Latest Exploits

Packet Storm - Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers

Adobe Flash XMLSocket Destructor Does Not Get Cleared Before Setting User Data In Connect (Part 2)

Fri, 08/21/2015 - 01:10
If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
Categories: Security

Microsoft Office 2007 MSO.dll Use-After-Free

Fri, 08/21/2015 - 01:08
A crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled and Application Verifier was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86. The attached minimized PoC produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard Office document parsers did not reveal any significance about this location.
Categories: Security

Adobe Flash URL Resource Use-After-Free

Fri, 08/21/2015 - 01:06
Adobe Flash suffers from a URL resource use-after-free vulnerability.
Categories: Security

Adobe Flash Type Confusion In TextRenderer.setAdvancedAntialiasingTable

Fri, 08/21/2015 - 01:04
There is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers.
Categories: Security

Adobe Flash Use-After-Free In CreateTextField

Fri, 08/21/2015 - 01:03
There is a use-after-free in CreateTextField in Adobe Flash.
Categories: Security

Chrome Heap Overflow In Linux HID Device Handler

Fri, 08/21/2015 - 01:00
A heap overflow exists due to a 64-32 integer truncation issue in device/hid/hid_connection_linux.cc.
Categories: Security

Flash Bad / Wild Write In XML When Callback Modifies XML Tree

Fri, 08/21/2015 - 00:59
The proof of concept works by triggering a wild copy in order to demonstrate the crash, but other side effects are possible, such as decrementing the refcount of an out-of-bounds index.
Categories: Security

Adobe Flash Use-After-Free In SwapDepths

Fri, 08/21/2015 - 00:57
There is a use-after-free in MovieClip.swapDepths in Adobe Flash.
Categories: Security

Windows Kernel Win32k.sys TTF Font Processing Out-Of-Bounds Pool Write In Win32k!fsc_BLTHoriz

Fri, 08/21/2015 - 00:55
Researchers have encountered a Windows kernel crash in the win32k!fsc_BLTHoriz function while processing corrupted TTF font files.
Categories: Security

Windows Kernel Win32k.sys TTF Font Processing Out-Of-Bounds Pool Memory Access In Win32k!fsc_RemoveDups

Fri, 08/21/2015 - 00:54
Researchers have encountered a Windows kernel crash in the win32k!fsc_RemoveDups function while processing corrupted TTF font files.
Categories: Security

Flash Wild Pointer Crash In XML Handling

Fri, 08/21/2015 - 00:53
The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
Categories: Security

Flash Wild Pointer In Button Handling

Fri, 08/21/2015 - 00:52
The attached sample, signal_sigsegv_7ffff60a1429_9554_f4dc661554237404dfe394d4c6c3e674.swf, crashes on Linux x64.
Categories: Security

Flash Bad Dereference At 0x23c On Linux X64

Fri, 08/21/2015 - 00:51
The attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes on the Linux x64 build (Flash v17.0.0.188).
Categories: Security

Flash Wild Pointer Crash After Continuing Slow Script

Fri, 08/21/2015 - 00:50
The attached swf file in Google Chrome (Linux x64) will eventually result in a dialog offering to terminate the slow script.
Categories: Security

Flash Wild Pointer Crash In Drawing And Bitmap Handling

Thu, 08/20/2015 - 21:39
A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
Categories: Security

Windows Kernel ATMFD.DLL Out-of-bounds Read Due To Malformed FDSelect Offset In The CFF Table

Thu, 08/20/2015 - 21:39
Researchers have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files.
Categories: Security

Adobe Flash Out-Of-Bounds Memory Read While Parsing A Mutated TTF File Embedded In SWF

Thu, 08/20/2015 - 21:19
An out-of-bounds memory read occurs when Adobe Flash parses a mutated TTF file embedded in a swf.
Categories: Security

Adobe Flash Heap Use-After-Free In SurfaceFilterList::CreateFromScriptAtom

Wed, 08/19/2015 - 10:02
Adobe Flash suffers from a heap use-after-free vulnerability in SurfaceFilterList::CreateFromScriptAtom.
Categories: Security

Easy File Management Web Server 5.6 Buffer Overflow

Wed, 08/19/2015 - 09:44
Easy File Management Web Server version 5.6 suffers from a USERID remote buffer overflow vulnerability.
Categories: Security

Flash Broker-Based Sandbox Escape Via Timing Attack Against File Moving

Wed, 08/19/2015 - 09:02
FlashBroker is vulnerable to an NTFS junction attack that writes an arbitrary file to the filesystem under user permissions. There is a race condition in the FlashBroker BrokerMoveFileEx method. This race can be won by using an oplock to wait for the point where the BrokerMoveFileEx method opens the original file and then making the destination a junction.
Categories: Security