2016-3593)

Description A partially controlled memory corruption vulnerability exists in Mac Works Database file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic leads to an out of bounds memory overwrite resulting in arbitrary code execution. Tested...

Oracle OIT IX SDK libvs_pdf arbitrary pointer access(CVE-2016-3579)

Description When parsing a specially crafted PDF document, a value derived from a file is used as a memory pointer leading to a process crash. Tested Versions Outside In IX SDK 8.5.1. Product URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html Details When...

Oracle OIT ContentAccess libvs_word+63AC Code Execution Vulnerability(CVE-2016-3592)

Description Partially controlled memory write vulnerability exists in Mac Word file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic leads to an out of bounds memory overwrite resulting in code execution. Tested Versions Oracle Outside In...

Oracle OIT IX SDK TIFF ExtraSamples Code Execution Vulnerabiity(CVE-2016-3581)

Description While parsing a specially crafted TIFF file, a parser confussion can lead to a heap buffer overflow resulting in out of bounds memory overwrite leading to arbitrary code execution. Tested Versions Oracle Outside In IX sdk 8.5.1 Product URLs...

Oracle OIT ContentAccess libvs_word Denial of Service Vulnerability(CVE-2016-3590)

Description A partially controlled memory write vulnerability exists in Mac Word file format of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic creates a bitwise OR on out of bounds memory address, resulting in memory corruption and likely program termination...

Oracle OIT IX SDK GIF ImageWidth Code Execution Vulnerabiity(CVE-2016-3583)

Description While parsing a specially crafted GIF file, an integer overflow vulnerability and result in out of bounds heap memory overwrite potentially leading to arbitrary code execution. Tested Versions Oracle Outside In IX sdk 8.5.1 Product URLs...

Oracle OIT IX SDK TIFF file parsing heap buffer overflow(CVE-2016-3582)

Description While parsing a specially crafted TIFF file, a parser confusion can lead to a heap buffer overflow resulting in out of bounds memory overwrite and possibly leading to arbitrary code execution. Tested Versions Outside In IX sdk 8.5.1. Product URLs...

Oracle OIT IX SDK libvs_pdf Root xref Denial of Service Vulnerabiity(CVE-2016-3577)

DESCRIPTION A stack overflow leading to a crash due to unbounded recusive function call is present in the PDF file format parsing code of the IX SDK. TESTED VERSIONS Oracle Outside In IX sdk 8.5.1 PRODUCT URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html...

OpenOffice Impress MetaActions Arbitrary Read Write Vulnerability(CVE-2016-1513)

Description An exploitable out-of-bounds vulnerability exists in OpenOffice when handling MetaActions. A specially crafted Open Office Impress file can cause an out-of-bounds read/write resulting in potential code execution. An attacker can provide the malicious file to trigger this vulnerability...

Oracle OIT IX SDK libvs_pdf Xref Offset Denial of Service Vulnerability(CVE-2016-3580)

Description A vulnerability in PDF parser of the IX SDK exists that results in out of bounds heap memory access following an unchecked memory allocation operation under specific conditions. Tested Versions Oracle Outside In IX sdk 8.5.1 Product URLs...

Oracle OIT ContentAccess libvs_mwkd VwStreamReadRecord Memory Corruption Vulnerability(CVE-2016-3591)

Description Partially controlled memory write vulnerability exists in Mac Works Database file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic causes an out of bounds memory write which can lead to denial of service or possibly code execution...

Oracle OIT IX SDK libvs_pdf Size Integer Overflow Vulnerability(CVE-2016-3575)

DESCRIPTION An integer overflow leading to two distinct issues can be triggered by a specially crafted PDF file. TESTED VERSIONS Oracle Outside In IX sdk 8.5.1 PRODUCT URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html DETAILS While parsing a PDF file with...

Oracle OIT IX SDK libvs_pdf Kids List Information Leak(CVE-2016-3574)

DESCRIPTION When parsing a specially crafted PDF document, the parser is expecting a pointer where string is located leading to a read access violation with a controlled source operand. TESTED VERSIONS Oracle Outside In IX SDK 8.5.1 PRODUCT URLs...

Oracle OIT ImageExport libvs_bmp BMP BI_RLE8 Width Code Execution Vulnerability(CVE-2016-3596)

Description When parsing a specially crafted BMP file, an erroneous memory copy operation can cause a heap buffer overflow leading to arbitrary code execution. Tested Versions Oracle Outside In Technology Content Access SDK 8.5.1. Product URLs...

Oracle OIT IX SDK libvs_pdf Tj Operator Denial of Service Vulnerability(CVE-2016-3576)

DESCRIPTION When parsing a specialy crafted PDF document, a NULL pointer dereference leading to a process termination. A pointer value from a memory structure initialized to zero is reference without check. TESTED VERSIONS Oracle Outside In IX SDK 8.5.1 PRODUCT URLs...

Oracle OIT libim_psi2 psiparse Code Execution Vulnerability(CVE-2016-3594)

Description A memory corruption vulnerability exists in file parsing code of Oracle Outside In Technology libimpsi2 library. Specifically, a integer overflow leading to an undersized memory allocation and a memory copy operation leading to buffer overflow in psiparse function can write 8 controll...

