bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/dos/39601.txt
Offensive Security dfc00ffd48 DB: 2016-03-24 
22 new exploits

Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)
Windows XP SP3 x86 and 2003 SP2 x86 - NDProxy Privilege Escalation (MS14-002)

exim <= 4.84-3 - Local Root Exploit
Exim <= 4.84-3 - Local Root Exploit
CoolPlayer (Standalone) build 2.19 - .m3u Stack Overflow
OS X / iOS Suid Binary Logic Error Kernel Code Execution
Multiple CCTV-DVR Vendors - Remote Code Execution
MiCollab 7.0 - SQL Injection Vulnerability
Comodo Antivirus Forwards Emulated API Calls to the Real API During Scans
Avira - Heap Underflow Parsing PE Section Headers
Comodo - PackMan Unpacker Insufficient Parameter Validation
Comodo - LZMA Decoder Heap Overflow via Insufficient Parameter Checks
Comodo - Integer Overlow Leading to Heap Overflow Parsing Composite Documents
Wireshark - dissect_ber_integer Static Out-of-Bounds Write
Comodo - Integer Overflow Leading to Heap Overflow in Win32 Emulation
Comodo Antivirus - Heap Overflow in LZX Decompression
OS X Kernel - Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort
Adobe Flash - Shape Rendering Crash
Adobe Flash - Zlib Codec Heap Overflow
Adobe Flash - Sprite Creation Use-After-Free
Adobe Flash - Uninitialized Stack Parameter Access in AsBroadcaster.broadcastMessage UaF Fix
Adobe Flash - Uninitialized Stack Parameter Access in Object.unwatch UaF Fix
Adobe Flash - Uninitialized Stack Parameter Access in MovieClip.swapDepths UaF Fix
OS X Kernel - AppleKeyStore Use-After-Free
OS X Kernel - Unchecked Array Index Used to Read Object Pointer Then Call Virtual Method in nVidia Geforce Driver
OS X Kernel Use-After-Free and Double Delete Due to Incorrect Locking in Intel GPU Driver
2016-03-24 05:03:51 +00:00

16 lines
943 B
Text
Executable file
Raw Blame History

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=764
Packman is an obscure opensource executable packer that Comodo Antivirus attempts to unpack during scanning. The code is available online here:
http://packmanpacker.sourceforge.net/
If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. Fuzzing this unpacker revealed a variety of crashes due to this, such as causing pointer arithmetic in CAEPACKManUnpack::DoUnpack_With_NormalPack to move pksDeCodeBuffer.ptr to an arbitrary address, which allows an attacker to free() an arbitrary pointer.
This issue is obviously exploitable to execute code as NT AUTHORITY\SYSTEM.
The attached testcase will attempt to free() an invalid pointer to demonstrate this.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39601.zip
Reference in a new issue View git blame Copy permalink