Fuzzing the RAR file format found multiple crashes, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.

The ACL on %PROGRAMDATA%Kaspersky Lab allows BUILTINUsers to create new files. This can be abused to create new plugins and modules during update, and other filesystem races to gain elevated privileges.

The attached testcase was found by fuzzing DEX files, and results in a heap overflow with a wild memcpy. Note that Kaspersky catch exceptions and continue execution, so running into unmapped pages doesn’t terminate the process, this should make exploitation quite realistic.

BSidesCharm 2016 has announced its Call For Papers. It will be held in Baltimore, MD, USA April 23rd through the 24th, 2016.

Adobe Reader X and XI for Windows suffer from an out-of-bounds read in CoolType.dll.

On Windows 8.1 Update 32/64 bit, the system call NtApphelpCacheControl (the code is actually in ahcache.sys) allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext. This function has a vulnerability where it doesn’t correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller’s impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem’s SID. It doesn’t check the impersonation level of the token so it’s possible to get an identify token on your thread from a local system process and bypass this check.

TECO JN5 L510-DriveLink version 1.482 suffers from a vulnerability that is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .LF5 file. Successful exploitation could allow execution of arbitrary code on the affected machine.

TECO AP-PCLINK version 1.094 suffers from a vulnerability that is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .TPC file. Successful exploitation could allow execution of arbitrary code on the affected machine.

TECO SG2 FBD Client version 3.51 suffers from a vulnerability that is caused due to a boundary error in the processing of a Genie FBD, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .GFB file. Successful exploitation could allow execution of arbitrary code on the affected machine.

networkd is the system daemon which implements the com.apple.networkd XPC service. It’s unsandboxed but runs as its own user. com.apple.networkd is reachable from many sandboxes including the Safari WebProcess and ntpd (plus all those which allow system-network). networkd parses quite complicated XPC messages and there are many cases where xpc_dictionary_get_value and xpc_array_get_value are used without subsequent checking of the type of the returned value.