FiberHome Directory Traversal

Vulnerability Summary The following advisory describes a directory traversal vulnerability found in FiberHome routers. FiberHome Technologies Group “was established in 1974. After continuous and intensive development for over 40 years, its business has been extended to R&D, manufacturing, marketi...

Oracle OIT libim_gem2 Gem_Text Code Execution Vulnerability(CVE-2016-3595)

Description An integer overflow vulnerability exists in file parsing code of Oracle Outside In Technology libimgem2 library. A specially crafted Gem file can trigger an integer overflow leading to multiple heap based buffer overflows which can be abused to achieve remote code execution. Tested...

Windows KEPT remote code execution vulnerability analysis(CVE-2017-11779)

根据 Microsoft 安全通告，多个版本 Windows 中的 DNSAPI.dll 在处理 DNS response 时可导致 SYSTEM 权限 RCE。 以 DNS Client API DLL 10.0.15063.0 与 10.0.15063.674 为例，补丁对比， 可知漏洞存在于 DNSAPI.dll 中的 Nsec3RecordRead 函数，那么可以确定问题就是出在解析 DNS response 的 NSEC3 Resource record，为了构造 PoC，先得了解这个 "NSEC3" 的背景。首先，DNS 协议数据结构如下图所示， 例如，当访问...

Oracle OIT IX SDK libvs_pdf FlateDecode Colors Denial of Service Vulnerabiity(CVE-2016-3578)

DESCRIPTION A null pointer dereference leading to process crash can occur while parsing a malformed PDF file. TESTED VERSIONS Oracle Outside In IX sdk 8.5.1 PRODUCT URLs http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html DETAILS While parsing a PDF file which...

Microsoft Windows PDF API Jpeg2000 csiz Remote Code Execution Vulnerability(CVE-2016-3319)

Description An exploitable out of bounds write vulnerability exists in the PDF parsing API in the latest versions of Microsoft Windows. A specially crafted PDF file can cause an out of bounds write resulting in arbitrary code execution. Vulnerability can be triggered via malicious web page or a...

Hancom Hangul HCell Workbook Table and Pivot Style Code Execution Vulnerability(CVE-2016-4293)

Description This vulnerability was discovered within the Hangul Hcell application which is part of the Hangul Office Suite. Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. When opening a Hangul Hcell Document .cell and...

Hancom Hangul Office HShow!NXDeleteLineObj+0x6960c Code Execution Vulnerability(CVE-2016-4290)

Description This vulnerability was discovered within the Hangul HShow application which is part of the Hangul Office Suite. Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. When opening a Hangul HShow Document .hpt and...

Hancom Hangul HCell OfficeArt Record pConnectionSites and pVertices Code Execution Vulnerability(CVE-2016-4294)

Description This vulnerability was discovered within the Hangul Hcell application which is part of the Hangul Office Suite. Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. When opening a Hangul Hcell Document .cell and...

Hancom Hangul Office HShow!NXDeleteLineObj+0x47269 Code Execution Vulnerability(CVE-2016-4292)

Description This vulnerability was discovered within the Hangul HShow application which is part of the Hangul Office Suite. Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. When opening a Hangul HShow Document .hpt and...

Hancom Hangul HCell HncChart CFormulaTokenSizeModifier Code Execution Vulnerability(CVE-2016-4295)

Description This vulnerability was discovered within the Hangul Hcell application which is part of the Hangul Office Suite. Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. When opening a Hangul Hcell Document .cell and...

Hancom Hangul HCell CSSValFormat::CheckUnderbar Code Execution Vulnerability(CVE-2016-4296)

Description This vulnerability was discovered within the Hangul Hcell application which is part of the Hangul Office Suite. Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. When opening a Hangul Hcell Document .cell and...

Lexmark Perceptive Document Filters CBFF Code Execution Vulnerability(CVE-2016-5646)

Description An exploitable heap overflow vulnerability exists in the Compound Binary File Format CBFF parser functionality of Lexmark Perceptive Document Filters library. A specially crafted CBFF file can cause a code execution. An attacker can send a malformed file to trigger this vulnerability...

Hancom Hangul Office HShow!NXDeleteLineObj+0x53692 Code Execution Vulnerability(CVE-2016-4291)

Description This vulnerability was discovered within the Hangul HShow application which is part of the Hangul Office Suite. Hangul Office is published by Hancom, Inc. and is considered one of the more popular Office suites used within South Korea. When opening a Hangul HShow Document .hpt and...

LexMark Perceptive Document Filters Bzip2 Convert Out of Bounds Write Vulnerability(CVE-2016-4336)

Description An exploitable out of bounds write exists in the Bzip2 parsing of the Perspective Document Filters conversion functionality. A crafted Bzip2 document can lead to a stack based buffer overflow causing an out of bounds write which under the right circumstance could potentially be...

Kaspersky Internet Security KLDISK Driver Multiple Kernel Memory Disclosure Vulnerabilities(CVE-2016-4306)

Summary Multiple information leaks exist in various IOCTL handlers of the Kaspersky Internet Security KLDISK driver. Specially crafted IOCTL requests can cause the driver to return out of bounds kernel memory, potentially leaking sensitive information such as privileged tokens or kernel memory...