Use After Free Vulnerabilities in unserialize()

Posted by Taoguang Chen on Sep 07

#Use After Free Vulnerabilities in unserialize()

Taoguang Chen <[@chtg](http://github.com/chtg)> – Write Date: 2015.7.31 – Release Date: 2015.9.4

Affected Versions
————
Affected is PHP 5.6 < 5.6.12
Affected is PHP 5.5 < 5.5.28
Affected is PHP 5.4 < 5.4.44

Credits
————
This vulnerability was disclosed by Taoguang Chen.

Description
————
```
if (ce->unserialize == NULL) {…
```

Use After Free Vulnerabilities in Session Deserializer

Posted by Taoguang Chen on Sep 07

#Use After Free Vulnerabilities in Session Deserializer

Taoguang Chen <[@chtg](http://github.com/chtg)> – Write Date: 2015.8.9 – Release Date: 2015.9.4

Affected Versions
————
Affected is PHP 5.6 < 5.6.13
Affected is PHP 5.5 < 5.5.29
Affected is PHP 5.4 < 5.4.45

Credits
————
This vulnerability was disclosed by Taoguang Chen.

Description
————
```
PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
{
```

……

Use After Free Vulnerability in unserialize() with GMP

Posted by Taoguang Chen on Sep 07

#Use After Free Vulnerability in unserialize() with GMP

Taoguang Chen <[@chtg](http://github.com/chtg)> – Write Date: 2015.8.17 – Release Date: 2015.9.4

Affected Versions
————
Affected is PHP 5.6 < 5.6.13

Credits
————
This vulnerability was disclosed by Taoguang Chen.

Description
————
```
static int gmp_unserialize(zval **object, zend_class_entry *ce, const unsigned char *buf, zend_uint buf_len,…
```

Defense in depth — the Microsoft way (part 32): yet another (trivial) UAC bypass resp. privilege escalation

Posted by Stefan Kanthak on Sep 07

Hi @ll,

in <http://seclists.org/fulldisclosure/2013/Sep/132> I showed an
elaborate way for privilege elevation using IExpress (and other
self-extracting) installers containing *.MSI or *.MSP which works
“in certain situations”.

Microsoft addressed this vulnerability with
<https://technet.microsoft.com/library/security/ms14-049.aspx>

In <http://seclists.org/fulldisclosure/2013/Oct/5> I showed an
indirect way for…

Advantech WebAccess 8.0, 3.4.3 multiple Remote Code Execution Vulnerabilities

Posted by Praveen D on Sep 07

Introduction
*********************************************************************************
Using Advantech WebAccess SCADA software we can remotely manage industrial
control system devices like RTUs, generators, motors, etc. Attackers can
execute code remotely by passing a maliciously crafted string to the
ConvToSafeArray API in the ASPVCOBJLib.AspDataDriven ActiveX control.

Operating System: Windows SP1
Affected Product: Advantech WebAccess 8.0, 3.4.3…

Schneider Electric CitectSCADA Insecure DLL Loading Code Execution Vulnerability

Posted by Praveen D on Sep 07

Create a malicious DLL and rename it as any one of the DLLs below:
UxTheme.dll
CtComDlgENU.dll
CtComDlgLOC.dll
CTPROJENU.dll
CTPROJLOC.dll
CRYPTBASE.dll
SspiCli.dll
profapi.dll
dnsapi.dll
located at
C:\Program Files\Schneider Electric\CitectSCADA 7.40\Bin
Vulnerable process name: CtExplor.exe
The malicious DLLs will contain arbitrary code written by the attacker.

Tested on OS: Windows 7 Ultimate N SP1
Schneider Electric CitectSCADA 7.40

Best…

[CVE-2014-7216] Yahoo! Messenger emoticons.xml Multiple Key Value Handling Local Buffer Overflow

Posted by Julien Ahrens on Sep 07

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
———————–
Product: Yahoo! Messenger
Vendor URL: www.yahoo.com
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2014-05-02
Date published: 2015-09-03
CVSSv3 Score: 4,8 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
CVE: CVE-2014-7216

2. CREDITS
———-
This vulnerability was discovered and researched by Julien Ahrens…

Just Don't Use or Trust Bullhorn

Posted by Scott Arciszewski on Sep 07

Story time, FD.

Hopefully I can save someone else from having to deal with the
frustration of dealing with Bullhorn.

March 3, 2014 – I observed that SendOuts (owned by Bullhorn) didn’t
use HTTPS even though it was available, nor HSTS once someone
explicitly accessed the https://webconnect3.sendouts.com URL.

When I went to notify them on their support forums, I noticed they
were running an ancient version of phpBB. A version known to be…

Checkmarx CxQL Sandbox bypass (CVE-2014-8778)

Posted by Dau, Huy-Ngoc (FR – Paris) on Sep 07

Checkmarx CxQL Sandbox bypass (CVE-2014-8778)

Vendor: Checkmarx – www.checkmarx.com
Product: CxSuite
Version affected: 7.1.5 and prior

Credit: Huy-Ngoc DAU (@ngocdh) of Deloitte Conseil, France

================================
Introduction
================================
Checkmarx is a static source code analysis suite (https://www.checkmarx.com).

CxQL (Checkmarx Query Language) is a CSharp-based language defined by Checkmarx to query source…

Glibc Pointer guarding weakness

Posted by Hector Marco-Gisbert on Sep 07

Hello,

A weakness in the dynamic loader has been found; Glibc versions prior to 2.22.90
are affected. The issue is that the LD_POINTER_GUARD variable in the environment
is not sanitized, allowing local attackers to easily bypass the pointer
guarding protection on set-user-ID and set-group-ID programs.

Details and PoC at:
http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html

A patch is already sent to Glibc maintainers. This issue is similar to…