Broadcom: Multiple memory corruptions in "bcmdhd" when handling WLFC information (CVE-2017-0571)
Detailed analysis: https://googleprojectzero.blogspot.tw/2017/04/over-air-exploiting-broadcoms-wi-fi4.html https://googleprojectzero.blogspot.tw/2017/04/over-air-exploiting-broadcoms-wi-fi11.html Broadcom produces the Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing...
Broadcom: Heap overflow in "wl_iw_get_essid" when handling WLC_GET_SSID ioctl results(CVE-2017-0570)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On Android devices, the "bcmdhd" driver is use...
WebKit: use-after-free in RenderLayer(CVE-2017-2455)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the latest nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac. PoC and ASan log follow PoC: function go div.style.setProperty"-webkit-flow-into", "foo"; document.execCommand"fontSize",...
WebKit: WebCore::toJS use-after-free(CVE-2017-2476)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: function freememory var a; forvar i=0;i ASan log: ==25184==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000076e80 at pc 0x000115bea4e0 bp 0x7fff52cef2e...
Broadcom: Heap overflow in "wlc_tdls_cal_mic_chk" due to large RSN IE in TDLS Setup Confirm frame (CVE-2017-0561)
Broadcom produces the Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. One of the events handled by the BCM...
Apple Webkit: UXSS by accessing a named property from an unloaded window (CVE-2017-2367)
The frame is not detached from an unloaded window. We can access the new document's named properties via the following function. static bool jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetterJSDOMWindowProperties thisObject, Frame& frame, ExecState exec, PropertyName propertyName,...
MacOS/iOS kernel memory corruption due to off-by-one in SIOCGIFORDER socket ioctl (CVE-2017-2474)
SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the ifnet_ordered_head linked list of interfaces. SIOCSIFORDER clears the existing list and allows userspace to specify an array of interface indexes used to build a new list. SIOCGIFORDER allows userspace to query the list...
MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability(CVE-2017-2489)
MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability Selector 0x710 of IntelFBClientControl ends up in AppleIntelCapriController::getDisplayPipeCapability. This method takes a structure input and output buffer. It reads an attacker...
Apple WebKit: UXSS via Frame::setDocument (1)(CVE-2017-2364)
void Frame::setDocumentRefPtr&& newDocument ASSERT!newDocument || newDocument-frame == this; if mdoc && mdoc-pageCacheState != Document::InPageCache mdoc-prepareForDestruction; mdoc = newDocument.copyRef; ... The function |prepareForDestruction| only called when the cache state is not...
MacOS kernel uaf due to double-release in posix_spawn(CVE-2017-2472)
exec_handle_port_actions is responsible for handling the map port actions extension to posix_spawn. It supports 4 different types of port: PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS. For the special, exception and audit ports it tries to update the new task to reflect the port...
MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig (CVE-2017-2443)
Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it uses to index an array of pointers with no bounds checking: This pointer is passed...
Apple Webkit: UXSS with JSCallbackData(CVE-2017-2442)
Here is the definition of |JSCallbackData| class. This class is used to call a javascript function from a DOM object. class JSCallbackDataStrong : public JSCallbackData public: JSCallbackDataStrongJSC::JSObject callback, void : mcallbackcallback-globalObject-vm, callback JSC::JSObject callback...
MacOS/iOS kernel heap overflow in bpf (CVE-2017-2482)
The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length: case BIOCSBLEN: / uint / if d-bdbif != 0 error = EINVAL; else uint size; bcopyaddr, &size, sizeof size; if size bpfmaxbufsize size = bpfmaxbufsize; else if size bdbufsize = size; break; d-bdbif is set to the currently attached...
MacOS/iOS kernel memory corruption due to bad bounds checking in necp_client_copy_interface(CVE-2017-2473)
necp_client_copy_interface contains this code, where interface_index is an attacker controlled uint32_t: if interfaceindex != IFSCOPENONE && intinterfaceindex = ifindex interface = ifindex2ifnetinterfaceindex; This leads to an interface pointer being read out of bounds. This can lead to kernel...
