Category Archives: Full Disclosure

Re: #WorldPenguinDay or this can't be right, can it?

Posted by PIN on Apr 30

Okay.

Step 0) invoke python (on linux)
Step 1) input print(hex(id("__main__") & ~4095))
Step 2) Take output of (1) and subtract that number from the base of libc's
base address (or another library); this is your offset and seems to only
vary by compiled image (for me, with 3.3.5 it's 0xb4f000).
Step 3) print(hex((id("__main__") & ~4095) - 0xb4f000))
Step 4) The output of (3) should be a stable offset from a given…

OS X 0day – works on latest verz

Posted by 魏诺德 on Apr 30

BO exploitation @ fontd, allows payload to run code with fontd
privileges.

http://pastebin.com/XT7vnkXZ

#include <stdio.h>
#include <stdlib.h>
#include <mach/mach.h>
#include <servers/bootstrap.h>

#define SERVICE_NAME "com.apple.FontObjectsServer"
#define DEFAULT_MSG_ID 46

#define EXIT_ON_MACH_ERROR(msg, retval, success_retval) \
if (kr != success_retval) { mach_error(msg ":" , kr); exit((retval));…

IKE Aggressive Mode Downgrade Attack?

Posted by Melchior Limacher on Apr 30

Hello

I was reading about “ike aggressive mode with pre shared key” (CVE-2002-1623).

As described by cisco (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_security_notice09186a008016b57f.html),
this is still an issue
“When responding to IPSec session initialization, Cisco IOS(r) software
may use Aggressive Mode even if it has not been explicitly configured
to do so. Cisco IOS software initially tries to negotiate using…

Heap overflow / invalid read in Libtasn1 before 4.5 (TFPA 005/2015)

Posted by Hanno Böck on Apr 30

https://blog.fuzzing-project.org/9-Heap-overflow-invalid-read-in-Libtasn1-TFPA-0052015.html

While fuzzing GnuTLS I discovered a malformed certificate input sample
that would cause a heap overflow read of 99 bytes in the DER decoding
functions of Libtasn1. The heap overflow happens in the function
_asn1_extract_der_octet().

This issue was reported to the Libtasn1 developer on 16th April. A fix
was committed on 20th April and is part of the…

Mysterious CVE-2008-568 (Solaris)

Posted by Mark Felder on Apr 30

It appears to me that CVE-2008-568 is rather hard to find information
about, outside the public exploit [1] and advisory [2] issued by the
team that found it. It’s unknown to CVE sites probably because it’s only
referenced by 3 digits instead of 4. The patch README [3] doesn’t seem
to reference this issue at all. Does anyone know if it has a different
CVE number or what happened here?

[1] https://www.exploit-db.com/exploits/15962/

SevDesk v1.1 iOS – Persistent Dashboard Vulnerability

Posted by Vulnerability Lab on Apr 30

Document Title:
===============
SevDesk v1.1 iOS – Persistent Dashboard Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1311

Release Date:
=============
2015-04-23

Vulnerability Laboratory ID (VL-ID):
====================================
1311

Common Vulnerability Scoring System:
====================================
4.2

Product & Service Introduction:…

Type Confusion Infoleak and Heap Overflow Vulnerability in unserialize() with exception

Posted by Taoguang Chen on Apr 29

# Type Confusion Infoleak and Heap Overflow Vulnerability in
unserialize() with exception

Taoguang Chen <[ () chtg](http://github.com/chtg)> – Write Date: 2015.3.3
– Release Date: 2015.4.28

Affected Versions
————
Affected is PHP 5.6 < 5.6.8
Affected is PHP 5.5 < 5.5.24
Affected is PHP 5.4 < 5.4.40

Credits
————
This vulnerability was disclosed by Taoguang Chen.

Description
————
“`
ZEND_METHOD(exception,…

Type Confusion Infoleak Vulnerability in unserialize() with SoapFault

Posted by Taoguang Chen on Apr 29

# Type Confusion Infoleak Vulnerability in unserialize() with SoapFault

Taoguang Chen <[ () chtg](http://github.com/chtg)> – Write Date: 2015.3.1
– Release Date: 2015.4.28

Affected Versions
————
Affected is PHP 5.6 < 5.6.8
Affected is PHP 5.5 < 5.5.24
Affected is PHP 5.4 < 5.4.40
Affected is PHP 5.3 <= 5.3.29

Credits
————
This vulnerability was disclosed by Taoguang Chen.

Description
————

“`…

CVE-ID 2015-1188: Swisscom DSL Router Centro Grande (ADB)

Posted by csirt on Apr 29

#############################################################
#
# SWISSCOM CSIRT ADVISORY – http://www.swisscom.com/security
#
#############################################################
#
# CVE ID: CVE-2015-1188
# Product: Swisscom DSL Router Centro Grande (ADB)
# Vendor: ADB
# Subject: Incorrect authentication, remotely exploitable
# Finder: Ivan Almuina (ivan.almuina _at_ hackingcorp.ch)
# Coord: Philippe Cuany (csirt _at_…