MacOS/iOS kernel double free due to bad locking in fsevents device(CVE-2017-2490)
fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE on /dev/fsevents. Here's the code for the FSEVENTS_DEVICE_FILTER_64 ioctl: case FSEVENTSDEVICEFILTER64: if ! procis64bitvfscontextprocctx ret = EINVAL; break; devfiltargs = fseventdevfilterargs64 data; handledevfilter: int...
macOS/IOS: mach_msg doesn't copy memory in a certain case(CVE-2017-2456)
When sending ool memory via |mach_msg| with the |deallocate| flag or the |MACH_MSG_VIRTUAL_COPY| flag, |mach_msg| moves the memory to the destination process instead of copying it. But it doesn't consider the memory entry object that could resurrect the moved memory. As a result, it could lead to a...
Apple WebKit: UXSS via disconnectSubframes (CVE-2017-2445)
When an element is removed from a document, the function |disconnectSubframes| is called to detach its subframes (iframe tag, object tag, etc.). Here is a snippet of |disconnectSubframes|. void disconnectSubframesContainerNode& root, SubframeDisconnectPolicy policy ... Vector frameOwners; if policy ...
Google Android Qualcomm Wi-Fi Driver Multiple Information Disclosure Vulnerabilities(CVE-2017-0531)
No description provided by source. include include include include include include include define SNDRVLSMLABCONTROL IOW'U', 0x08, uint32t int mainvoid int fd; int ret; fd = open"/dev/snd/pcmC0D30c", ORDWR; if fd 0 printf"Couldn't open device, error %s\n", strerrorerrno; return -1; printf"Phone...
Apple iOS stack buffer overflow was addressed through improved input validation (CVE-2017-6975)
iOS 10.3.1 is now available and addresses the following: Wi-Fi Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip Description: A stack buffer overflo...
Google Android Qualcomm Camera Driver Multiple Information Disclosure Vulnerabilities(CVE-2016-8477)
No description provided by source. include include include include include include include include include define MAXSENSORNAME 32 enum eepromcfgtypet CFGEEPROMGETINFO, CFGEEPROMGETCALDATA, CFGEEPROMREADCALDATA, CFGEEPROMWRITEDATA, CFGEEPROMGETMMINFO, ; struct eepromgett uint32t numbytes; ; struc...
Microsoft Windows PowerShell Security Feature Bypass Vulnerability (CVE-2017-0007)
Over the past few months, I have had the pleasure to work side-by-side with Matt Graeber (@mattifestation) and Casey Smith (@subtee) in their previous job roles, researching Device Guard user mode code integrity (UMCI) bypasses. If you aren't familiar with Device Guard, you can read more about it here:...
Google Android Mediaserver Multiple Denial of Service Vulnerabilities(CVE-2017-0392)
VBRISeeker::CreateFromSource may cause an uncaught c++ exception due to trying to allocate a buffer where the size is attacker controllable. Fix: https://android.googlesource.com/platform/frameworks/av/+/453b351ac5bd2b6619925dc966da60adf6b3126c PoC:...
Google Android Qualcomm Camera Driver Multiple Privilege Escalation Vulnerabilities (CVE-2017-0521)
No description provided by source. include include include include include include include include include include //include include / Should be same as VIDEOMAXPLANES in videodev2.h / define MAXPLANES VIDEOMAXPLANES / PARTIALFRAMESTRIPECOUNT must be even / define PARTIALFRAMESTRIPECOUNT 4 define...
Google Android Qualcomm Camera Driver Multiple Information Disclosure Vulnerabilities(CVE-2016-8413)
No description provided by source. include include include include include include include include include struct msmcamerav4l2ioctlt uint32t id; sizet len; int32t transcode; void user ioctlptr; ; define VIDIOCMSMCPPDEQUEUESTREAMBUFFINFO \ IOWR'V', BASEVIDIOCPRIVATE + 7, struct msmcamerav4l2ioctl...
MacOS kernel memory corruption due to off-by-one in audit_sdev_open (CVE-2017-2483)
The auditsession device has a copy-pasted version of the same bug as the auditpipe device: static int auditsdevopendevt dev, unused int flags, unused int devtype, proct p struct auditsdev asdev; struct auditinfoaddr aia; int u; u = minordev; if u MAXAUDITSDEVS return ENXIO; void auditsdevgetaiap,...
Elevation of privilege vulnerability in Qualcomm crypto engine driver(CVE-2017-0576)
No description provided by source. include include include include include include include include include include / PoC By Scott Bauer Bug found by derrek / static const char dev = "/dev/qce"; define QCEDEVMAXKEYSIZE 64 define QCEDEVMAXIVSIZE 32 define QCEDEVMAXBUFFERS 16 struct bufinfo union...
WebKit: Type confusion in constructJSReadableStreamDefaultReader(CVE-2017-2457)
EncodedJSValue JSCHOSTCALL constructJSReadableStreamDefaultReaderExecState& exec VM& vm = exec.vm; auto scope = DECLARETHROWSCOPEvm; JSReadableStream stream = jsDynamicDowncastexec.argument0; if !stream return throwArgumentTypeErrorexec, scope, 0, "stream", "ReadableStreamReader", nullptr,...
MacOS/iOS kernel uaf due to bad locking in necp_open (CVE-2017-2478)
necp_open is a syscall used to obtain a new necp file descriptor. The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap. Here's the relevant code from necp_open: error = fallocp, &fp, &fd, vfscontextcurrent; --------------------- a if error != 0 goto done; if fddata =...
math.js remote code execution vulnerability
This article explains in short how we found, exploited and reported a remote code execution (RCE) vulnerability. It is meant to be a guide to finding vulnerabilities, as well as reporting them in a responsible manner. Step one: discovery While playing around with a wrapper of the math.js API...
ASUS B1M projector remote commands execution Vulnerability
We recently obtained an ASUS B1M projector and have been exploring its capabilities when we discovered trivial to exploit vulnerabilities. The ASUS B1M features a small Wi-Fi adapter for a direct wireless connection to a notebook PC, or Android and iOS devices. The projector comes with an embedde...
LastPass: global properties can be modified across isolated worlds, allowing remote code execution
A major part of the LastPass password manager is content scripts, additional privileged javascript that is injected into pages and can change or monitor content. LastPass uses content scripts to search webpages for forms, add additional UI elements, and so on. The reason that it's safe to have...
NIGHT GALLERY 2017 event.php parameter id SQL injection vulnerability
No description provided by source...
Windows Uniscribe heap-based out-of-bounds read in USP10!ScriptApplyLogicalWidth(CVE-2017-0062)
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!ScriptApplyLogicalWidth function, while trying to display a malformed EMF file: 920c.9190: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This...
Mirage – Fancy Clone - SQL Injection
In Mirage – Fancy Clone, parameter filtering is not strict, leading to a SQL injection vulnerability. If the target server has error display turned on, the injection can be used directly; if error display is turned off, time-based and Boolean...
Apple WebKit: HTMLFormElement::reset() use-after-free (CVE-2017-2362)
PoC: function go output.value = "aaa"; output.appendChildinserteddiv; document.getElementById"output".addEventListener'DOMSubtreeModified', function forvar i=0; i foo Analysis: The bug is in HTMLFormElement::reset function, specifically in this part: for auto& associatedElement :...
DedeCMS stored xss vulnerability
Vulnerability description: DedeCMS is an open source PHP website management system. In the DedeCMS member function shopsdelivery.php, the des parameter has a stored XSS vulnerability; an attacker may exploit the vulnerability to obtain the user's cookie. Test environment: DedeCMS-V5...
Joomla! Component Vik Rent Items 1.3 - SQL Injection
In Joomla! Component Vik Rent Items v1.3, parameter filtering is not strict, leading to a SQL injection vulnerability. If the target server has error display turned on, the injection can be used directly. Google Dork: inurl:index.php?...
Mozilla Firefox: use-after-poison in nsStylePadding::GetPadding
Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1340593 There is a use-after-poison issue in Firefox. The vulnerability was confirmed on the nightly ASan build. PoC: padding: inherit; function go var s = menu.style; s.setProperty"scroll-snap-destination", "1px 63%";...
kernel: Local privilege escalation in XFRM framework(CVE-2017-7184)
A security issue was reported by ZDI, on behalf of Chaitin Security Research Lab, against the Linux kernel in Ubuntu. It also affected the upstream kernel. Chaitin Security Research Lab discovered that xfrm_replay_verify_len, as called by xfrm_new_ae, did not verify that the user-specified replay_windo...
Microsoft Color Management Module (icm32.dll) out-of-bounds read (CVE-2017-0061)
We have encountered a crash in the Windows Color Management library icm32.dll, in the icm32!FillushortELUTsfromlut16Tag function, while trying to display a TIFF image with a malformed embedded color profile: 7c1c.93b0: Access violation - code c0000005 first chance First chance exceptions are...
Dedecms presence of a stored cross site scripting vulnerability
Vulnerability description: DedeCMS is an open source PHP website management system. In the DedeCMS member function carbuyaction.php, the address, des, email and postname parameters have a stored XSS vulnerability; an attacker may exploit the vulnerability to obtain the administrator cooki...
Mozilla Firefox table use-after-free(CVE-2017-5404)
Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1340138 There is a use-after-free security vulnerability in Firefox. The vulnerability was confirmed on the nightly ASan build. PoC and ASan log can be found below. Notes for reproducing: - PoC uses domFuzzLite3 extension...
Cisco: WebEx: New Arbitrary Command Execution in 1.0.5 via Module Whitelist Bypass
In version 1.0.5 of the WebEx extension, Cisco added a GpcComponentName whitelist to prevent exploitation via XSS, preventing the issue 1096. This can be defeated by putting a module signed by Cisco under GpcUrlRoot, and tricking the installation routine to overwrite one of the whitelisted module...
Car Workshop System - SQL Injection
In Car Workshop System, parameter filtering is not strict, leading to a SQL injection vulnerability. If the target server has error display turned on, the injection can be used directly. Google Dork: N/A Injection point:...
Adobe Acrobat Force-Installed Vulnerable Chrome Extension
On January 12th, an automatic Adobe Acrobat update force installed a new chrome extension with ID efaidnbmnnnibpcajpcglclefindmkaj. You can view it on the Chrome Webstore here: https://chrome.google.com/webstore/detail/adobe-acrobat/efaidnbmnnnibpcajpcglclefindmkaj/ I can see from the webstore...
PHP Forum Script v3.0 - SQL Injection
In PHP Forum Script v3.0, parameter filtering is not strict, leading to a SQL injection vulnerability. If the target server has error display turned on, the injection can be used directly; if error display is turned off, time-based and...
Joomla! Component jCart for OpenCart 2.0 parameter product_id SQL injection vulnerability
No description provided by source...
Joomla! component JooCart v2.x parameter product_id SQL injection vulnerability
No description provided by source...
Country on Sale Script - SQL Injection
In Country on Sale Script, parameter filtering is not strict, leading to a SQL injection vulnerability. If the target server has error display turned on, the injection can be used directly; if error display is turned off, time-based blind injection can be used. Google...
Joomla! Component Simple Membership 3.3.3 - 'userId' Parameter SQL Injection
In Joomla! Component Simple Membership 3.3.3, filtering of the 'userId' parameter is not strict, leading to a SQL injection vulnerability. If the target server has error display turned on, the injection can be used directly; if you tu...